Analysis

  • max time kernel
    125s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 20:41

General

  • Target

    ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe

  • Size

    918KB

  • MD5

    ec28a285eb7c0022f021064a9e73ae40

  • SHA1

    bd06a5ca5a43d66614b5ef55344e2a8b4aed5048

  • SHA256

    45a05078e555fb489807bbd1e3df8f49d7004bfc0a374c45aa8c3d8953af1f9f

  • SHA512

    83f3a62e385ea1185e0cf54d11e5a0ea3c71a19bfa8e6c218dd4e62d971f8961ccc908d9a49828a2107943bb7c8e2d3caafa4d68d67a60ece63038d6467bcc2a

  • SSDEEP

    24576:uHvZTDDE81u3rrl+YKvMqARUfrEvIzcSVKYYgQQh/SCqvoqU0bg0kW:eBTD5s33IXvMqkUfc+cSAa96U0

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\SysWOW64\MRPVRK\RTL.exe
      "C:\Windows\system32\MRPVRK\RTL.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1500
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8
    1⤵
      PID:4572

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.143.123.92.in-addr.arpa
      IN PTR
      Response
      240.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-240.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      216.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      216.143.123.92.in-addr.arpa
      IN PTR
      Response
      216.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-216.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      25.140.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.140.123.92.in-addr.arpa
      IN PTR
      Response
      25.140.123.92.in-addr.arpa
      IN PTR
      a92-123-140-25.deploy.static.akamaitechnologies.com
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      240.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      240.143.123.92.in-addr.arpa

    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      19.229.111.52.in-addr.arpa

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      216.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      216.143.123.92.in-addr.arpa

    • 8.8.8.8:53
      25.140.123.92.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      25.140.123.92.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\MRPVRK\RTL.001

      Filesize

      61KB

      MD5

      34c92b717ae97bc926f56ba56a44f24a

      SHA1

      ccaf3c6bf0c73564d0bf19c92b8d25008ffffbfa

      SHA256

      6e60d85b35f5e9222375f606e4116b38364a4a943596ddb0d914cf1cf4791774

      SHA512

      2a9eb63837db128c9e036976d903ebd925e6952ab6bf4efa0e370e79f9fefe0ed6e44e4ab444f56ace1149f4dd14797f568e8827e7cebd1e5581dcf309f9745a

    • C:\Windows\SysWOW64\MRPVRK\RTL.002

      Filesize

      43KB

      MD5

      246761f047f6aa98d6eaad66a2f883b9

      SHA1

      42474a5b23d03e094103b62fd7e820457cf807c4

      SHA256

      3774021a3cdf32d23fd5921cea4de8c26b08f0d601f3097550a7e8af7b00f111

      SHA512

      d39d0913975ca2f8d585b72667d76de09ce7817f6de26ef21a8b62edc25d7fab39785f036992d19ca5700f5fc2ee377e696142c41529f23f503e8eefff393144

    • C:\Windows\SysWOW64\MRPVRK\RTL.004

      Filesize

      1KB

      MD5

      6b5a1c04478fb9bb2f4e5ea559553d20

      SHA1

      bbab85e6699ae17ef62e7c19bb76849b7bf59a25

      SHA256

      1a39a19570c64ca6521f7c3a7b5067e6c7dcfdabdf7d388652e6860317f9b48b

      SHA512

      d878a13897cba3805e95ecdf8eb43937386045086cd6ab2fb6cc3bff5c3487e8e41ec9ff9d7d20b9ed38156ecf515c5b85e54815b2ce8637972780130599bc87

    • C:\Windows\SysWOW64\MRPVRK\RTL.exe

      Filesize

      1.5MB

      MD5

      9ab9b7b74790b7bb2798dd2b26f4a913

      SHA1

      e8ffa981a0149aa6441dcb0dd42f7baf6eb773a2

      SHA256

      df1c8d608ebd300889cf21c3bda6d5dd2574d68e1f530cc5a885449a22177a75

      SHA512

      ffffe21d8cc244aacaaba2eb13cc77ad800a196ecf6f77637a8a1f6d456cabb8331970ab358ab21dcf9832343379b4f0486da3990d45eb2f2765e55b7404739e

    • memory/1500-15-0x00000000005B0000-0x00000000005B1000-memory.dmp

      Filesize

      4KB
