Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 09:58

General

  • Target
    73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
  • Size
    1.4MB
  • MD5
    73925ab83867f47654bc3d68b8ca8153
  • SHA1
    41d917f3566fa677e1c233244622e8cd8edf268e
  • SHA256
    5540c4308c8d2c0ab691ec58fd7e3925a5ac4aae3600ba28e45db92053edbfc1
  • SHA512
    b75572feed842370f7040af024f997cff41b28b69993acd60ada6901316816aad9af7c65c65e6b8e82eaae823bfe950274655d02fd9db634b2110392c417e1cc
  • SSDEEP
    24576:tiITmQR/lSUa6UqHiaCi3m2iNlpWyeSy/gnSTeiRRx0axirlRdOhpxqPABcuX/kq:t3TD/xa6U6X332llp6gnCAEpxqPocuvc

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73925ab83867f47654bc3d68b8ca8153_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\SysWOW64\BMQEIV\WKE.exe
      "C:\Windows\system32\BMQEIV\WKE.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3440
    • C:\Users\Admin\AppData\Local\Temp\GalaxiCyber.exe
      "C:\Users\Admin\AppData\Local\Temp\GalaxiCyber.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\~sfx007D620CD0\GalaxiCyber.exe
        "C:\Users\Admin\AppData\Local\Temp\~sfx007D620CD0\GalaxiCyber.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:776

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    64KB
    MD5
    3a16ce313f0aedba14943c83ef4a853a
    SHA1
    e3d635fcf3471a638153e8756da3d3e06cf102f1
    SHA256
    0d6943432a32c38e203c1a2eace24145e470b06d9d73bdf3a82a32955124d00d
    SHA512
    a89b9b75ca9a0556eff3ddfc202ac17e3d78c2a5334b61a1f97d9aa802234b2bbcb43b20fe2440d45c6a742e69a4032cdae5e92e491d1a5b79fe21cdf475ae6a
  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize
    9KB
    MD5
    7050d5ae8acfbe560fa11073fef8185d
    SHA1
    5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256
    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512
    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
  • C:\Users\Admin\AppData\Local\Temp\GalaxiCyber.exe
    Filesize
    266KB
    MD5
    9812d923239f680850907fd9ca513b97
    SHA1
    34339d754d46f965568c50068b337ba35129db2d
    SHA256
    488727b47b76ec2d148bfd13d44f435064673c1cc6b405becf4c7e5805a38f8d
    SHA512
    047b6dce1497d1b687086b8166d0f6f8ca5a68ba004afe6725e7b2a1f050ab074920d539fbf33fc4ed2efbc557b33badd2654f144aa52a5bf15aa99035d40528
  • C:\Users\Admin\AppData\Local\Temp\~sfx007D620CD0\GalaxiCyber.exe
    Filesize
    124KB
    MD5
    6655aa9a48888dbfe8177a69ab5971ab
    SHA1
    08c18c0ac2229f9b328a0230df4f68b8ec74daa8
    SHA256
    ca34ccfb2ed7e738b4def9c083f99ade98f6a2a96868894ddd56d35f2631269c
    SHA512
    5362d8010e412059961a947da2824fd1374d5ebc03917ccbe621e57e74f75fc2b06771c53b461be20237355eace4c0c19e361f8160bff57eebeece035e6928bc
  • C:\Windows\SysWOW64\BMQEIV\AKV.exe
    Filesize
    490KB
    MD5
    51b7a820e5252ff5158f0143780fc427
    SHA1
    56f3ecebbf3c70a0b2e432395a70cb4d44c618d0
    SHA256
    47152ec42883b545842660514c80b62fc76cc47f9449104fe4b473b9c32fb46c
    SHA512
    441a6a4ca70e6929989664c4f7c96afb9244ddf106816c8af88363ed15acfd3a95a1a1f6cfb0722a133cfee943a1cc7c424d1c33bf3192eaad5d60bcc7c6c545
  • C:\Windows\SysWOW64\BMQEIV\WKE.001
    Filesize
    61KB
    MD5
    d02c94d02f324be4517cd570672a38eb
    SHA1
    af21c078c41fbc66aac65e7afc782d1dfb9684f0
    SHA256
    c6684fb800ddfaa11070587fc66c613eb96b00bf4534144a747fbc1b711cb965
    SHA512
    45dd3aeb10cd17901509dad15c1f3bf941cf1771671ff3cdc7743c790066aaa16c659b511fdf375d4908ab5347f0aa1005e950272ffa9f5f5564ff757e65a685
  • C:\Windows\SysWOW64\BMQEIV\WKE.002
    Filesize
    44KB
    MD5
    8e7df9075891cde8051cd8e40eeeddf7
    SHA1
    8156fd5804ee054a3160ba7f511134355508b128
    SHA256
    30f963b1f86a713a53e6c3b9ec39f339158793e800406d245bfc9565272118d9
    SHA512
    56f835ff92fbb41cc6aac150e5a99dfaa6bb0221f7e4e503136d7ee1d29c13d235607498ee5bac84407a9b56af9f895fcfdd5795706d3a9b99d7a69a14c5d780
  • C:\Windows\SysWOW64\BMQEIV\WKE.004
    Filesize
    1KB
    MD5
    12c94be3840f29216ccc2ab1d32e2f89
    SHA1
    a38c5f6b89d134cc5490246f20eb1c7a9c453591
    SHA256
    01fab2b20aef20de595e8dd602612ff8fa3a1d41351db8573424af52e8afa9ed
    SHA512
    0ff728c6474d4383a49c756067b43fedf3e35cf66596a160fa249119db0e23d26d153e5be0a26aa91de15c708e2ceac97148c5f34736d1e863ae9ef21274885b
  • C:\Windows\SysWOW64\BMQEIV\WKE.exe
    Filesize
    1.7MB
    MD5
    91dcc602af4df48468e5f60724f2e6fb
    SHA1
    3f466e5628c80891fc10822f85ac547d461aee6e
    SHA256
    6067d9a2efd2176dcfc41db3d20cf6657cce911dba1bd6a08aac55bfea99830d
    SHA512
    d671d43977fb9a3e892354768c16393edfc7d462226c3986b350b9aa6267751ebf4b4bbb269a4372313befdd26a1edf0927efb14f22f6f1a5706aae87fc2f67a
  • memory/2732-54-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize
    1.1MB
  • memory/3440-27-0x0000000000780000-0x0000000000781000-memory.dmp
    Filesize
    4KB