Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 17:36

General

  • Target

    d6cda39f0c27fe2976a3435ca02b0a34_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    d6cda39f0c27fe2976a3435ca02b0a34

  • SHA1

    cc90eb5c7507ecc4d010ae56b91fe15562e5b812

  • SHA256

    6fbe324be0a3456f9b1353b600eb84b770d0bb72910891cc8dcb2949b2b0d2b8

  • SHA512

    48b3ef4663e90fd2cd65052fc63b1cebc4bdb20d891cf3be7fc01c961052b233a071c925ef13d3e4e352e21dd01a98174489220f3eba1264e486e8264945e6d4

  • SSDEEP

    49152:OoTiWSeLWmD74CqUOiJkvSBRS5DS1I/2iWSUPW/J98ZmneEEdKF:yWSwF74CPR8S1KKScWnNe

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6cda39f0c27fe2976a3435ca02b0a34_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d6cda39f0c27fe2976a3435ca02b0a34_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\FHDQFH\WKK.exe
      "C:\Windows\system32\FHDQFH\WKK.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2396
    • C:\Users\Admin\AppData\Local\Temp\ZIGMA.exe
      "C:\Users\Admin\AppData\Local\Temp\ZIGMA.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\SysWOW64\28463\HGYI.exe
        "C:\Windows\system32\28463\HGYI.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:448
      • C:\Users\Admin\AppData\Local\Temp\WinAPIOverride32.exe
        "C:\Users\Admin\AppData\Local\Temp\WinAPIOverride32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@66A9.tmp

    Filesize

    4KB

    MD5

    ccf39f70a662f70e7cae4cfc81255c44

    SHA1

    00177d41252c2a5322be8e54567a845217072e2c

    SHA256

    4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

    SHA512

    2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

  • C:\Users\Admin\AppData\Local\Temp\WinAPIOverride32.exe

    Filesize

    503KB

    MD5

    7975e2b7413be8642d941c399b92e583

    SHA1

    8493e5887977759f4fcb9b2198a971e3740908b1

    SHA256

    30186e1c7583454a3b32c36498b317c62725df5c945d9e58eef1502ece851f82

    SHA512

    03b9f7494d5c943b4f3eb83f94033406a7909b3204c34b8a33bfc5adcc70c1863697730dd6269c8f8e7209c10911777170b6cc7079fcdd81017acc68d5bfd0f5

  • C:\Users\Admin\AppData\Local\Temp\ZIGMA.exe

    Filesize

    1.0MB

    MD5

    200696efa2e50135693f17043bd1c429

    SHA1

    f5bcec8943f6468d1455548b5ad5e292bc070756

    SHA256

    0eb14d1432f786a5bde6196c1820c735df508e6cd5acadd4682993e69f11dd84

    SHA512

    b26a9ce9b86b5f8c69058db1f1f00811a0b6396f85721e9cebfe66c8c2cd6c0a0c61eee2b7d09d01ad50be95ea730dd5f3144090197776a9c3b73661f68e81b9

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    457KB

    MD5

    828586f5f9fd7e6bd99401fe7cece954

    SHA1

    8eb70f4af2cec3c3dd3ec1491913369e99b7b874

    SHA256

    02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

    SHA512

    16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

  • C:\Windows\SysWOW64\28463\HGYI.001

    Filesize

    450B

    MD5

    b343ee4e32095fe980d6d3eb34c0652c

    SHA1

    0863c9e8c13e883a21a84fb52f6eca31c2554163

    SHA256

    62d014827da7993230409cd660e939cb45c699e0657e1cd367667b04bea64574

    SHA512

    ed544631a7ee1318d791c86a8e2ee1f8cf436c79c72a998fe6b486f852f67aa6c6d07232778c6b31a5a7dd2a6b2c819b584caec3afdf317cd64519b5e5039d32

  • C:\Windows\SysWOW64\28463\HGYI.006

    Filesize

    8KB

    MD5

    69db8c925f2dd8136d956a086ed1ee41

    SHA1

    9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

    SHA256

    984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

    SHA512

    fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

  • C:\Windows\SysWOW64\28463\HGYI.007

    Filesize

    5KB

    MD5

    9e9da4c851850726c789bb4b94a41bb3

    SHA1

    1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

    SHA256

    94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

    SHA512

    4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

  • C:\Windows\SysWOW64\28463\HGYI.exe

    Filesize

    648KB

    MD5

    c5ca2c96edc99cf9edf0f861d784209a

    SHA1

    6cb654b3eb20c85224a4849c4cc30012cabbdbaa

    SHA256

    0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

    SHA512

    aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

  • C:\Windows\SysWOW64\28463\key.bin

    Filesize

    106B

    MD5

    639d75ab6799987dff4f0cf79fa70c76

    SHA1

    be2678476d07f78bb81e8813c9ee2bfff7cc7efb

    SHA256

    fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

    SHA512

    4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

  • C:\Windows\SysWOW64\FHDQFH\AKV.exe

    Filesize

    463KB

    MD5

    eb916da4abe4ff314662089013c8f832

    SHA1

    1e7e611cc6922a2851bcf135806ab51cdb499efa

    SHA256

    96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

    SHA512

    d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

  • C:\Windows\SysWOW64\FHDQFH\WKK.001

    Filesize

    61KB

    MD5

    425ff37c76030ca0eb60321eedd4afdd

    SHA1

    7dde5e9ce5c4057d3db149f323fa43ed29d90e09

    SHA256

    70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

    SHA512

    ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

  • C:\Windows\SysWOW64\FHDQFH\WKK.002

    Filesize

    43KB

    MD5

    12fb4f589942682a478b7c7881dfcba2

    SHA1

    a3d490c6cda965708a1ff6a0dc4e88037e0d6336

    SHA256

    4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

    SHA512

    dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

  • C:\Windows\SysWOW64\FHDQFH\WKK.004

    Filesize

    1KB

    MD5

    dfd373ce425b56a7eba0a9f5905e5b5d

    SHA1

    2ce58545a6ddd16df8e90b20cceedcc3e9a4de7c

    SHA256

    1c7e190415ded8b752f2167ecda5b4e438fcd18e5f557d1091feb30c3b7bafdb

    SHA512

    59b1020ebbbb18b10b709e2c9a024f88e9292971347dd8ee5a04cc3e53fa0f9c34d00829c023fbc9d16a4934a7a70dd4288d8beba55c3280490187de80d1c806

  • C:\Windows\SysWOW64\FHDQFH\WKK.exe

    Filesize

    1.5MB

    MD5

    f8530f0dfe90c7c1e20239b0a7643041

    SHA1

    3e0208ab84b8444a69c8d62ad0b81c4186395802

    SHA256

    734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

    SHA512

    5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

  • memory/448-45-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/448-69-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/448-72-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2396-24-0x0000000000620000-0x0000000000621000-memory.dmp

    Filesize

    4KB