Malware Analysis Report

2024-10-18 23:06

Sample ID 240726-eqfjfswajl
Target 72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118
SHA256 52b6abb3f02c4d3fb024e0bad88fcab677c5512d8e58119a3c768527fd411302
Tags
ardamax discovery keylogger persistence stealer
score
10/10


Analysis Overview

score
10/10

SHA256

52b6abb3f02c4d3fb024e0bad88fcab677c5512d8e58119a3c768527fd411302

Threat Level: Known bad

The file 72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 04:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 04:08

Reported

2024-07-26 04:36

Platform

win7-20240704-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DNOB Agent = "C:\\Windows\\SysWOW64\\28463\\DNOB.exe" C:\Windows\SysWOW64\28463\DNOB.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\DNOB.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.009 C:\Windows\SysWOW64\28463\DNOB.exe N/A
File opened for modification C:\Windows\SysWOW64\28463\DNOB.009 C:\Windows\SysWOW64\28463\DNOB.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.001 C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.006 C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.007 C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.exe C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\DNOB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\DNOB.exe

"C:\Windows\system32\28463\DNOB.exe"

C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe

"C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ftp.husranyolu.hu.funpic.de udp
DE 213.202.229.103:21 ftp.husranyolu.hu.funpic.de tcp
DE 213.202.229.103:21 ftp.husranyolu.hu.funpic.de tcp

Files

\Users\Admin\AppData\Local\Temp\@BA3B.tmp

MD5 ae40e8e0081ac79260616a167645f5d5
SHA1 056a1fd2caac824e2ef5917ec6227733924b0f40
SHA256 3b0ad6e71940ce5b0f7e2108a63a803e6838752983d696fae9551d93f7d374cc
SHA512 402ea3078d72d6039725790a308773b3a7f87a3987be09bca2d216aa8199b0a33ee137dd4c155635420607708f2e14062130fbc58b16de56a614815b0518311a

\Windows\SysWOW64\28463\DNOB.exe

MD5 e5c3d2be1c4e8ffe9b750d91edbbe400
SHA1 43f1ba1b1bfff30d1845ae446d936ff140694911
SHA256 af5df966c3fac4b4b63d62326db8e0c02aac7ff6bef18ffa71839fb20e09d22d
SHA512 6f462020eeaa3be0b80674899f3c957664d979b9e243a6802d75f8fa088f70a7b906b0f90c90e4b1f491e1ae7339b7fcffb986f26f75299b9f0c2364bf146903

C:\Windows\SysWOW64\28463\AKV.exe

MD5 c02715a00b92e3c8d227b62c962a596a
SHA1 9ba1f5cadb8a4881bb877837584bfc234759ab37
SHA256 065f66163d162f864df0924497cb8ce5728b6981292c250f91a1e625a4c32f02
SHA512 bbcb6afbdba6a7c1d8e4a5a22a3309d7f1ab01776cfb9b6317d77b935b5fdeba4b3ca43246afc0058e7fe82bf8a5fc8590d10c9cac1efa39d73978da49989b77

C:\Windows\SysWOW64\28463\DNOB.006

MD5 7cd001971037d8671cd1df50ab2ebe1f
SHA1 a0d80a31686f582d23a9ff64600dd96a4f67c4c5
SHA256 43647f5a2a99de59670247c4259e489fdec954f829e0e36c791ff0e57c512c00
SHA512 ea0f9c917fb073c8bd554231ce4084d59b0d8b64fea584ec3c1c85dc639ce0be19962e0f6c91b55799d7e228fb18beaf95c9988c705cfb9866787b0b2a3f244f

C:\Windows\SysWOW64\28463\DNOB.007

MD5 eca98214c3022425c070e8d2141db13e
SHA1 1c2e753741f211685aaeae7bb372adef6491c8f5
SHA256 f475a855fd1f83721eb3184e3b20154aed3b2241a2ec47c41c8753dd2ed2da66
SHA512 f17978d843c8108281a9db210ada7d57dd7f8a850f0c7162ee0836e863b4ee0f49a4489807408e129dd6c66e4dc00becd5594e988e8106e8698f1d2daac9e772

C:\Windows\SysWOW64\28463\DNOB.001

MD5 3dad3b9b3f1eef3d2237a8311b2161dd
SHA1 c0c5bee9ffbcea9818c873944d2684836e60682b
SHA256 46c0577551bae4c1938ab49530a125088f048936903b41734ed5dcd1e12e74f0
SHA512 21d168bf360abc468bcd947ab869dc6e181554fe72022ed3d90b8e918f48d4e4d65c845eefac31ffe8fca8eccad76020fed0a279521fce72330edcd3928b1525

memory/1944-23-0x0000000000250000-0x0000000000251000-memory.dmp

\Users\Admin\AppData\Local\Temp\CZCOMBO.exe

MD5 194fa33a5089d8e6d2745cfb882825b3
SHA1 d914d9698591690bc712c8ab6a94d05d4cb72a29
SHA256 9e7868d0b8d4efe28fc054911235eb3371c9b9a7764a10d2b2a00b50062ad2f7
SHA512 686d5819d08a2e1e28b210042201f1b245715deb21f8e4290d6d61772a84ae7cfbc989a33a6365a61c58f182d55825863e82fed37f5c865491635e34d51282ad


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 04:08

Reported

2024-07-26 04:37

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNOB Agent = "C:\\Windows\\SysWOW64\\28463\\DNOB.exe" C:\Windows\SysWOW64\28463\DNOB.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\DNOB.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.009 C:\Windows\SysWOW64\28463\DNOB.exe N/A
File opened for modification C:\Windows\SysWOW64\28463\DNOB.009 C:\Windows\SysWOW64\28463\DNOB.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.001 C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.006 C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.007 C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\DNOB.exe C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\DNOB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\DNOB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\DNOB.exe

"C:\Windows\system32\28463\DNOB.exe"

C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe

"C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ftp.husranyolu.hu.funpic.de udp
DE 213.202.229.103:21 ftp.husranyolu.hu.funpic.de tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 213.202.229.103:21 ftp.husranyolu.hu.funpic.de tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\@AB92.tmp

MD5 ae40e8e0081ac79260616a167645f5d5
SHA1 056a1fd2caac824e2ef5917ec6227733924b0f40
SHA256 3b0ad6e71940ce5b0f7e2108a63a803e6838752983d696fae9551d93f7d374cc
SHA512 402ea3078d72d6039725790a308773b3a7f87a3987be09bca2d216aa8199b0a33ee137dd4c155635420607708f2e14062130fbc58b16de56a614815b0518311a

C:\Windows\SysWOW64\28463\DNOB.exe

MD5 e5c3d2be1c4e8ffe9b750d91edbbe400
SHA1 43f1ba1b1bfff30d1845ae446d936ff140694911
SHA256 af5df966c3fac4b4b63d62326db8e0c02aac7ff6bef18ffa71839fb20e09d22d
SHA512 6f462020eeaa3be0b80674899f3c957664d979b9e243a6802d75f8fa088f70a7b906b0f90c90e4b1f491e1ae7339b7fcffb986f26f75299b9f0c2364bf146903

C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe

MD5 194fa33a5089d8e6d2745cfb882825b3
SHA1 d914d9698591690bc712c8ab6a94d05d4cb72a29
SHA256 9e7868d0b8d4efe28fc054911235eb3371c9b9a7764a10d2b2a00b50062ad2f7
SHA512 686d5819d08a2e1e28b210042201f1b245715deb21f8e4290d6d61772a84ae7cfbc989a33a6365a61c58f182d55825863e82fed37f5c865491635e34d51282ad

memory/832-29-0x0000000000400000-0x00000000004EA000-memory.dmp

C:\Windows\SysWOW64\28463\DNOB.007

MD5 eca98214c3022425c070e8d2141db13e
SHA1 1c2e753741f211685aaeae7bb372adef6491c8f5
SHA256 f475a855fd1f83721eb3184e3b20154aed3b2241a2ec47c41c8753dd2ed2da66
SHA512 f17978d843c8108281a9db210ada7d57dd7f8a850f0c7162ee0836e863b4ee0f49a4489807408e129dd6c66e4dc00becd5594e988e8106e8698f1d2daac9e772

C:\Windows\SysWOW64\28463\DNOB.006

MD5 7cd001971037d8671cd1df50ab2ebe1f
SHA1 a0d80a31686f582d23a9ff64600dd96a4f67c4c5
SHA256 43647f5a2a99de59670247c4259e489fdec954f829e0e36c791ff0e57c512c00
SHA512 ea0f9c917fb073c8bd554231ce4084d59b0d8b64fea584ec3c1c85dc639ce0be19962e0f6c91b55799d7e228fb18beaf95c9988c705cfb9866787b0b2a3f244f

C:\Windows\SysWOW64\28463\DNOB.001

MD5 3dad3b9b3f1eef3d2237a8311b2161dd
SHA1 c0c5bee9ffbcea9818c873944d2684836e60682b
SHA256 46c0577551bae4c1938ab49530a125088f048936903b41734ed5dcd1e12e74f0
SHA512 21d168bf360abc468bcd947ab869dc6e181554fe72022ed3d90b8e918f48d4e4d65c845eefac31ffe8fca8eccad76020fed0a279521fce72330edcd3928b1525

memory/208-36-0x0000000000690000-0x0000000000691000-memory.dmp

C:\Windows\SysWOW64\28463\AKV.exe

MD5 c02715a00b92e3c8d227b62c962a596a
SHA1 9ba1f5cadb8a4881bb877837584bfc234759ab37
SHA256 065f66163d162f864df0924497cb8ce5728b6981292c250f91a1e625a4c32f02
SHA512 bbcb6afbdba6a7c1d8e4a5a22a3309d7f1ab01776cfb9b6317d77b935b5fdeba4b3ca43246afc0058e7fe82bf8a5fc8590d10c9cac1efa39d73978da49989b77
