Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 09:58
Static task: static1
Behavioral task: behavioral1
  Sample: 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
Size: 1.4MB
MD5: 73925ab83867f47654bc3d68b8ca8153
SHA1: 41d917f3566fa677e1c233244622e8cd8edf268e
SHA256: 5540c4308c8d2c0ab691ec58fd7e3925a5ac4aae3600ba28e45db92053edbfc1
SHA512: b75572feed842370f7040af024f997cff41b28b69993acd60ada6901316816aad9af7c65c65e6b8e82eaae823bfe950274655d02fd9db634b2110392c417e1cc
SSDEEP: 24576:tiITmQR/lSUa6UqHiaCi3m2iNlpWyeSy/gnSTeiRRx0axirlRdOhpxqPABcuX/kq:t3TD/xa6U6X332llp6gnCAEpxqPocuvc
Malware Config
Signatures
Ardamax main executable (1 IoC)
The yara_rule family_ardamax matched the dropped file \Windows\SysWOW64\BMQEIV\WKE.exe. Ardamax is a commercially sold keylogger; the match is on the dropped component, which is the file to pull for further analysis rather than the outer sample.
  resource: \Windows\SysWOW64\BMQEIV\WKE.exe, rule: family_ardamax
Executes dropped EXE (3 IoCs)
  PID 3048  WKE.exe
  PID 2760  GalaxiCyber.exe
  PID 2892  GalaxiCyber.exe
Loads dropped DLL (5 IoCs)
  PID 2036  73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe (3 events)
  PID 2760  GalaxiCyber.exe (2 events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WKE Start = "C:\\Windows\\SysWOW64\\BMQEIV\\WKE.exe"  (process: WKE.exe)
The value lands under Wow6432Node and the target under SysWOW64 because WKE.exe is a 32-bit process on an x64 host: WOW64 registry and file-system redirection map its writes to HKLM\SOFTWARE\...\Run and C:\Windows\system32 to those locations (the process tree shows WKE.exe launched with the unredirected command line C:\Windows\system32\BMQEIV\WKE.exe). An autostart audit that reads only the native 64-bit Run key misses this entry; check the Wow6432Node view as well.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  GalaxiCyber.exe opened (read-only) the root of each of: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (every letter except C:, D: and F:; the probes are in the unsorted order the report lists them, which suggests a fixed loop over letters rather than a query of mounted volumes)
Drops file in System32 directory (5 IoCs)
All five files were created by 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe (PID 2036):
  File created C:\Windows\SysWOW64\BMQEIV\WKE.exe
  File created C:\Windows\SysWOW64\BMQEIV\WKE.004
  File created C:\Windows\SysWOW64\BMQEIV\WKE.001
  File created C:\Windows\SysWOW64\BMQEIV\WKE.002
  File created C:\Windows\SysWOW64\BMQEIV\AKV.exe
The .001/.002/.004 files share the WKE stem and are non-executable companions to WKE.exe; the report does not say what they contain. AKV.exe is a second executable dropped into the same directory that is never executed in this run.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WKE.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GalaxiCyber.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GalaxiCyber.exe
This key is also read by benign locale-aware code, so on its own it is a weak indicator; it is listed because every process in the chain reads it.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2892  GalaxiCyber.exe
SetWindowsHookEx installs a Windows hook procedure (keyboard hooks among them) and is the classic user-mode keylogging primitive. Note that the call comes from the second GalaxiCyber.exe instance, not from the Ardamax component WKE.exe; the report does not identify which hook type was installed.
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2036 (73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe) wrote to memory of PID 3048 (WKE.exe)           4 events
  PID 2036 (73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe) wrote to memory of PID 2760 (GalaxiCyber.exe)   4 events
  PID 2760 (GalaxiCyber.exe) wrote to memory of PID 2892 (GalaxiCyber.exe)                                      4 events
Every target is a child the writer itself launched, and the four writes per pair are the pattern produced by ordinary process creation, so this signature adds nothing beyond the process tree here; it would matter if a target PID were a process the writer did not create.
Processes
1. C:\Users\Admin\AppData\Local\Temp\73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe"
   PID: 2036
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\BMQEIV\WKE.exe
      command line: "C:\Windows\system32\BMQEIV\WKE.exe"  (system32 in the command line, SysWOW64 on disk: WOW64 file-system redirection)
      PID: 3048
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\GalaxiCyber.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\GalaxiCyber.exe"
      PID: 2760
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\~sfx007D620CD0\GalaxiCyber.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\~sfx007D620CD0\GalaxiCyber.exe"
         PID: 2892
         - Executes dropped EXE
         - Enumerates connected drives
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
The outer sample spawns two independent branches: the Ardamax component WKE.exe, which only persists itself, and GalaxiCyber.exe, which unpacks a second copy of itself into a ~sfx… temp directory (a naming pattern typical of self-extracting archive stubs) and runs it; the drive enumeration and hook installation happen in that second copy.
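The signature records above are rendered as run-together text, which is awkward to triage by eye. The following Python script is an added example for this page, not tooling from the sandbox vendor or code from the sample: it parses the "Drops file in System32 directory", "Adds Run key" and "WriteProcessMemory" records (copied verbatim from this report as constructed input), rebuilds the parent/child tree from the write edges, and flags the persistence footprint seen here, a freshly dropped executable in a non-standard SysWOW64 subdirectory that is registered under Run and accompanied by numeric companion files. The heuristic thresholds in `find_persisted_droppings` are the author's assumptions, not a vendor rule.

```python
"""Parse flattened sandbox signature records and flag the Run-key persistence seen in this report."""
import re
from collections import Counter, defaultdict

SAMPLE = "73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe"

# Constructed input 1: the "Drops file in System32 directory" record, copied from the report.
FILE_CREATED = (
    rf"File created C:\Windows\SysWOW64\BMQEIV\WKE.exe {SAMPLE} "
    rf"File created C:\Windows\SysWOW64\BMQEIV\WKE.004 {SAMPLE} "
    rf"File created C:\Windows\SysWOW64\BMQEIV\WKE.001 {SAMPLE} "
    rf"File created C:\Windows\SysWOW64\BMQEIV\WKE.002 {SAMPLE} "
    rf"File created C:\Windows\SysWOW64\BMQEIV\AKV.exe {SAMPLE}"
)

# Constructed input 2: the "Adds Run key" record; the sandbox doubles backslashes in the value data.
RUN_KEY = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WKE Start '
    r'= "C:\\Windows\\SysWOW64\\BMQEIV\\WKE.exe" WKE.exe'
)

# Constructed input 3: the "WriteProcessMemory" record; the report repeats each parent/child pair four times.
_EDGE = "PID {s} wrote to memory of {d} {s} {sn} {dn} "
WRITES = (
    _EDGE.format(s=2036, d=3048, sn=SAMPLE, dn="WKE.exe") * 4
    + _EDGE.format(s=2036, d=2760, sn=SAMPLE, dn="GalaxiCyber.exe") * 4
    + _EDGE.format(s=2760, d=2892, sn="GalaxiCyber.exe", dn="GalaxiCyber.exe") * 4
)

CREATED_RE = re.compile(r"File created (\S+) (\S+)")
RUN_KEY_RE = re.compile(r'Set value \(str\) (.+?) = "([^"]+)" (\S+)')
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_file_created(text):
    """Return [(path, creating_process)] from a run-together 'File created' record."""
    return CREATED_RE.findall(text)


def parse_run_keys(text):
    """Return [(value_path, target, process)] with the doubled backslashes in the data unescaped."""
    return [(key, data.replace("\\\\", "\\"), proc) for key, data, proc in RUN_KEY_RE.findall(text)]


def parse_write_edges(text):
    """Return (Counter {(writer_pid, target_pid): events}, {pid: image name})."""
    edges, names = Counter(), {}
    for src, dst, src_name, dst_name in WRITE_RE.findall(text):
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        names[src], names[dst] = src_name, dst_name
    return edges, names


def process_tree(edges):
    """Collapse the write edges into parent -> {children}; this deduplicates the repeated events."""
    children = defaultdict(set)
    for src, dst in edges:
        children[src].add(dst)
    return dict(children)


def companion_files(created, exe_path):
    """Numeric-extension files (.001, .002, ...) dropped with the same stem as exe_path."""
    stem = exe_path.lower().rsplit(".", 1)[0]
    exts = set()
    for path, _ in created:
        base, _, ext = path.lower().rpartition(".")
        if base == stem and ext.isdigit():
            exts.add("." + ext)
    return sorted(exts)


def find_persisted_droppings(created, run_keys):
    """Flag Run values whose target was dropped in this run into a subdirectory of SysWOW64.

    Author's heuristic (assumption, not a vendor rule): depth > 3 path components means a
    subdirectory of SysWOW64 rather than a file placed directly in it.
    """
    dropped = {path.lower(): proc for path, proc in created}
    findings = []
    for key, target, proc in run_keys:
        t = target.lower()
        in_syswow64_subdir = "\\syswow64\\" in t and t.count("\\") > 3
        if t in dropped and in_syswow64_subdir:
            findings.append({
                "run_value": key, "target": target, "set_by": proc,
                "dropped_by": dropped[t], "companions": companion_files(created, target),
            })
    return findings


def analyze():
    """Run all three parsers over the constructed records and return the triage summary."""
    created = parse_file_created(FILE_CREATED)
    edges, names = parse_write_edges(WRITES)
    return {
        "tree": process_tree(edges), "names": names, "write_counts": dict(edges),
        "findings": find_persisted_droppings(created, parse_run_keys(RUN_KEY)),
    }


if __name__ == "__main__":
    result = analyze()
    for parent, kids in sorted(result["tree"].items()):
        print(f"{parent} {result['names'][parent]} -> " + ", ".join(f"{k} {result['names'][k]}" for k in sorted(kids)))
    for f in result["findings"]:
        print(f"PERSISTENCE: {f['run_value']} -> {f['target']} (dropped by {f['dropped_by']}, companions {f['companions']})")
```

On this report the script yields the tree 2036 -> {3048, 2760}, 2760 -> {2892} and a single finding for WKE.exe with companions .001, .002 and .004. The same parsers apply to other reports in this format; only the constructed input strings are specific to this sample.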
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run, by size and hash (this export does not give their names):

Filesize: 490KB
MD5: 51b7a820e5252ff5158f0143780fc427
SHA1: 56f3ecebbf3c70a0b2e432395a70cb4d44c618d0
SHA256: 47152ec42883b545842660514c80b62fc76cc47f9449104fe4b473b9c32fb46c
SHA512: 441a6a4ca70e6929989664c4f7c96afb9244ddf106816c8af88363ed15acfd3a95a1a1f6cfb0722a133cfee943a1cc7c424d1c33bf3192eaad5d60bcc7c6c545

Filesize: 61KB
MD5: d02c94d02f324be4517cd570672a38eb
SHA1: af21c078c41fbc66aac65e7afc782d1dfb9684f0
SHA256: c6684fb800ddfaa11070587fc66c613eb96b00bf4534144a747fbc1b711cb965
SHA512: 45dd3aeb10cd17901509dad15c1f3bf941cf1771671ff3cdc7743c790066aaa16c659b511fdf375d4908ab5347f0aa1005e950272ffa9f5f5564ff757e65a685

Filesize: 44KB
MD5: 8e7df9075891cde8051cd8e40eeeddf7
SHA1: 8156fd5804ee054a3160ba7f511134355508b128
SHA256: 30f963b1f86a713a53e6c3b9ec39f339158793e800406d245bfc9565272118d9
SHA512: 56f835ff92fbb41cc6aac150e5a99dfaa6bb0221f7e4e503136d7ee1d29c13d235607498ee5bac84407a9b56af9f895fcfdd5795706d3a9b99d7a69a14c5d780

Filesize: 1KB
MD5: 12c94be3840f29216ccc2ab1d32e2f89
SHA1: a38c5f6b89d134cc5490246f20eb1c7a9c453591
SHA256: 01fab2b20aef20de595e8dd602612ff8fa3a1d41351db8573424af52e8afa9ed
SHA512: 0ff728c6474d4383a49c756067b43fedf3e35cf66596a160fa249119db0e23d26d153e5be0a26aa91de15c708e2ceac97148c5f34736d1e863ae9ef21274885b

Filesize: 266KB
MD5: 9812d923239f680850907fd9ca513b97
SHA1: 34339d754d46f965568c50068b337ba35129db2d
SHA256: 488727b47b76ec2d148bfd13d44f435064673c1cc6b405becf4c7e5805a38f8d
SHA512: 047b6dce1497d1b687086b8166d0f6f8ca5a68ba004afe6725e7b2a1f050ab074920d539fbf33fc4ed2efbc557b33badd2654f144aa52a5bf15aa99035d40528

Filesize: 124KB
MD5: 6655aa9a48888dbfe8177a69ab5971ab
SHA1: 08c18c0ac2229f9b328a0230df4f68b8ec74daa8
SHA256: ca34ccfb2ed7e738b4def9c083f99ade98f6a2a96868894ddd56d35f2631269c
SHA512: 5362d8010e412059961a947da2824fd1374d5ebc03917ccbe621e57e74f75fc2b06771c53b461be20237355eace4c0c19e361f8160bff57eebeece035e6928bc

Filesize: 1.7MB
MD5: 91dcc602af4df48468e5f60724f2e6fb
SHA1: 3f466e5628c80891fc10822f85ac547d461aee6e
SHA256: 6067d9a2efd2176dcfc41db3d20cf6657cce911dba1bd6a08aac55bfea99830d
SHA512: d671d43977fb9a3e892354768c16393edfc7d462226c3986b350b9aa6267751ebf4b4bbb269a4372313befdd26a1edf0927efb14f22f6f1a5706aae87fc2f67a