Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 09:58
Static task: static1
Behavioral task: behavioral1
  Sample: 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
Size: 1.4MB
MD5: 73925ab83867f47654bc3d68b8ca8153
SHA1: 41d917f3566fa677e1c233244622e8cd8edf268e
SHA256: 5540c4308c8d2c0ab691ec58fd7e3925a5ac4aae3600ba28e45db92053edbfc1
SHA512: b75572feed842370f7040af024f997cff41b28b69993acd60ada6901316816aad9af7c65c65e6b8e82eaae823bfe950274655d02fd9db634b2110392c417e1cc
SSDEEP: 24576:tiITmQR/lSUa6UqHiaCi3m2iNlpWyeSy/gnSTeiRRx0axirlRdOhpxqPABcuX/kq:t3TD/xa6U6X332llp6gnCAEpxqPocuvc
Malware Config
Signatures

Ardamax main executable (1 IoCs)
  Processes (resource | yara_rule):
    C:\Windows\SysWOW64\BMQEIV\WKE.exe | family_ardamax
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | GalaxiCyber.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    3440 | WKE.exe
    2732 | GalaxiCyber.exe
    776 | GalaxiCyber.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WKE Start = "C:\\Windows\\SysWOW64\\BMQEIV\\WKE.exe" | WKE.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
    File opened (read-only) | \??\U: | GalaxiCyber.exe
    File opened (read-only) | \??\W: | GalaxiCyber.exe
    File opened (read-only) | \??\A: | GalaxiCyber.exe
    File opened (read-only) | \??\G: | GalaxiCyber.exe
    File opened (read-only) | \??\J: | GalaxiCyber.exe
    File opened (read-only) | \??\M: | GalaxiCyber.exe
    File opened (read-only) | \??\O: | GalaxiCyber.exe
    File opened (read-only) | \??\Q: | GalaxiCyber.exe
    File opened (read-only) | \??\L: | GalaxiCyber.exe
    File opened (read-only) | \??\N: | GalaxiCyber.exe
    File opened (read-only) | \??\V: | GalaxiCyber.exe
    File opened (read-only) | \??\Y: | GalaxiCyber.exe
    File opened (read-only) | \??\Z: | GalaxiCyber.exe
    File opened (read-only) | \??\B: | GalaxiCyber.exe
    File opened (read-only) | \??\H: | GalaxiCyber.exe
    File opened (read-only) | \??\P: | GalaxiCyber.exe
    File opened (read-only) | \??\R: | GalaxiCyber.exe
    File opened (read-only) | \??\T: | GalaxiCyber.exe
    File opened (read-only) | \??\X: | GalaxiCyber.exe
    File opened (read-only) | \??\E: | GalaxiCyber.exe
    File opened (read-only) | \??\I: | GalaxiCyber.exe
    File opened (read-only) | \??\K: | GalaxiCyber.exe
    File opened (read-only) | \??\S: | GalaxiCyber.exe
Drops file in System32 directory (5 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\SysWOW64\BMQEIV\AKV.exe | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
    File created | C:\Windows\SysWOW64\BMQEIV\WKE.exe | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
    File created | C:\Windows\SysWOW64\BMQEIV\WKE.004 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
    File created | C:\Windows\SysWOW64\BMQEIV\WKE.001 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
    File created | C:\Windows\SysWOW64\BMQEIV\WKE.002 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WKE.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GalaxiCyber.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GalaxiCyber.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 776 | GalaxiCyber.exe
    Token: SeCreatePagefilePrivilege | 776 | GalaxiCyber.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    776 | GalaxiCyber.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 2404 wrote to memory of 3440 | 2404 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe | WKE.exe
    PID 2404 wrote to memory of 3440 | 2404 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe | WKE.exe
    PID 2404 wrote to memory of 3440 | 2404 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe | WKE.exe
    PID 2404 wrote to memory of 2732 | 2404 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe | GalaxiCyber.exe
    PID 2404 wrote to memory of 2732 | 2404 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe | GalaxiCyber.exe
    PID 2404 wrote to memory of 2732 | 2404 | 73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe | GalaxiCyber.exe
    PID 2732 wrote to memory of 776 | 2732 | GalaxiCyber.exe | GalaxiCyber.exe
    PID 2732 wrote to memory of 776 | 2732 | GalaxiCyber.exe | GalaxiCyber.exe
    PID 2732 wrote to memory of 776 | 2732 | GalaxiCyber.exe | GalaxiCyber.exe
Processes (process tree; indentation shows parent/child level)

C:\Users\Admin\AppData\Local\Temp\73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe (PID 2404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\BMQEIV\WKE.exe (PID 3440)
    Command line: "C:\Windows\system32\BMQEIV\WKE.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\GalaxiCyber.exe (PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GalaxiCyber.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\~sfx007D620CD0\GalaxiCyber.exe (PID 776)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~sfx007D620CD0\GalaxiCyber.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 64KB
MD5: 3a16ce313f0aedba14943c83ef4a853a
SHA1: e3d635fcf3471a638153e8756da3d3e06cf102f1
SHA256: 0d6943432a32c38e203c1a2eace24145e470b06d9d73bdf3a82a32955124d00d
SHA512: a89b9b75ca9a0556eff3ddfc202ac17e3d78c2a5334b61a1f97d9aa802234b2bbcb43b20fe2440d45c6a742e69a4032cdae5e92e491d1a5b79fe21cdf475ae6a

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 266KB
MD5: 9812d923239f680850907fd9ca513b97
SHA1: 34339d754d46f965568c50068b337ba35129db2d
SHA256: 488727b47b76ec2d148bfd13d44f435064673c1cc6b405becf4c7e5805a38f8d
SHA512: 047b6dce1497d1b687086b8166d0f6f8ca5a68ba004afe6725e7b2a1f050ab074920d539fbf33fc4ed2efbc557b33badd2654f144aa52a5bf15aa99035d40528

Filesize: 124KB
MD5: 6655aa9a48888dbfe8177a69ab5971ab
SHA1: 08c18c0ac2229f9b328a0230df4f68b8ec74daa8
SHA256: ca34ccfb2ed7e738b4def9c083f99ade98f6a2a96868894ddd56d35f2631269c
SHA512: 5362d8010e412059961a947da2824fd1374d5ebc03917ccbe621e57e74f75fc2b06771c53b461be20237355eace4c0c19e361f8160bff57eebeece035e6928bc

Filesize: 490KB
MD5: 51b7a820e5252ff5158f0143780fc427
SHA1: 56f3ecebbf3c70a0b2e432395a70cb4d44c618d0
SHA256: 47152ec42883b545842660514c80b62fc76cc47f9449104fe4b473b9c32fb46c
SHA512: 441a6a4ca70e6929989664c4f7c96afb9244ddf106816c8af88363ed15acfd3a95a1a1f6cfb0722a133cfee943a1cc7c424d1c33bf3192eaad5d60bcc7c6c545

Filesize: 61KB
MD5: d02c94d02f324be4517cd570672a38eb
SHA1: af21c078c41fbc66aac65e7afc782d1dfb9684f0
SHA256: c6684fb800ddfaa11070587fc66c613eb96b00bf4534144a747fbc1b711cb965
SHA512: 45dd3aeb10cd17901509dad15c1f3bf941cf1771671ff3cdc7743c790066aaa16c659b511fdf375d4908ab5347f0aa1005e950272ffa9f5f5564ff757e65a685

Filesize: 44KB
MD5: 8e7df9075891cde8051cd8e40eeeddf7
SHA1: 8156fd5804ee054a3160ba7f511134355508b128
SHA256: 30f963b1f86a713a53e6c3b9ec39f339158793e800406d245bfc9565272118d9
SHA512: 56f835ff92fbb41cc6aac150e5a99dfaa6bb0221f7e4e503136d7ee1d29c13d235607498ee5bac84407a9b56af9f895fcfdd5795706d3a9b99d7a69a14c5d780

Filesize: 1KB
MD5: 12c94be3840f29216ccc2ab1d32e2f89
SHA1: a38c5f6b89d134cc5490246f20eb1c7a9c453591
SHA256: 01fab2b20aef20de595e8dd602612ff8fa3a1d41351db8573424af52e8afa9ed
SHA512: 0ff728c6474d4383a49c756067b43fedf3e35cf66596a160fa249119db0e23d26d153e5be0a26aa91de15c708e2ceac97148c5f34736d1e863ae9ef21274885b

Filesize: 1.7MB
MD5: 91dcc602af4df48468e5f60724f2e6fb
SHA1: 3f466e5628c80891fc10822f85ac547d461aee6e
SHA256: 6067d9a2efd2176dcfc41db3d20cf6657cce911dba1bd6a08aac55bfea99830d
SHA512: d671d43977fb9a3e892354768c16393edfc7d462226c3986b350b9aa6267751ebf4b4bbb269a4372313befdd26a1edf0927efb14f22f6f1a5706aae87fc2f67a