Malware Analysis Report

2024-10-18 23:06

Sample ID 240725-pgj6dsyamj
Target 6f89f777e3e7b94a18e212a16f986434_JaffaCakes118
SHA256 f6f98db33080a2eef74f7315947ed9032f37f98e92c24ff663fea7f11be45515
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

f6f98db33080a2eef74f7315947ed9032f37f98e92c24ff663fea7f11be45515

Threat Level: Known bad

The file 6f89f777e3e7b94a18e212a16f986434_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. Technique mapping derived from the signature names recorded in this report:

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application)
T1614 System Location Discovery (Checks computer location settings)
T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened)
T1518 Software Discovery (Checks installed software on the system)
T1082 System Information Discovery (Enumerates physical storage devices)
T1056.001 Input Capture: Keylogging (Ardamax keylogger; SetWindowsHookEx use)

Analysis: static1

Detonation Overview

Reported

2024-07-25 12:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 12:17

Reported

2024-07-25 12:20

Platform

win7-20240704-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DQHV Agent = "C:\\Windows\\SysWOW64\\28463\\DQHV.exe" | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\DQHV.001 | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\DQHV.006 | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\DQHV.007 | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\DQHV.exe | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Suspicious use of SetWindowsHookEx

The sandbox records neither the hook type nor the target thread for these five calls. Windows keyloggers normally capture keystrokes through a WH_KEYBOARD or WH_KEYBOARD_LL hook, so on a live host confirm the hook type before treating these calls as keystroke capture.

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\DQHV.exe

"C:\Windows\system32\28463\DQHV.exe"

The command line says system32 while the file events above say SysWOW64. DQHV.exe is a 32-bit process (its Run value also landed under Wow6432Node), and on 64-bit Windows WOW64 file-system redirection maps a 32-bit process's access to C:\Windows\system32 onto C:\Windows\SysWOW64. Match both spellings of the path when hunting for this sample.

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@D0F5.tmp

MD5 ac2120f3b2fb824a5c1f3752dc944d21
SHA1 8bfbf3887103e886736e0802f88ed860a450856e
SHA256 fd9c203a32eec0afe4ab1e3ae02c68ac27649120bb3f0af68852ba487384ecaf
SHA512 474d77a27e3553aa58b394e77317a770f700f59580820741269e6c4746e664ce483a33a51baecd45ef4ac1a13e451a2c47d95c9abb79c7bc5cf902646f78c90f

\Windows\SysWOW64\28463\DQHV.exe

MD5 0c7a714b8e1d2ead2afc90dcc43bbe18
SHA1 66736613f22771f5da5606ed8c80b572b3f5c103
SHA256 800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e
SHA512 35db0de86c168eb6302dcbaa1e1f9ec96b5a8814e7067e1a7bb682e9f35fc06c51148a08e6f7df1e8caeb2effde555c53966a8922e8fef6b7ce194dc81c984b4

C:\Windows\SysWOW64\28463\AKV.exe

MD5 33dc7c00c1d64022dcea78d2147a90a5
SHA1 21b50a05d4bbfe74c1df846d9268dc953f8050a3
SHA256 e6164ff194fb651a44db5a78d680bc19efe242f3f8e95f5aedbe1cc7f00ef4ef
SHA512 3f5e3db56d056d49b094b33ddcdae8c528ec19851daa9576f00cb347f628b82bbe045fee51d92cf5507822188e5bce17b745cbc6bad155fae16b73eb191bb98f

C:\Windows\SysWOW64\28463\DQHV.007

MD5 b128c2f3eafaff6725ed554a2a21b72f
SHA1 377c206483b5348eb4b657363d29cae830be0b8c
SHA256 b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef
SHA512 3de5ec44becf7520d7ae32764b4636a1d727ab92d192fd92d725d6d308067e331f88e62f3cd9a4a334eb1d9e2ea44bf30f14ebd4e4f2877cdbd6b7bf0ed771c8

C:\Windows\SysWOW64\28463\DQHV.006

MD5 8499922ab422c17e550a724083be50c7
SHA1 914aa24da69f9882d12d7d7cceae38de4dbcad1c
SHA256 894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a
SHA512 9d2e7619c7e8e459449a7f70d581ae52a1d33ba1c90b2a14812c2a44474451dc06e78a8e410aae5e7caf9306bbe739b1eeca1a1bc167498a982d9f1320dbbd1b

C:\Windows\SysWOW64\28463\DQHV.001

MD5 d8025c14f8ec39a9f253563e9867e55b
SHA1 2d9e43068cc752c371e538515f30c841c9ba8700
SHA256 4b3191c40ca0d5fc5a373cce74d80563e2e3f7ce3a30cf0cf307ea0456f49246
SHA512 46f53b79c6dd912f746268327f53ba4bb2761136bfc0bb93cd40c9cea52b4b566ea2ed6641bd88096abee0eac44295571e7857c686f97f152d93b14c1da21db6

memory/980-24-0x0000000000250000-0x0000000000251000-memory.dmp

memory/980-27-0x0000000000250000-0x0000000000251000-memory.dmp
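The behavioral1 indicators above (the DQHV Agent Run value under Wow6432Node, the 28463 drop directory under the system directory, and the dropped-file hashes) turned into detection logic and run over Sysmon-style events. This is an added example, not part of the sandbox report: the IOC values are copied from the report, but the `key=value|key=value` line layout and the six sample events are constructed here, and the looser `run_key_numeric_sysdir` rule is an assumption about other builds of the same family that the report does not confirm.

```python
"""Detection logic for the behavioral1 indicators, run over constructed
Sysmon-style events.  Added example: IOC values come from the report; the
log layout and sample events are constructed for illustration."""
import re

# --- IOCs copied from the report -------------------------------------------
RUN_VALUE_NAME = "DQHV Agent"
KNOWN_SHA256 = {
    "f6f98db33080a2eef74f7315947ed9032f37f98e92c24ff663fea7f11be45515",  # submitted sample
    "800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e",  # 28463\DQHV.exe
    "e6164ff194fb651a44db5a78d680bc19efe242f3f8e95f5aedbe1cc7f00ef4ef",  # 28463\AKV.exe
    "4b3191c40ca0d5fc5a373cce74d80563e2e3f7ce3a30cf0cf307ea0456f49246",  # DQHV.001
    "894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a",  # DQHV.006
    "b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef",  # DQHV.007
    "fd9c203a32eec0afe4ab1e3ae02c68ac27649120bb3f0af68852ba487384ecaf",  # @D0F5.tmp
}
# Build-specific drop directory.  The process was launched as
# ...\system32\28463\DQHV.exe but the file lives in SysWOW64 (WOW64 file-system
# redirection for a 32-bit process), so both spellings must match.
DROP_DIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\28463\\", re.I)
# Looser rule (assumption, not from the report): a Run value whose data points
# into a purely numeric subdirectory of the system directory.
GENERIC_DROP_DIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\\d+\\[^\\]+\.exe", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' line into a dict."""
    event = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def sha256_of(event):
    """Pull the SHA256 out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for item in event.get("Hashes", "").split(","):
        algo, sep, digest = item.partition("=")
        if sep and algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def classify(event):
    """Return the rule names the event triggers (empty list if nothing fires)."""
    hits = []
    eid = event.get("EventID")
    if eid == "13":  # registry value set
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        details = event.get("Details", "")
        if m:
            if m.group(1) == RUN_VALUE_NAME or DROP_DIR_RE.search(details):
                hits.append("ardamax_run_key")
            elif GENERIC_DROP_DIR_RE.search(details):
                hits.append("run_key_numeric_sysdir")  # lower confidence
    if eid == "11" and DROP_DIR_RE.search(event.get("TargetFilename", "")):
        hits.append("drop_in_system_dir")
    if eid == "1" and (DROP_DIR_RE.search(event.get("Image", ""))
                       or DROP_DIR_RE.search(event.get("CommandLine", ""))):
        hits.append("exec_from_drop_dir")
    if sha256_of(event) in KNOWN_SHA256:
        hits.append("known_hash")
    return hits


def scan(lines):
    """Map line index -> rule hits; lines that trigger nothing are omitted."""
    findings = {}
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings[i] = hits
    return findings


# Constructed events mirroring the behavioral1 timeline, plus two extras.
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe"
    "|Hashes=SHA256=F6F98DB33080A2EEF74F7315947ED9032F37F98E92C24FF663FEA7F11BE45515",
    "EventID=11|Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe"
    "|TargetFilename=C:\\Windows\\SysWOW64\\28463\\DQHV.exe",
    "EventID=1|Image=C:\\Windows\\SysWOW64\\28463\\DQHV.exe"
    "|CommandLine=\"C:\\Windows\\system32\\28463\\DQHV.exe\""
    "|Hashes=SHA256=800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e",
    "EventID=13|Image=C:\\Windows\\SysWOW64\\28463\\DQHV.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DQHV Agent"
    "|Details=C:\\Windows\\SysWOW64\\28463\\DQHV.exe",
    # hypothetical other build with different names; hits only the generic rule
    "EventID=13|Image=C:\\Windows\\SysWOW64\\91177\\XYZW.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\XYZW Agent"
    "|Details=C:\\Windows\\system32\\91177\\XYZW.exe",
    # benign Run value written by an installer; must not fire
    "EventID=13|Image=C:\\Program Files\\Vendor\\setup.exe"
    "|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray"
    "|Details=C:\\Program Files\\Vendor\\tray.exe",
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(rules)}")
```

The hash rule is exact but brittle (a rebuilt sample changes every hash); the Run-value and drop-directory rules survive a rebuild only if the build keeps the same names, which is why the generalized path rule is kept as a separate, lower-confidence hit rather than folded into the Ardamax rule.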

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 12:17

Reported

2024-07-25 12:20

Platform

win10v2004-20240704-en

Max time kernel

139s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DQHV Agent = "C:\\Windows\\SysWOW64\\28463\\DQHV.exe" | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
File created | C:\Windows\SysWOW64\28463\DQHV.001 | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\DQHV.006 | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\DQHV.007 | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\DQHV.exe | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\DQHV.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6f89f777e3e7b94a18e212a16f986434_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\DQHV.exe

"C:\Windows\system32\28463\DQHV.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

All recorded traffic is to Bing endpoints plus reverse-DNS (in-addr.arpa) lookups, consistent with ordinary Windows 10 background activity rather than with the sample. No connection attributable to DQHV.exe or the parent process was captured, and the behavioral1 run on Windows 7 recorded no network activity at all, so these destinations should not be used as indicators.

Files

Every dropped file below carries the same hashes as its counterpart in behavioral1 (only the name of the @*.tmp file differs between the two runs), so the components are carried inside the submitted sample rather than fetched at run time.

C:\Users\Admin\AppData\Local\Temp\@AC5D.tmp

MD5 ac2120f3b2fb824a5c1f3752dc944d21
SHA1 8bfbf3887103e886736e0802f88ed860a450856e
SHA256 fd9c203a32eec0afe4ab1e3ae02c68ac27649120bb3f0af68852ba487384ecaf
SHA512 474d77a27e3553aa58b394e77317a770f700f59580820741269e6c4746e664ce483a33a51baecd45ef4ac1a13e451a2c47d95c9abb79c7bc5cf902646f78c90f

C:\Windows\SysWOW64\28463\DQHV.exe

MD5 0c7a714b8e1d2ead2afc90dcc43bbe18
SHA1 66736613f22771f5da5606ed8c80b572b3f5c103
SHA256 800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e
SHA512 35db0de86c168eb6302dcbaa1e1f9ec96b5a8814e7067e1a7bb682e9f35fc06c51148a08e6f7df1e8caeb2effde555c53966a8922e8fef6b7ce194dc81c984b4

C:\Windows\SysWOW64\28463\AKV.exe

MD5 33dc7c00c1d64022dcea78d2147a90a5
SHA1 21b50a05d4bbfe74c1df846d9268dc953f8050a3
SHA256 e6164ff194fb651a44db5a78d680bc19efe242f3f8e95f5aedbe1cc7f00ef4ef
SHA512 3f5e3db56d056d49b094b33ddcdae8c528ec19851daa9576f00cb347f628b82bbe045fee51d92cf5507822188e5bce17b745cbc6bad155fae16b73eb191bb98f

C:\Windows\SysWOW64\28463\DQHV.001

MD5 d8025c14f8ec39a9f253563e9867e55b
SHA1 2d9e43068cc752c371e538515f30c841c9ba8700
SHA256 4b3191c40ca0d5fc5a373cce74d80563e2e3f7ce3a30cf0cf307ea0456f49246
SHA512 46f53b79c6dd912f746268327f53ba4bb2761136bfc0bb93cd40c9cea52b4b566ea2ed6641bd88096abee0eac44295571e7857c686f97f152d93b14c1da21db6

C:\Windows\SysWOW64\28463\DQHV.006

MD5 8499922ab422c17e550a724083be50c7
SHA1 914aa24da69f9882d12d7d7cceae38de4dbcad1c
SHA256 894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a
SHA512 9d2e7619c7e8e459449a7f70d581ae52a1d33ba1c90b2a14812c2a44474451dc06e78a8e410aae5e7caf9306bbe739b1eeca1a1bc167498a982d9f1320dbbd1b

C:\Windows\SysWOW64\28463\DQHV.007

MD5 b128c2f3eafaff6725ed554a2a21b72f
SHA1 377c206483b5348eb4b657363d29cae830be0b8c
SHA256 b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef
SHA512 3de5ec44becf7520d7ae32764b4636a1d727ab92d192fd92d725d6d308067e331f88e62f3cd9a4a334eb1d9e2ea44bf30f14ebd4e4f2877cdbd6b7bf0ed771c8

memory/2200-23-0x0000000000680000-0x0000000000681000-memory.dmp

memory/2200-27-0x0000000000680000-0x0000000000681000-memory.dmp