Malware Analysis Report

2024-10-18 23:06

Sample ID 240726-g5exksvckf
Target 72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118
SHA256 6c96462b8d07f48077c81df376233872b5f1b2e53739b02b244f51e53c2e5390
Tags ardamax discovery keylogger persistence stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

6c96462b8d07f48077c81df376233872b5f1b2e53739b02b244f51e53c2e5390

Threat Level: Known bad

The file 72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 06:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 06:22

Reported

2024-07-26 06:25

Platform

win7-20240704-en

Max time kernel

142s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IBJU Agent = "C:\\Windows\\SysWOW64\\28463\\IBJU.exe" C:\Windows\SysWOW64\28463\IBJU.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\IBJU.exe N/A
File created C:\Windows\SysWOW64\28463\IBJU.001 C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\IBJU.006 C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\IBJU.007 C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\IBJU.exe C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\key.bin C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\EnablePlugin\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\InProcServer32\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\PersistentHandler C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\PersistentHandler\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24} C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\DefaultIcon\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\MiscStatus\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\PersistentHandler\ = "{eec97550-47a9-11cf-b952-00aa0051fe20}" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\0\win32\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\TypeLib\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\InProcServer32\ = "C:\\Windows\\SysWOW64\\mshtml.dll" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\ProgID C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\ProgID\ = "htmlfile" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\ = "GrooveProjectMeetingDataDelegate" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\0\win32 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\43" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\BrowseInPlace\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\DefaultIcon C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\TypeLib C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\TypeLib\ = "{CEEFA37A-066B-16E7-ABA1-74970AAAB354}" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\BrowseInPlace C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\MiscStatus\ = "2228625" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\0\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\Version C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\EnablePlugin C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\MiscStatus C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\0 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\FLAGS C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\FLAGS\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\HELPDIR C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\InProcServer32 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\ProgID\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354} C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\Version\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\Version\ = "4.0" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\ = "Ivifaw Object" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F0654D4-9E2B-4955-4091-70A41DA4EE24}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,-19" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\FLAGS\ = "4" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEEFA37A-066B-16E7-ABA1-74970AAAB354}\1.0\HELPDIR\ C:\Windows\SysWOW64\28463\IBJU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\IBJU.exe

"C:\Windows\system32\28463\IBJU.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@1A25.tmp

MD5 36400e746829504282eb26b364826aa9
SHA1 d39ea9da98be0c331fd71002645f4f40664288a2
SHA256 c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0
SHA512 5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

C:\Windows\SysWOW64\28463\IBJU.exe

MD5 b181beaba4204ac3ce7bc8e6f0b74312
SHA1 4ab13763d2ecdf0968f15a39302aab2b1f0ab462
SHA256 f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d
SHA512 d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

C:\Windows\SysWOW64\28463\key.bin

MD5 27c90d4d9b049f4cd00f32ed1d2e5baf
SHA1 338a3ea8f1e929d8916ece9b6e91e697eb562550
SHA256 172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb
SHA512 d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

C:\Windows\SysWOW64\28463\IBJU.001

MD5 5a727bb558fa4e82a85036ead0668ea9
SHA1 cda3de5e0d14164833aed08bc02c8a91eeaa3176
SHA256 fbc88fb6117c2f21978a6519070ea334d840253dd5376f12d11d1283325204f6
SHA512 53f58bc052d9e2a744cdc0a71c2f8bb69515b92c6ead833c0632218ed2fcfde0dc96446bc5dc04960b4405fc77f453c18ca0c54789b12a9c13b9d1182e7b30f6

C:\Windows\SysWOW64\28463\AKV.exe

MD5 f34b87951e1a931e01df1bc9f1b98207
SHA1 f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1
SHA256 e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b
SHA512 c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

C:\Windows\SysWOW64\28463\IBJU.007

MD5 15eb312db4b3e208b67082653acb8a02
SHA1 b0926b1e1733baa3d7f18d3806916f92704fccff
SHA256 72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8
SHA512 7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

C:\Windows\SysWOW64\28463\IBJU.006

MD5 98d22fb2035a26a6b9b7decc0c0ff2fa
SHA1 43a75cf59fc2f8b59b1d962b4e685249eef816d5
SHA256 fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25
SHA512 3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

C:\Users\Admin\AppData\Local\Temp\Hell Vip FREE 30 DayS!.ico

MD5 095e4b11bc07acedf9eacb0195819280
SHA1 86a292d3a4a6d03df8b823d639ad9e95b1bd9b27
SHA256 f8a0b0d19e121157d2a5ded950f541bd23348b17dffdbcbcb7b92b904554bc0a
SHA512 48c3ef9375cbbdac157eb369080bcda6a46f7989dd781adddb60ab9320b95ad087222893b120c74f4770296b8fc80c6a8fca924af8359c843a335c0bbcb110dc

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 06:22

Reported

2024-07-26 06:25

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IBJU Agent = "C:\\Windows\\SysWOW64\\28463\\IBJU.exe" C:\Windows\SysWOW64\28463\IBJU.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\IBJU.007 C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\IBJU.exe C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\key.bin C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\IBJU.exe N/A
File created C:\Windows\SysWOW64\28463\IBJU.001 C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\IBJU.006 C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\Implemented Categories\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\ProgID\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\ProgID\ = "WinForms.Control.Host.V3" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0\win64\ = "C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\TypeLib\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\TypeLib\ = "{166768B3-7FD2-751A-A128-D483C5614773}" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\Version\ = "9.0" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\Control C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\ProgID C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773} C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\Version\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\InprocServer32 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0\win64 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0\win64\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\FLAGS C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\FLAGS\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\Control\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\ = "Microsoft ActiveX Data Objects 2.1 Library" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0\win32 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\TypeLib C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\Version C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD} C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\ = "Ajeqava Class" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\Implemented Categories C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0\win32\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\0\win32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1 C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\InprocServer32\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804D4C67-9EB9-4038-B0B2-4CE492FCD5BD}\InprocServer32\ = "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\ C:\Windows\SysWOW64\28463\IBJU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{166768B3-7FD2-751A-A128-D483C5614773}\2.1\FLAGS\ = "0" C:\Windows\SysWOW64\28463\IBJU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\IBJU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\72e8fac6c5dd8b5a108640182806fe3c_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\IBJU.exe

"C:\Windows\system32\28463\IBJU.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
N/A 13.89.178.26:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\@A0B4.tmp

MD5 36400e746829504282eb26b364826aa9
SHA1 d39ea9da98be0c331fd71002645f4f40664288a2
SHA256 c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0
SHA512 5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

C:\Windows\SysWOW64\28463\IBJU.exe

MD5 b181beaba4204ac3ce7bc8e6f0b74312
SHA1 4ab13763d2ecdf0968f15a39302aab2b1f0ab462
SHA256 f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d
SHA512 d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

C:\Windows\SysWOW64\28463\key.bin

MD5 27c90d4d9b049f4cd00f32ed1d2e5baf
SHA1 338a3ea8f1e929d8916ece9b6e91e697eb562550
SHA256 172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb
SHA512 d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

C:\Windows\SysWOW64\28463\AKV.exe

MD5 f34b87951e1a931e01df1bc9f1b98207
SHA1 f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1
SHA256 e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b
SHA512 c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

C:\Windows\SysWOW64\28463\IBJU.007

MD5 15eb312db4b3e208b67082653acb8a02
SHA1 b0926b1e1733baa3d7f18d3806916f92704fccff
SHA256 72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8
SHA512 7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

C:\Windows\SysWOW64\28463\IBJU.006

MD5 98d22fb2035a26a6b9b7decc0c0ff2fa
SHA1 43a75cf59fc2f8b59b1d962b4e685249eef816d5
SHA256 fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25
SHA512 3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

C:\Windows\SysWOW64\28463\IBJU.001

MD5 5a727bb558fa4e82a85036ead0668ea9
SHA1 cda3de5e0d14164833aed08bc02c8a91eeaa3176
SHA256 fbc88fb6117c2f21978a6519070ea334d840253dd5376f12d11d1283325204f6
SHA512 53f58bc052d9e2a744cdc0a71c2f8bb69515b92c6ead833c0632218ed2fcfde0dc96446bc5dc04960b4405fc77f453c18ca0c54789b12a9c13b9d1182e7b30f6
