Analysis

max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 04:08

Static task: static1

Behavioral task: behavioral1
  Sample: 72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
Size: 1.0MB
MD5: 72878c59a8d5c93bc876b7f11ba0bc32
SHA1: 73df301501f6b378d84937042866f2e037eb43af
SHA256: 52b6abb3f02c4d3fb024e0bad88fcab677c5512d8e58119a3c768527fd411302
SHA512: b002528d23b83004ff9e9f90d9062f543b063f7cd7f0e36fe03e6a370bd3497779488a029f71d8a02192ef935f66ff08e4808f3d38745e5b22d53a4db7598617
SSDEEP: 24576:Xtg7etcwyCJrSCk6mTnBGLuwcfv6WYbeQ:XgzwyCJeCk5B8uwcfr1Q
Malware Config

Signatures

Ardamax main executable (1 IoC)
  resource                            yara_rule
  \Windows\SysWOW64\28463\DNOB.exe    family_ardamax

Executes dropped EXE (2 IoCs)
  pid     process
  1944    DNOB.exe
  2376    CZCOMBO.exe

Loads dropped DLL (11 IoCs)
  pid     process
  2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  1944    DNOB.exe
  1944    DNOB.exe
  2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  2376    CZCOMBO.exe
  2376    CZCOMBO.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description        ioc                                                                                                                                    process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DNOB Agent = "C:\\Windows\\SysWOW64\\28463\\DNOB.exe"    DNOB.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (8 IoCs)
  description                     ioc                                     process
  File opened for modification    C:\Windows\SysWOW64\28463               DNOB.exe
  File created                    C:\Windows\SysWOW64\28463\DNOB.009      DNOB.exe
  File opened for modification    C:\Windows\SysWOW64\28463\DNOB.009      DNOB.exe
  File created                    C:\Windows\SysWOW64\28463\DNOB.001      72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  File created                    C:\Windows\SysWOW64\28463\DNOB.006      72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  File created                    C:\Windows\SysWOW64\28463\DNOB.007      72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  File created                    C:\Windows\SysWOW64\28463\DNOB.exe      72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  File created                    C:\Windows\SysWOW64\28463\AKV.exe       72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description    ioc                                                           process
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    CZCOMBO.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    DNOB.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                          pid     process
  Token: 33                            1944    DNOB.exe
  Token: SeIncBasePriorityPrivilege    1944    DNOB.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid     process
  1944    DNOB.exe
  1944    DNOB.exe
  1944    DNOB.exe
  1944    DNOB.exe
  1944    DNOB.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid     process                                                target process
  PID 2552 wrote to memory of 1944    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    DNOB.exe
  PID 2552 wrote to memory of 1944    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    DNOB.exe
  PID 2552 wrote to memory of 1944    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    DNOB.exe
  PID 2552 wrote to memory of 1944    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    DNOB.exe
  PID 2552 wrote to memory of 2376    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    CZCOMBO.exe
  PID 2552 wrote to memory of 2376    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    CZCOMBO.exe
  PID 2552 wrote to memory of 2376    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    CZCOMBO.exe
  PID 2552 wrote to memory of 2376    2552    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe    CZCOMBO.exe
Processes

C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe"
  PID: 2552
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  |- C:\Windows\SysWOW64\28463\DNOB.exe
       Command line: "C:\Windows\system32\28463\DNOB.exe"
       PID: 1944
       - Executes dropped EXE
       - Loads dropped DLL
       - Adds Run key to start application
       - Drops file in System32 directory
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx

  |- C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe"
       PID: 2376
       - Executes dropped EXE
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads