Analysis
  max time kernel:   120s
  max time network:  118s
  platform:          windows7_x64
  resource:          win7-20240705-en
  resource tags:     arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:         25-07-2024 01:22
Static task
  static1

Behavioral task
  behavioral1
  Sample:    6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
  Resource:  win7-20240705-en

Behavioral task
  behavioral2
  Sample:    6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
  Resource:  win10v2004-20240704-en
General
  Target:  6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
  Size:    1.3MB
  MD5:     6d9645853f6a14a564f7be1110327e6f
  SHA1:    fb1846009cd0065061cb36c8d263ed6c1fcbd8cd
  SHA256:  903a315f8e05abfbdc9cf2b32f5c23c770505d5dcb1190c5e17a8117287ce4f4
  SHA512:  da0c7807bdd5a817f2474f0a3d2eafc32281ed9d15ce33f1d7aad9fc8f41629cac5e303ce905fc97c73f1125e2eadf8a1ec3e3795ad5226d8e93c39a1951df28
  SSDEEP:  24576:lJF4vJ6FKrNSxFYM7xgZniP6MLeFFRYnQwzOR6cBWMy/vYKiGfAbZhDAv4:lJF4xSxyMlgozev0QwuWXPNIlE4
Malware Config
Signatures
Ardamax main executable (1 IoC)
  resource:   \Windows\SysWOW64\MCBFIX\LDB.exe
  yara_rule:  family_ardamax

Executes dropped EXE (3 IoCs)
  PID 1464  Install.exe
  PID 884   Kermit.exe
  PID 1060  LDB.exe

Loads dropped DLL (12 IoCs)
  PID 2440  6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
  PID 1464  Install.exe
  PID 2440  6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
  PID 1464  Install.exe
  PID 884   Kermit.exe
  PID 884   Kermit.exe
  PID 1464  Install.exe
  PID 1060  LDB.exe
  PID 1060  LDB.exe
  PID 884   Kermit.exe
  PID 1060  LDB.exe
  PID 884   Kermit.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LDB Start = "C:\\Windows\\SysWOW64\\MCBFIX\\LDB.exe"  (process: LDB.exe)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
  File created                  C:\Windows\SysWOW64\MCBFIX\LDB.exe  (process: Install.exe)
  File opened for modification  C:\Windows\SysWOW64\MCBFIX\         (process: LDB.exe)
  File created                  C:\Windows\SysWOW64\MCBFIX\LDB.004  (process: Install.exe)
  File created                  C:\Windows\SysWOW64\MCBFIX\LDB.001  (process: Install.exe)
  File created                  C:\Windows\SysWOW64\MCBFIX\LDB.002  (process: Install.exe)
  File created                  C:\Windows\SysWOW64\MCBFIX\LDB.003  (process: Install.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: Install.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: Kermit.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: LDB.exe)
NSIS installer (2 IoCs)
  resource:   \Users\Admin\AppData\Local\Temp\Kermit.exe
  yara_rule:  nsis_installer_1
  resource:   \Users\Admin\AppData\Local\Temp\Kermit.exe
  yara_rule:  nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 884  Kermit.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33                          PID 1060  LDB.exe
  Token: SeIncBasePriorityPrivilege  PID 1060  LDB.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1060  LDB.exe
  PID 1060  LDB.exe
  PID 1060  LDB.exe
  PID 1060  LDB.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2440 wrote to memory of 1464  6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe -> Install.exe  (7 entries)
  PID 2440 wrote to memory of 884   6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe -> Kermit.exe   (7 entries)
  PID 1464 wrote to memory of 1060  Install.exe -> LDB.exe                                             (7 entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe  (PID 2440, level 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Install.exe  (PID 1464, level 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\MCBFIX\LDB.exe  (PID 1060, level 3)
        command line: "C:\Windows\system32\MCBFIX\LDB.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\Kermit.exe  (PID 884, level 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\Kermit.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize  703B
  MD5       b7a080223bb6819cac4c87328c46fabf
  SHA1      42f7c5ea7e67248e2ce4648c6f54f2425cd5518e
  SHA256    315871214e27b9acfda09f5f32e837f8b99f6dd03a76618e9793bfd46b831282
  SHA512    dc8722efb3fb40646511e1fbe30ae7b4654e44e06ba23806f9d4f5601f0000494dbe13a1ba82f746c7abf4cfab3b83cfe00a08a4c19c4d86fedd0bf699b151a5

  Filesize  61KB
  MD5       383d5f5d4240d590e7dec3f7312a4ac7
  SHA1      f6bcade8d37afb80cf52a89b3e84683f4643fbce
  SHA256    7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422
  SHA512    e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

  Filesize  43KB
  MD5       93df156c4bd9d7341f4c4a4847616a69
  SHA1      c7663b32c3c8e247bc16b51aff87b45484652dc1
  SHA256    e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e
  SHA512    ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

  Filesize  65KB
  MD5       cefd6e9c8a039ab9a7833414dfb03f76
  SHA1      2a026d0514e0119d0fd545a0d2f6deb198806b70
  SHA256    4d71cf9a598c7babd938c2635a755441da18502118cc3336ae25389510c7d01f
  SHA512    efcfd6654bf0c45158f43a8c8fd45cc8d40cac227926faa0cd368f1d8012df1bc271f3c7d5db539b1bf282087e533e5a809cf040ac087fcfab58bb320c5a5502

  Filesize  1KB
  MD5       12184213127875905ed91975d1972e48
  SHA1      42431004f6a147e75875361ee8dc029fb5add072
  SHA256    c2c838072aa40b9b29ce12e0051c11bc2b0b46efc814b4462ac4502136f4e983
  SHA512    7c8a48270f8804205ced0cbfefd4ce63fc7cf53bdf866416d941e805655d637f31f3650d24da3b6fbe7407e3ce43d3a7f14658b28adb457281e1d552d654b8f9

  Filesize  972KB
  MD5       7852b729c3ac6da81dc48173058c1e51
  SHA1      f66fb8c96bdaf5e4f6901280f1b4096b31efc496
  SHA256    9f8a15c488dc42ee3694996d10df1cc734107b62afb526ef2a157f45bc63ee26
  SHA512    72a0a8359b02a832eb2d493bf663ad8b312ca2bc25b69e55ccd26b3b4879a01e379712e49dc2ffb2711dab49e595713909549c225a2f6654533904660f4add09

  Filesize  380KB
  MD5       6146c7becde8f5aa3f06c56a5c7876c6
  SHA1      599b289ae7ddd6fd3a1e3ded4b6a7db0b627603b
  SHA256    94b2bd510e45e2e4611d8106a88fe26d3beafae9acb5f1f94d9042a705605e84
  SHA512    4260e85d70b98855ebb234ba180a3056d4bc181ba4f3628c16a6953474e50d9001178cf933f4dd8462e70e438e51df9e380724ce8daa59c62505ab4d0e62c347

  Filesize  14KB
  MD5       325b008aec81e5aaa57096f05d4212b5
  SHA1      27a2d89747a20305b6518438eff5b9f57f7df5c3
  SHA256    c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
  SHA512    18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

  Filesize  1.7MB
  MD5       3cd29c0df98a7aeb69a9692843ca3edb
  SHA1      7c86aea093f1979d18901bd1b89a2b02a60ac3e2
  SHA256    5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32
  SHA512    e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9