Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 11:49
Static task
static1
Behavioral task
behavioral1
Sample
e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
e4b62f938d7ef21a01827925502d554a
-
SHA1
211d0fa951c33282c9fa591b9c07ff4072946327
-
SHA256
8689b0d900885e1c0fcd93116833bb94cd8acc9c26760b5e29f7945ae34f2c4d
-
SHA512
a062898e9fbfd609626b62e2d96a9f594ccd8422f084d8f78d3aae038037c444780bb8dda8b67edbad4862f0e657567dd351e931ef32b5a203189a8bebe0dafc
-
SSDEEP
24576:DZxTLS3rBXO6bIw3Rl5VwuF2YSKFMyWVjXVusS/R1iAKpX:DXTLS3VXO0AGZ3a1VbO/R1
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral2/files/0x00070000000233de-8.dat family_ardamax -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2120 MCK.exe -
Loads dropped DLL 1 IoCs
pid Process 2120 MCK.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MCK Start = "C:\\Windows\\SysWOW64\\KHYQSO\\MCK.exe" MCK.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\KHYQSO\MCK.004 e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe File created C:\Windows\SysWOW64\KHYQSO\MCK.001 e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe File created C:\Windows\SysWOW64\KHYQSO\MCK.002 e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe File created C:\Windows\SysWOW64\KHYQSO\AKV.exe e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe File created C:\Windows\SysWOW64\KHYQSO\MCK.exe e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\KHYQSO\ MCK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MCK.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2120 MCK.exe Token: SeIncBasePriorityPrivilege 2120 MCK.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2120 MCK.exe 2120 MCK.exe 2120 MCK.exe 2120 MCK.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1368 wrote to memory of 2120 1368 e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe 83 PID 1368 wrote to memory of 2120 1368 e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe 83 PID 1368 wrote to memory of 2120 1368 e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e4b62f938d7ef21a01827925502d554a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\KHYQSO\MCK.exe"C:\Windows\system32\KHYQSO\MCK.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2120
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request92.12.20.2.in-addr.arpaIN PTRResponse92.12.20.2.in-addr.arpaIN PTRa2-20-12-92deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request92.12.20.2.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request240.143.123.92.in-addr.arpaIN PTRResponse240.143.123.92.in-addr.arpaIN PTRa92-123-143-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
25.140.123.92.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
138 B 131 B 2 1
DNS Request
92.12.20.2.in-addr.arpa
DNS Request
92.12.20.2.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
240.143.123.92.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
MD51f29b1075a91b3da0ccc0b9c49eece56
SHA1048e675f087181035aedece9e7b11d065c6355cc
SHA2564f6825548b32329c3360ed9abb7c0a6809a2c2291cf0bcaac511a9fa32a6336e
SHA5127e152caf055f57f599ecc1e3a404b540b721b3315d2ba16bff6eb21f03edeb3a06ae185621e3139293612d94210f500f098bd281489ca7f336efd8b5284ee060
-
Filesize
61KB
MD531c866d8e4448c28ae63660a0521cd92
SHA10e4dcb44e3c8589688b8eacdd8cc463a920baab9
SHA256dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1
SHA5121076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839
-
Filesize
43KB
MD5093e599a1281e943ce1592f61d9591af
SHA16896810fe9b7efe4f5ae68bf280fec637e97adf5
SHA2561ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009
SHA51264cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc
-
Filesize
1KB
MD55cd533d8c016b1026dffcd8771a3e728
SHA19f43cbc36e04d95b39c4be09c0fcb3fbedb42170
SHA256b0ac5f55ee2c1e6ceecf95415945c9c0aec7808944c1df48520c656101ca54e0
SHA512d39cdf11a8855b19c3a4b3a86a55aeb58d3a88db072f18752d783dec698b7eb9103fa09548f084e7e1688809de1a6c9337cea90b5793fa67b80e4e0bad42ebb0
-
Filesize
1.5MB
MD50aaffc12ef1b416b9276bdc3fdec9dff
SHA19f38d7cf6241d867da58f89db9ff26544314b938
SHA25642b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b
SHA512bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c