Malware Analysis Report

2024-10-18 23:06

Sample ID 240725-bc434syann
Target 6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118
SHA256 8b4ed262efa19f8b56abde205b1039e3f772093a340a6a6957fb11d970044ca8
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b4ed262efa19f8b56abde205b1039e3f772093a340a6a6957fb11d970044ca8

Threat Level: Known bad

The file 6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-25 01:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 01:00

Reported

2024-07-25 01:29

Platform

win7-20240708-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32TTKD Agent = "C:\\Windows\\system32TTKD.exe" | C:\Windows\system32TTKD.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system32TTKD.007 | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | N/A
File created | C:\Windows\system32TTKD.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | N/A
File created | C:\Windows\system32AKV.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | N/A
File created | C:\Windows\system32TTKD.001 | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | N/A
File created | C:\Windows\system32TTKD.006 | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system32TTKD.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32TTKD.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32TTKD.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2480 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
PID 2480 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
PID 2480 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
PID 2480 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
PID 2480 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
PID 2480 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
PID 2480 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
PID 2824 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | C:\Windows\system32TTKD.exe
PID 2824 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | C:\Windows\system32TTKD.exe
PID 2824 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | C:\Windows\system32TTKD.exe
PID 2824 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | C:\Windows\system32TTKD.exe
PID 2824 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | C:\Windows\system32TTKD.exe
PID 2824 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | C:\Windows\system32TTKD.exe
PID 2824 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp | C:\Windows\system32TTKD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp

"C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp"

C:\Windows\system32TTKD.exe

"C:\Windows\system32TTKD.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\sxe52A2.tmp

MD5 bd815b61f9948f93aface4033fbb4423
SHA1 b5391484009b39053fc8b1bba63d444969bafcfa
SHA256 b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76
SHA512 a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

\Users\Admin\AppData\Local\Temp\sxe52A4.tmp

MD5 c61cd043b2353595e0497a1d7916126a
SHA1 2644ad6dd86e78835947438acf19bd0ebe732d15
SHA256 c7d8268a8cccccd09665aaef23db71dbf8c3accaa92954847b83992a2147e687
SHA512 f4206cffe12b38d550f44bea5ebee10d4b29c6caf71fb1711a47e8b9fcf8c5ef5ec7f955114a33f761c7f1090fe782f01099e7efac35cc82009b609e5382d064

\Users\Admin\AppData\Local\Temp\@52E1.tmp

MD5 b7ea0bc4bb833ab77dce179f16039c14
SHA1 b05cc205aa6ffc60a5316c1d5d3831def5a60c20
SHA256 e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba
SHA512 5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

C:\Windows\system32TTKD.exe

MD5 912c55621b4c3f0fb2daef5b4f4f5f4c
SHA1 735701c75569b7563950508afc8948b52e7bf4b2
SHA256 41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0
SHA512 65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

C:\Windows\system32TTKD.001

MD5 20264c0df8eb2d69e6016fb791e3f146
SHA1 37fff22f166111d44fb9b8e160d78dc357b262b0
SHA256 c3fdb4fa5b54480cb214a683b7a8118a79951db6c4ed8408e9e2d768cbd28bbc
SHA512 83d3c51683de8f09489a21446f5171009c41a7b0d89edf0dbe63487b25ff7b6b139aa3c0f64a45033547988d2da6bd75fd1508f6e99b25d387c37458edd5d74d

C:\Windows\system32TTKD.006

MD5 87ccf7eb039971590aac6f254b2c788a
SHA1 3095496ffd364b32cdbe63ba4dd2f477fd848515
SHA256 59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b
SHA512 d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

memory/2784-34-0x0000000000260000-0x0000000000261000-memory.dmp

C:\Windows\system32TTKD.007

MD5 81938df0dbfee60828e9ce953bdf62e6
SHA1 b1182a051011e901c17eab2e28727bec8db475fb
SHA256 982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98
SHA512 64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

memory/2824-35-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/1920-36-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2824-39-0x00000000004C0000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3.JPG

MD5 371f6e8bdbc3cc30160c45ca5cd7d908
SHA1 34de4c638edee0eefb6a74e1e45b726377b1d075
SHA256 8ca32094e55c796691fcd38244bb65b6c3f885a633d14be37f9daef8c75e9b2e
SHA512 7daf11a8d1d921c989ee3c649f4f3a878c0ee5dd41e55b1f1a0e241897952f56cfb508edfc88a0aa2bed9a6f5a34159791395a326cb16ca65501a6322306b41b

memory/2784-41-0x0000000010000000-0x0000000010006000-memory.dmp

memory/2784-42-0x0000000000330000-0x0000000000336000-memory.dmp

memory/1920-44-0x00000000001F0000-0x00000000001F6000-memory.dmp

memory/1920-43-0x0000000010000000-0x0000000010006000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 01:00

Reported

2024-07-25 01:30

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32TTKD Agent = "C:\\Windows\\system32TTKD.exe" | C:\Windows\system32TTKD.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system32TTKD.001 | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A
File created | C:\Windows\system32TTKD.006 | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A
File created | C:\Windows\system32TTKD.007 | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A
File created | C:\Windows\system32TTKD.exe | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A
File created | C:\Windows\system32AKV.exe | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system32TTKD.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32TTKD.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32TTKD.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A
N/A | N/A | C:\Windows\system32TTKD.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp

"C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp"

C:\Windows\system32TTKD.exe

"C:\Windows\system32TTKD.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\sxeF879.tmp

MD5 bd815b61f9948f93aface4033fbb4423
SHA1 b5391484009b39053fc8b1bba63d444969bafcfa
SHA256 b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76
SHA512 a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

C:\Users\Admin\AppData\Local\Temp\sxeF88B.tmp

MD5 c61cd043b2353595e0497a1d7916126a
SHA1 2644ad6dd86e78835947438acf19bd0ebe732d15
SHA256 c7d8268a8cccccd09665aaef23db71dbf8c3accaa92954847b83992a2147e687
SHA512 f4206cffe12b38d550f44bea5ebee10d4b29c6caf71fb1711a47e8b9fcf8c5ef5ec7f955114a33f761c7f1090fe782f01099e7efac35cc82009b609e5382d064

C:\Users\Admin\AppData\Local\Temp\@F8C7.tmp

MD5 b7ea0bc4bb833ab77dce179f16039c14
SHA1 b05cc205aa6ffc60a5316c1d5d3831def5a60c20
SHA256 e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba
SHA512 5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

C:\Windows\system32TTKD.exe

MD5 912c55621b4c3f0fb2daef5b4f4f5f4c
SHA1 735701c75569b7563950508afc8948b52e7bf4b2
SHA256 41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0
SHA512 65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

C:\Windows\system32TTKD.001

MD5 20264c0df8eb2d69e6016fb791e3f146
SHA1 37fff22f166111d44fb9b8e160d78dc357b262b0
SHA256 c3fdb4fa5b54480cb214a683b7a8118a79951db6c4ed8408e9e2d768cbd28bbc
SHA512 83d3c51683de8f09489a21446f5171009c41a7b0d89edf0dbe63487b25ff7b6b139aa3c0f64a45033547988d2da6bd75fd1508f6e99b25d387c37458edd5d74d

memory/4108-35-0x0000000000A70000-0x0000000000A71000-memory.dmp

C:\Windows\system32TTKD.006

MD5 87ccf7eb039971590aac6f254b2c788a
SHA1 3095496ffd364b32cdbe63ba4dd2f477fd848515
SHA256 59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b
SHA512 d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

C:\Windows\system32TTKD.007

MD5 81938df0dbfee60828e9ce953bdf62e6
SHA1 b1182a051011e901c17eab2e28727bec8db475fb
SHA256 982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98
SHA512 64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

memory/4108-41-0x0000000000A70000-0x0000000000A71000-memory.dmp