Malware Analysis Report

2024-10-18 23:06

Sample ID 240726-v77bhaxblh
Target 750d6651064cdb2ab6d741df8d180830_JaffaCakes118
SHA256 a9a7f2894ba0a13b2e10a3f702c3c67eac469636286e56f44e3bf56633c6ef00
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

a9a7f2894ba0a13b2e10a3f702c3c67eac469636286e56f44e3bf56633c6ef00

Threat Level: Known bad

The file 750d6651064cdb2ab6d741df8d180830_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 17:38

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 17:38

Reported

2024-07-26 21:55

Platform

win7-20240705-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HHW Start = "C:\\Windows\\SysWOW64\\MABWLQ\\HHW.exe" | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Checks installed software on the system

discovery

Drops file in System32 directory

| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.exe | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MABWLQ\ | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.004 | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.001 | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.002 | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe"

C:\Windows\SysWOW64\MABWLQ\HHW.exe

"C:\Windows\system32\MABWLQ\HHW.exe"

C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe

"C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe"

Network

N/A

Files

\Windows\SysWOW64\MABWLQ\HHW.exe

MD5 9a6a50772539f5a61fefa29c34666223
SHA1 b2b8650d817ef7d86bfef48420e9716f0ffdccce
SHA256 93db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b
SHA512 eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed

\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe

MD5 1f8f1049cc68f42bb076b115f5080e8c
SHA1 410f64a187df631980fcdf6103cc09234494b8ad
SHA256 fe98ec45f426733e0fabcbb57c4e729a9a2b8e0e5213f6582a8894fb906def18
SHA512 6669cd4221eb92bfe9b6e772763f970249976d7b2785fefede0ed94b680abda3039323b5feaa986c2820187b76d88aed2997f034aabd0526be09044849945389

C:\Windows\SysWOW64\MABWLQ\HHW.001

MD5 9681d3e1f2c53ad98b8467b3acca33fc
SHA1 04d5d08781f27d6e08ad0262f7325b2be4db7743
SHA256 baecddca15ea6932b9cd4e7f5bae848c3c290660a85c408b898150c6f8fd744e
SHA512 5c6191fb676ace9d1c2ddfd4e98651959ab24b718ab626c343e2bb271d31edd8ba43ed9de528c7832ddcc2137d2424c22bb19f115dc252e1400cfcd3edce2098

memory/2736-22-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Windows\SysWOW64\MABWLQ\HHW.004

MD5 1ee74b56b1078b1901ba0e1f7e48c920
SHA1 99daa6b4d4ee3923ca4e5933d1d56ffa4dc6c4cb
SHA256 0251d1442c517493b55a37a43a7baf2f49933949a4a6e5bdeac2b40579cbb82f
SHA512 e7ca455035b44e3ab55b99428699b6b323cb796de62e5fc7d8d048d51e8dd9ac9533b40adb251f2d24445b95f249d70c637dbdb94dbb6993c71aa996efb7820a

C:\Windows\SysWOW64\MABWLQ\HHW.002

MD5 e65e4bdb2c86226589b88f101153c01b
SHA1 731be43621721dba20f0bb74966ea08043ef37fd
SHA256 e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2
SHA512 7700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd

memory/2892-27-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2892-28-0x0000000000400000-0x000000000049D000-memory.dmp

memory/2736-30-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 17:38

Reported

2024-07-26 21:54

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HHW Start = "C:\\Windows\\SysWOW64\\MABWLQ\\HHW.exe" | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Checks installed software on the system

discovery

Drops file in System32 directory

| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.002 | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.exe | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MABWLQ\ | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.004 | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\MABWLQ\HHW.001 | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MABWLQ\HHW.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\750d6651064cdb2ab6d741df8d180830_JaffaCakes118.exe"

C:\Windows\SysWOW64\MABWLQ\HHW.exe

"C:\Windows\system32\MABWLQ\HHW.exe"

C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe

"C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe"

Network

| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |

Files

C:\Windows\SysWOW64\MABWLQ\HHW.exe

MD5 9a6a50772539f5a61fefa29c34666223
SHA1 b2b8650d817ef7d86bfef48420e9716f0ffdccce
SHA256 93db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b
SHA512 eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed

C:\Windows\SysWOW64\MABWLQ\HHW.004

MD5 1ee74b56b1078b1901ba0e1f7e48c920
SHA1 99daa6b4d4ee3923ca4e5933d1d56ffa4dc6c4cb
SHA256 0251d1442c517493b55a37a43a7baf2f49933949a4a6e5bdeac2b40579cbb82f
SHA512 e7ca455035b44e3ab55b99428699b6b323cb796de62e5fc7d8d048d51e8dd9ac9533b40adb251f2d24445b95f249d70c637dbdb94dbb6993c71aa996efb7820a

C:\Windows\SysWOW64\MABWLQ\HHW.002

MD5 e65e4bdb2c86226589b88f101153c01b
SHA1 731be43621721dba20f0bb74966ea08043ef37fd
SHA256 e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2
SHA512 7700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd

C:\Windows\SysWOW64\MABWLQ\HHW.001

MD5 9681d3e1f2c53ad98b8467b3acca33fc
SHA1 04d5d08781f27d6e08ad0262f7325b2be4db7743
SHA256 baecddca15ea6932b9cd4e7f5bae848c3c290660a85c408b898150c6f8fd744e
SHA512 5c6191fb676ace9d1c2ddfd4e98651959ab24b718ab626c343e2bb271d31edd8ba43ed9de528c7832ddcc2137d2424c22bb19f115dc252e1400cfcd3edce2098

memory/1452-19-0x00000000006E0000-0x00000000006E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NeoBot Keygen.exe

MD5 1f8f1049cc68f42bb076b115f5080e8c
SHA1 410f64a187df631980fcdf6103cc09234494b8ad
SHA256 fe98ec45f426733e0fabcbb57c4e729a9a2b8e0e5213f6582a8894fb906def18
SHA512 6669cd4221eb92bfe9b6e772763f970249976d7b2785fefede0ed94b680abda3039323b5feaa986c2820187b76d88aed2997f034aabd0526be09044849945389

memory/2992-25-0x0000000000650000-0x0000000000651000-memory.dmp

memory/2992-26-0x0000000000400000-0x000000000049D000-memory.dmp