Analysis
max time kernel: 142s
max time network: 153s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-09-2024 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
Size: 1.4MB
MD5: dca974dd704022af9c3adfdfb42007b0
SHA1: 7b0c9fbcc5ae0fcca3b0a53030819df7c6dfd546
SHA256: c4099ac3f5861b0c6d227c389f5597cffb64dc340a9d79e50eba457745203d8c
SHA512: 3a92bd8c403652859177deb60af54f5965ce5d1088a99fc4c72c1c4bcd0857f6a5c3edfbf336be8293442fa5a962670218ce556b0ff03429c1484373b5f21175
SSDEEP: 24576:XrHV4SGPDx+SccjcZ3nxQc/aJoSlDZciA0GLlH2DLfbtdhvXijBqBVYq:uSqNkcSQc/aJfl1cbLlWJzvSNqBV/
Malware Config
Extracted
Protocol: ftp
Host: ftp.drivehq.com
Port: 21
Username: dhiliph
Signatures
Ardamax main executable (1 IoC)
  resource | yara_rule
  behavioral1/files/0x0006000000018b62-13.dat | family_ardamax
Executes dropped EXE (1 IoC)
  pid | Process
  2744 | system32SQSR.exe
Loads dropped DLL (1 IoC)
  pid | Process
  2716 | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32SQSR Agent = "C:\\Windows\\system32SQSR.exe" | system32SQSR.exe
  Note: the persisted binary is C:\Windows\system32SQSR.exe, a file in the Windows root whose name merely begins with "system32"; it does not live under C:\Windows\system32\. The Run value is written under HKLM (Wow6432Node), so the persistence is machine-wide.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32SQSR.009 | system32SQSR.exe
  File created | C:\Windows\Sep_12_2024__17_01_03.jpg | system32SQSR.exe
  File created | C:\Windows\system32SQSR.001 | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  File created | C:\Windows\system32SQSR.007 | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  File created | C:\Windows\system32SQSR.exe | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  File created | C:\Windows\system32AKV.exe | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  File created | C:\Windows\system32SQSR.009 | system32SQSR.exe
  File created | C:\Windows\system32SQSR.006 | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  File created | C:\Windows\system32SQSR.009.tmp | system32SQSR.exe
  File created | C:\Windows\Sep_12_2024__17_00_03.jpg | system32SQSR.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32SQSR.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2888 | vlc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2888 | vlc.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: 33 | 2744 | system32SQSR.exe
  Token: SeIncBasePriorityPrivilege | 2744 | system32SQSR.exe
  Token: 33 | 2640 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2640 | AUDIODG.EXE
  Token: 33 | 2640 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2640 | AUDIODG.EXE
  Token: 33 | 2888 | vlc.exe
  Token: SeIncBasePriorityPrivilege | 2888 | vlc.exe
Suspicious use of FindShellTrayWindow (10 IoCs)
  pid | Process
  2744 | system32SQSR.exe (1 event)
  2888 | vlc.exe (9 events)
Suspicious use of SendNotifyMessage (9 IoCs)
  pid | Process
  2744 | system32SQSR.exe (1 event)
  2888 | vlc.exe (8 events)
Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  2744 | system32SQSR.exe (4 events)
  2888 | vlc.exe (1 event)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2716 wrote to memory of 2744 | 2716 | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe | 29 (4 events)
  PID 2716 wrote to memory of 2888 | 2716 | dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe | 30 (4 events)
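The signatures above expose an install chain a behavioural trace shows directly: the sample writes system32SQSR.exe plus a set of numbered companion files (.001, .006, .007, .009) into the root of C:\Windows, the dropped binary registers itself under the machine-wide Run key, and it then writes timestamped .jpg files to the same directory. The Python below is an added example, not part of the sandbox report and not Ardamax code, that correlates file-creation and Run-key events into that chain. The trace it parses is constructed here from the report's own IoC rows in a simplified text form (not the sandbox's export format), with two benign events added to show what is not flagged; the "ardamax_like" flag is a heuristic derived from this report's observations, not a vendor signature.

```python
"""Correlate sandbox file and Run-key events into a dropper -> dropped binary
-> self-persistence chain.  Added example; the event text format is a
constructed simplification of the report's "description ioc Process" rows."""
import re
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    kind: str       # "file_created" or "run_key_set"
    target: str     # created file path, or the binary the Run value launches
    process: str    # image name of the process that performed the action
    key: str = ""   # full registry key path (Run-key events only)


# Constructed trace modelled on the IoC rows above; the notepad.exe and
# OneDrive lines are benign noise added to show what the correlation ignores.
SAMPLE_TRACE = r"""
File created C:\Windows\system32SQSR.001 dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created C:\Windows\system32SQSR.007 dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created C:\Windows\system32SQSR.exe dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created C:\Windows\system32AKV.exe dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created C:\Windows\system32SQSR.006 dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created C:\Windows\Sep_12_2024__17_00_03.jpg system32SQSR.exe
File created C:\Windows\system32SQSR.009 system32SQSR.exe
File created C:\Windows\system32SQSR.009.tmp system32SQSR.exe
File created C:\Windows\Sep_12_2024__17_01_03.jpg system32SQSR.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32SQSR Agent = "C:\\Windows\\system32SQSR.exe" system32SQSR.exe
File created C:\Users\Admin\AppData\Local\Temp\readme.txt notepad.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe" OneDrive.exe
"""

FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+)$")
RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*\\CurrentVersion\\Run\\.+?)'
    r' = "(?P<data>[^"]+)" (?P<proc>\S+)$'
)
# .001/.006/.007/.009 and .009.tmp style companions next to the dropped EXE
NUMBERED_EXT = re.compile(r"\.\d{3}(\.tmp)?$")
# Mon_DD_YYYY__HH_MM_SS.jpg, the naming of the images written in this run
TIMESTAMPED_JPG = re.compile(r"\\[a-z]{3}_\d{1,2}_\d{4}__\d{2}_\d{2}_\d{2}\.jpg$")


def parse_trace(text: str) -> List[Event]:
    """Parse the constructed trace. Paths containing spaces are not handled
    (none of the report's rows have any)."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            events.append(Event("file_created", m["path"], m["proc"]))
            continue
        m = RUN_RE.match(line.strip())
        if m:
            # the report shows the value data with escaped backslashes
            data = m["data"].replace("\\\\", "\\")
            events.append(Event("run_key_set", data, m["proc"], m["key"]))
    return events


def find_install_chains(events: List[Event]) -> List[Dict]:
    """One finding per Run value whose target was created during the run."""
    dropped_by: Dict[str, str] = {}   # lower-cased path -> lower-cased creator
    for e in events:
        if e.kind == "file_created":
            dropped_by[e.target.lower()] = e.process.lower()

    findings: List[Dict] = []
    for e in events:
        if e.kind != "run_key_set":
            continue
        binary = e.target.lower()
        dropper = dropped_by.get(binary)
        if dropper is None:
            continue   # Run entry points at a pre-existing file: not a drop chain
        stem = binary.rsplit(".", 1)[0]
        companions = sorted(
            p for p in dropped_by if p.startswith(stem + ".") and NUMBERED_EXT.search(p)
        )
        images = sorted(
            p for p, proc in dropped_by.items()
            if proc == e.process.lower() and TIMESTAMPED_JPG.search(p)
        )
        # C:\Windows\<name>: the Windows root, not C:\Windows\system32\
        in_windows_root = binary.startswith("c:\\windows\\") and binary.count("\\") == 2
        self_persist = e.process.lower() == binary.rsplit("\\", 1)[-1]
        findings.append({
            "binary": e.target,
            "dropped_by": dropper,
            "persisted_by": e.process,
            "machine_wide": e.key.upper().startswith("\\REGISTRY\\MACHINE\\"),
            "in_windows_root": in_windows_root,
            "self_persist": self_persist,
            "companions": companions,
            "timestamped_images": images,
            # heuristic derived from this report, not a vendor signature
            "ardamax_like": in_windows_root and self_persist and len(companions) >= 2,
        })
    return findings


if __name__ == "__main__":
    for finding in find_install_chains(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The correlation deliberately keys on the relationship between events rather than on the file name: a Run value pointing at a binary that did not exist before the run, written by a different process, that then writes its own companion files. Renaming system32SQSR.exe would not defeat it, whereas a hash or path match on any of the IoCs above would miss the next build.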
Processes
C:\Users\Admin\AppData\Local\Temp\dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe (PID 2716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32SQSR.exe (PID 2744)
    Command line: "C:\Windows\system32SQSR.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  Child: C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2888)
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Vodafone Full (Zekty.com).mp3"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    Note: the dropper opens an MP3 from its own Temp directory in VLC while system32SQSR.exe installs; the player activity is what the user sees, and the vlc.exe and AUDIODG.EXE signatures below it are side effects of playback, not of the malware itself.
C:\Windows\system32\AUDIODG.EXE (PID 2640)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x498
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1022KB
  MD5: caa7d3978e8d9096243fe1f99e11bc52
  SHA1: a021ab0e865581e0fbfb271472235f3a35342290
  SHA256: 87285bd09d1292eb94e582bb612bbb4a442ed96745424bab1223819ca3255031
  SHA512: f7bf01bbf9721296c10dd76769398993dd48821b9856aa983cf5b0e5e6658226a09edbfe1f873cd32c13e4ebbe82c74216c29120712f50b6ae967253c8985fc8
- Filesize: 612B
  MD5: 0856b21b923ff4a4164bf970a7614aeb
  SHA1: ef0b5cbd7ff727757d0ea908a12bc2bc7a67eac1
  SHA256: 220a26314ac62d730ed00487e5e0b9e103e2cf4cd02170706906a912f5461687
  SHA512: 657cb9105e9025e5391498e09289a9c219cb6df13aaa77af7d276bc76397a1cc7926eb51df845b99658a0176f11ac8f8ce9aa542db8fa74714eb131e8c9af3eb
- Filesize: 7KB
  MD5: 87ccf7eb039971590aac6f254b2c788a
  SHA1: 3095496ffd364b32cdbe63ba4dd2f477fd848515
  SHA256: 59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b
  SHA512: d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2
- Filesize: 75KB
  MD5: d1fc5eea5c8d9ae874c1cd9a01881e41
  SHA1: 1ee75c9a7e6d49ee87e883156c48d0abab4bdda2
  SHA256: 6e9c368c972caf1060fe0feea653876e5a601fdc48a51dde45cd37befb72f325
  SHA512: eea8808babf3301b85c14a836bb6bc49f8199946d325060cfb0bfe472f285fb9d4baeeaae7fbd0c4d140806f8664b560e92e417c650af01b80e91b080da940a5
- Filesize: 471KB
  MD5: 912c55621b4c3f0fb2daef5b4f4f5f4c
  SHA1: 735701c75569b7563950508afc8948b52e7bf4b2
  SHA256: 41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0
  SHA512: 65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05
- Filesize: 4KB
  MD5: b7ea0bc4bb833ab77dce179f16039c14
  SHA1: b05cc205aa6ffc60a5316c1d5d3831def5a60c20
  SHA256: e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba
  SHA512: 5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652