Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
18-09-2024 02:18
Static task
static1
Behavioral task
behavioral1
Sample
e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
e8235f369bed9d092bda176cd5fd7466
-
SHA1
02ac1c6604fc55b4478534f3020041c53a725eb2
-
SHA256
20e69215971cd1615920e55183b2186794a81322a44086c3582ef7e820ad533a
-
SHA512
3cafcc573ff0b9e87ccc0f85cf07228c5610fa23caf7b554512ac1aad8aa2633a3ca956964295123be7505e253c7ba9bb9a80567bb673b6caf9f2921a49d9f1c
-
SSDEEP
24576:dzwTT6VrDtLzW/nQI/ZH65X78Dr2YWIsdP9+FhIMoYTL/rI2GSF:dz+TqrDFW/nQ/uDCEsdG6M9TLM7
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral1/files/0x000600000001924a-6.dat family_ardamax -
Executes dropped EXE 1 IoCs
pid Process 2628 GKK.exe -
Loads dropped DLL 4 IoCs
pid Process 2024 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe 2628 GKK.exe 2680 DllHost.exe 2024 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GKK Start = "C:\\Windows\\SysWOW64\\ENUJXA\\GKK.exe" GKK.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 8 IoCs
description ioc Process File created C:\Windows\SysWOW64\ENUJXA\GKK.004 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe File created C:\Windows\SysWOW64\ENUJXA\GKK.001 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe File created C:\Windows\SysWOW64\ENUJXA\GKK.002 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe File created C:\Windows\SysWOW64\ENUJXA\AKV.exe e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe File created C:\Windows\SysWOW64\ENUJXA\GKK.exe e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ENUJXA\ GKK.exe File created C:\Windows\SysWOW64\ENUJXA\GKK.008 GKK.exe File opened for modification C:\Windows\SysWOW64\ENUJXA\GKK.008 GKK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GKK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2628 GKK.exe 2628 GKK.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2628 GKK.exe Token: SeIncBasePriorityPrivilege 2628 GKK.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2680 DllHost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2628 GKK.exe 2628 GKK.exe 2628 GKK.exe 2628 GKK.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2024 wrote to memory of 2628 2024 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe 30 PID 2024 wrote to memory of 2628 2024 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe 30 PID 2024 wrote to memory of 2628 2024 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe 30 PID 2024 wrote to memory of 2628 2024 e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\ENUJXA\GKK.exe"C:\Windows\system32\ENUJXA\GKK.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2680
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD57704bedbb1885b07b82e1007b9f3e968
SHA10a3b4f7ec84ae18d303b0aee8aa56edd6370bbd6
SHA2567c7db85af38b44ede7e15010690bbb6909c946a7f423b288c1ea8057cc249941
SHA51243a2dd4188d2a1b67edfc366056dce1cb28389658c9eeeb2666d0ef57e9ca866c166c11c2464012369c7f8767aeb428623aa0c44711d1d2811d6f7061389d480
-
Filesize
485KB
MD542150775d201a85ebc379d21aa253f85
SHA1fccd7df34e16abaf8d55935016cdb15df8041e06
SHA25600206ccef9ee8da111cc547c698b7e61736b328de48ac5c307d05f2921ef0b9c
SHA5124ff3c587a8d88e319acb028829c75ecb3e11c16a62ba9c2090720613c51c6555af698ba8ff75672b405602f196ed1b99dbeb9395bae62aac2140fa31600b36e0
-
Filesize
61KB
MD59681d3e1f2c53ad98b8467b3acca33fc
SHA104d5d08781f27d6e08ad0262f7325b2be4db7743
SHA256baecddca15ea6932b9cd4e7f5bae848c3c290660a85c408b898150c6f8fd744e
SHA5125c6191fb676ace9d1c2ddfd4e98651959ab24b718ab626c343e2bb271d31edd8ba43ed9de528c7832ddcc2137d2424c22bb19f115dc252e1400cfcd3edce2098
-
Filesize
44KB
MD5e65e4bdb2c86226589b88f101153c01b
SHA1731be43621721dba20f0bb74966ea08043ef37fd
SHA256e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2
SHA5127700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd
-
Filesize
1KB
MD5dcd582e0797b4f2f986af7d49bb81a6e
SHA1733f946842bfca54fd36b980ac4f663f0a5140aa
SHA256db61e08b0df8d0ec562ddf22679b01d0c95b9e8f1cc7a677c7701c709898595d
SHA5120de2a2fe282429593966e7ec5f9963abf02ffeb4e9118d65b90949e1199c0495e8b9de4d24730c5940cbe02d8813fa97dde013a9d04126d194915e437c7be3f2
-
Filesize
458B
MD54c124cda2262488e26de5d63a79c4825
SHA102bcd356e48330c3570c1a608aa926f3870b5fa9
SHA256e9aac31dddc303403269d1113e0ef4c1a02a828af926728623b52c98f002fdb6
SHA51208528c077749899e8635b18c2279ed415948f425daeab1c0906cdd81b5576ee50fa3ffe247a685b40ab56979dee6be31092aa6b366998c3b245b9ea080e5e28f
-
Filesize
1.7MB
MD59a6a50772539f5a61fefa29c34666223
SHA1b2b8650d817ef7d86bfef48420e9716f0ffdccce
SHA25693db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b
SHA512eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed