Analysis
  max time kernel: 141s
  max time network: 124s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/08/2024, 00:43

Static task
  static1

Behavioral task
  behavioral1
  Sample: bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task
  behavioral2
  Sample: bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  Size: 1.2MB
  MD5: bdacbaac7288774e1a08e13499f57a06
  SHA1: a492c96808082bfb5aa2fd262e94c8e23c96989d
  SHA256: 5d2fe12230c1823267fa32116975e6d4d61378d60ff795aaf221db1ad2510fe1
  SHA512: 01e0966af6c98c184415436e50b53a04512937e1b666a763bed73e64467193e92d0ff385332f7e1b03904415c8f77835ec021a692f58cce1b9b490b839fb0c77
  SSDEEP: 24576:E0NzTkTxqqlKZF9qnQAmj9nmiuqNiUtSvAHwf3LozYxFekDpqO:E0pTk5lS9qnUj8TqYUnHwPszkg+E
Malware Config
Signatures
Ardamax main executable (1 IoC)
  resource: behavioral2/files/0x000700000002346c-7.dat   yara_rule: family_ardamax
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  PID 3332   SIQ.exe
Loads dropped DLL (2 IoCs)
  PID 3332   SIQ.exe
  PID 4144   NOTEPAD.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SIQ Start = "C:\\Windows\\SysWOW64\\FSHPTR\\SIQ.exe"   SIQ.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (10 IoCs)
  File opened for modification   C:\Windows\SysWOW64\FSHPTR\   SIQ.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\SIQ.009   SIQ.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\Screen_Aug_24_2024__00_44_41.html   SIQ.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\SIQ.002   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\AKV.exe   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\SIQ.exe   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\Screen_Aug_24_2024__00_44_40.jpg   SIQ.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\SIQ.004   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  File created                   C:\Windows\SysWOW64\FSHPTR\SIQ.001   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  File opened for modification   C:\Windows\SysWOW64\FSHPTR\SIQ.009   SIQ.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   SIQ.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   NOTEPAD.EXE
Modifies registry class (1 IoC)
  Key created   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
Opens file in notepad (likely ransom note) (1 IoC)
  PID 4144   NOTEPAD.EXE
The "ransom note" label is the sandbox's generic heuristic for any notepad launch. The file opened here is C:\Users\Admin\AppData\Local\Temp\Install.txt (see the command line under Processes), which for an Ardamax installer is consistent with an installation notice rather than a ransom demand; nothing else in this report points to encryption or extortion.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3332   SIQ.exe
  PID 3332   SIQ.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33                           PID 3332   SIQ.exe
  Token: SeIncBasePriorityPrivilege   PID 3332   SIQ.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3332   SIQ.exe
  PID 3332   SIQ.exe
  PID 3332   SIQ.exe
  PID 3332   SIQ.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4004 wrote to memory of 3332   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe   procid_target 88
  PID 4004 wrote to memory of 3332   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe   procid_target 88
  PID 4004 wrote to memory of 3332   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe   procid_target 88
  PID 4004 wrote to memory of 4144   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe   procid_target 90
  PID 4004 wrote to memory of 4144   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe   procid_target 90
  PID 4004 wrote to memory of 4144   bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe   procid_target 90
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe   PID 4004
      Command line: "C:\Users\Admin\AppData\Local\Temp\bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe"
      - Checks computer location settings
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\FSHPTR\SIQ.exe   PID 3332 (child of 4004)
        Command line: "C:\Windows\system32\FSHPTR\SIQ.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\NOTEPAD.EXE   PID 4144 (child of 4004)
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Install.txt
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Opens file in notepad (likely ransom note)

Note that both children are launched with a "C:\Windows\system32\..." command line but resolve to images under C:\Windows\SysWOW64: the sample is 32-bit (arch:x86 in the resource tags) and is subject to WOW64 file-system redirection, which is also why its Run key lands under SOFTWARE\WOW6432Node rather than SOFTWARE. Hunts for the persistence entry and the FSHPTR directory should cover both views.
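The Signatures and Processes sections together describe a small set of host artifacts: an installer running from %TEMP% that creates a new subdirectory under SysWOW64, a Run key whose value launches an executable from that subdirectory, and a list of dropped files with known hashes. The following is an added example, not code from the original report or from the sandbox vendor, showing how those observations turn into host-hunting checks. It runs two behavioural checks over a handful of Sysmon-style events constructed here to mirror the report (the two benign events are invented for contrast), plus a hash-set lookup against SHA-256 values taken from the Downloads section. The Sysmon field names (EventID, Image, TargetObject, Details, TargetFilename) are real, but the event dictionaries are hand-built, not captured telemetry. The generalisation made in the checks goes a little beyond this one sample: any Run entry pointing into a subdirectory of System32/SysWOW64, and any %TEMP%-resident binary writing there, is treated as suspicious regardless of the directory name.

```python
"""Turn the sandbox report's IoCs into host-hunting checks (added example)."""
import hashlib
import re

# Run key under either hive view. The report shows the WOW6432Node copy, as
# expected for a 32-bit sample under WOW64. Sysmon spells the hive HKLM\...,
# the report spells it \REGISTRY\MACHINE\...; accept both.
RUN_KEY_RE = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)
# A path inside a *subdirectory* of System32/SysWOW64 (e.g. ...\SysWOW64\FSHPTR\SIQ.exe).
# Legitimate Run entries almost never point there, and user-land installers
# almost never create files there.
SYSDIR_SUBDIR_RE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# SHA-256 of three of the dropped files listed under Downloads in the report.
KNOWN_DROPPED_SHA256 = {
    "3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea",  # 1 B
    "65478b0bded54534eb7e1241a8da267c57b55c3da90adce2880c04b861c6ddc9",  # 484 KB
    "0f86eb289dc6b99c7560607e4e8e84b134515cee05becae947056026bfd21844",  # 1.7 MB
}

# Constructed Sysmon-style events mirroring the report's process tree and IoCs.
EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\FSHPTR\SIQ.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\SysWOW64\FSHPTR\SIQ.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SIQ Start",
     "Details": r"C:\Windows\SysWOW64\FSHPTR\SIQ.exe"},
    # Benign contrast (constructed): an ordinary Run entry pointing at Program Files.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    # Benign contrast (constructed): a system binary writing under System32.
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\x.dat"},
]


def check_run_key(event):
    """EID 13: Run-key value whose data launches something from a System32 subdir."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.match(event.get("TargetObject", "")):
        return None
    target = event.get("Details", "").strip().strip('"')
    if SYSDIR_SUBDIR_RE.match(target):
        return f"run_key_to_sysdir_subdir: {event['TargetObject']} -> {target}"
    return None


def check_sysdir_drop(event):
    """EID 11: a %TEMP%-resident binary creating files in a System32/SysWOW64 subdir."""
    if event.get("EventID") != 11:
        return None
    if SYSDIR_SUBDIR_RE.match(event.get("TargetFilename", "")) and \
            USER_TEMP_RE.match(event.get("Image", "")):
        return f"sysdir_drop_from_temp: {event['Image']} -> {event['TargetFilename']}"
    return None


def hunt(events):
    """Return the alert strings raised over an iterable of events, in event order."""
    alerts = []
    for ev in events:
        for check in (check_sysdir_drop, check_run_key):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


def sha256_hit(data: bytes) -> bool:
    """True if the bytes hash to one of the dropped-file SHA-256s from the report."""
    return hashlib.sha256(data).hexdigest() in KNOWN_DROPPED_SHA256


if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
    # The 1-byte artifact under Downloads has the hashes of the single ASCII byte "e".
    print("1B artifact matched:", sha256_hit(b"e"))
```

Run against the constructed events, the two malicious ones (the drop into SysWOW64\FSHPTR from %TEMP% and the Run key pointing back into it) each raise one alert and the two benign ones raise none. The hash lookup is exact-match only; the report's SSDEEP value would be the input for a fuzzy match, which this example deliberately does not attempt.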
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1B
  MD5: e1671797c52e15f763380b45e841ec32
  SHA1: 58e6b3a414a1e090dfc6029add0f3555ccba127f
  SHA256: 3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea
  SHA512: 87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c

  Filesize: 484KB
  MD5: 4f60429f20ac507bb61cb45998a73847
  SHA1: c094a508b75c7c9a83cb04cd1fa9a547ab87fded
  SHA256: 65478b0bded54534eb7e1241a8da267c57b55c3da90adce2880c04b861c6ddc9
  SHA512: e5f879e4e21051d91f7bf88e77dbbf1c288d595988d55a13ef703e242094e8a762c3262200cf478d55ac91d12cefcdd176646cffaf88439313d8e44b12c5fa91

  Filesize: 57KB
  MD5: 3d651fa5a97b20252ca2ec495a864fb9
  SHA1: d7b3ec70914daaae30982d8a17f3e9b984b23acf
  SHA256: c37a75bd098084ad0c19b67f48989288933359a9ebc8ce421d4e14cd17c18a0a
  SHA512: 7010b951812c2707089393fe2110a7d55fe08a45d91ff09792f8fde1cad0f69787c4fc292cbf690d37411dbd434d19cabfb57be2aa97df3efb67f670be4913d8

  Filesize: 61KB
  MD5: 0d52ec4abb6e5055a153d97eab5bc2da
  SHA1: f01f83ac6741d9d53aa43501d456c5b003746fe9
  SHA256: 845e34cf0373b2e959d3d27cfe09d858283dd6a4b335014c3b82e4af1161b321
  SHA512: 5876e5a0401d9520678e733fc89147d6a6d7ef5bf6f8dbbb59276c79f8cf57301a49b3c20861a5696ee36337d6b151c32c3be2abcdb2990301bf0c616ff0be19

  Filesize: 43KB
  MD5: fab6c7c9f60f3a391f22754e221ba23f
  SHA1: b885a44fa6a8d6c0f08069f202527de1e93d460e
  SHA256: 11c28e015fb748bf664203c92288252a90aa7119079094d5fed17bc6ebfc803b
  SHA512: 86c368b8d542ec4dde120effcdac80a03118b8296188f3e09dde81883903b6a51a1bb6b981d394e05ff21bdc1cdcda125a427bfdb76aa209e706a58666e342bb

  Filesize: 1KB
  MD5: 2ddff30336bc233d0a0e575688949bf9
  SHA1: 448fe7cb45214c96f7faa6134db5dbcc984059d0
  SHA256: 0ec43fb4f2b6a4488b99b0ec4b5a0f03722477ca02983b3d6ffbc195d3bae703
  SHA512: a6f832282879a82b47493d191b85619b6be0d6d37de818ea92d64d804952add90cbce184866bbfc1812898f0d377750eb3ac56979a9573d556d6fd050c8fd7d8

  Filesize: 1.7MB
  MD5: cfeee152a39c265c34b5163548f8c59b
  SHA1: 5807f521bf8c48e8fb0abb657b6df7d21a533dc4
  SHA256: 0f86eb289dc6b99c7560607e4e8e84b134515cee05becae947056026bfd21844
  SHA512: b50eafbade678e6a29dcae61e6eb251bcbc26d25427adf313aa7eb654de710d48236f1749e59cd0b19e28967b26a37bde364e584853b9b7f007d89c999d08ecd