Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/09/2024, 06:27 UTC
Static task
static1
Behavioral task
behavioral1
Sample
d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe
-
Size
597KB
-
MD5
d3befbf53dd7ed84b5540d223e86884d
-
SHA1
cab90d480c0ff4705400e660cf0d6513252a477d
-
SHA256
ace69a47deb73ba1524da0bb81aba94c6f426a72639cc09eef529989a0c30eac
-
SHA512
39b0b744a7a92b14177c6d981202e1749976e1ca95d4e1176fae8e9df789cf58adbb5f436e7679c3cce167f25991fb518b7b557785822243308779a96f080c42
-
SSDEEP
12288:wbzUzGD2qYtRIvzf0jbch/Cz3s7kKH/HgJUN3ApupVnG1DJy:wbzUzRqiIvzf0vyKA7kRJonnG1Jy
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral1/files/0x000700000001739a-22.dat family_ardamax -
Executes dropped EXE 2 IoCs
pid Process 2468 renungan.exe 2656 SCLG.exe -
Loads dropped DLL 13 IoCs
pid Process 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 2468 renungan.exe 2468 renungan.exe 2468 renungan.exe 2468 renungan.exe 2468 renungan.exe 2468 renungan.exe 2656 SCLG.exe 2656 SCLG.exe 2656 SCLG.exe 2656 SCLG.exe 2656 SCLG.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCLG Agent = "C:\\Windows\\SysWOW64\\28463\\SCLG.exe" SCLG.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\28463\AKV.exe renungan.exe File opened for modification C:\Windows\SysWOW64\28463 SCLG.exe File created C:\Windows\SysWOW64\28463\SCLG.001 renungan.exe File created C:\Windows\SysWOW64\28463\SCLG.006 renungan.exe File created C:\Windows\SysWOW64\28463\SCLG.007 renungan.exe File created C:\Windows\SysWOW64\28463\SCLG.exe renungan.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language renungan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SCLG.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2656 SCLG.exe Token: SeIncBasePriorityPrivilege 2656 SCLG.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2656 SCLG.exe 2656 SCLG.exe 2656 SCLG.exe 2656 SCLG.exe 2656 SCLG.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1796 wrote to memory of 2468 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 31 PID 1796 wrote to memory of 2468 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 31 PID 1796 wrote to memory of 2468 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 31 PID 1796 wrote to memory of 2468 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 31 PID 1796 wrote to memory of 2468 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 31 PID 1796 wrote to memory of 2468 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 31 PID 1796 wrote to memory of 2468 1796 d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe 31 PID 2468 wrote to memory of 2656 2468 renungan.exe 32 PID 2468 wrote to memory of 2656 2468 renungan.exe 32 PID 2468 wrote to memory of 2656 2468 renungan.exe 32 PID 2468 wrote to memory of 2656 2468 renungan.exe 32 PID 2468 wrote to memory of 2656 2468 renungan.exe 32 PID 2468 wrote to memory of 2656 2468 renungan.exe 32 PID 2468 wrote to memory of 2656 2468 renungan.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\renungan.exe"C:\Users\Admin\AppData\Local\Temp\renungan.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\28463\SCLG.exe"C:\Windows\system32\28463\SCLG.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2656
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395KB
MD5adbec81b510dcfe49835f95940ef961d
SHA177940f6e46fbd5f53de23bd49afe9172470769d0
SHA256466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95
SHA512ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7
-
Filesize
394B
MD5fd7a5e7c9e583dc950b4e9c4a280dc06
SHA1f74385d69d240cc85a19f1d24679e150c8c17599
SHA256dc8b3f83a99a1af7d517c26505823e265121f9c4c40a55cf4c68b64d86aeeca5
SHA512016e37281ef36077d2cc27c9848ee8397395cdff7da7e90ada9b10e6d19decf2c034d69982cb2dab69676cd4b0b0070afa068859070eb2995ad446cd6d0fe104
-
Filesize
8KB
MD5f5eff4f716427529b003207d5c953df5
SHA179696d6c8d67669ea690d240ef8978672e3d151c
SHA256ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde
SHA5125a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf
-
Filesize
5KB
MD5bc75eddaa64823014fef0fe70bd34ffc
SHA115cd2ace3b68257faed33c78b794b2333eab7c0a
SHA2569eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d
SHA51220db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa
-
Filesize
4KB
MD513e10cd76f11d6cb43182dcba7370171
SHA1e6b8ce329e49ff09f1cb529c60fc466cb9a579c8
SHA256f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5
SHA512ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8
-
Filesize
480KB
MD5f7438819e47e4397ab4486463e0cdf8a
SHA1584a31f107b738f7000289363c114b41ee31cc30
SHA256ed70effb65019ecfb36bf65086d71be49352a4822aa12d9f0a4721c900703d4f
SHA5123cb9817491b5544c1cb99e1342b2bb78676fb82681a25530358fadc4a6f598f70361dcfd94256277e304d37aefdd6ebb48d4289b6c6683f344657ec8c3d1532c
-
Filesize
473KB
MD53c90d45b1c004e86a7f7a7a340f1abc8
SHA110602c450bcbda2735dc036f2e399646f0c64f4c
SHA256f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c
SHA51285457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1