Analysis
max time kernel: 66s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29-09-2024 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
Size: 1.0MB
MD5: ff87c346af525e2d84b797d6c1aae5e7
SHA1: 4ed733f35f027d56bfae661f4c48cc38a95c8cbf
SHA256: 77a65648073afb27ceb84694efe9265ae3b283988db704ecbe538b018b08ff14
SHA512: f389031260c39a49cf98e7340a3d1871c2edd96a2822d39f6cd80abbe4958b8d211d6ae564fdfa6710a8b62b628b04ceda6395d2f6ce405596900ce83bc7db6d
SSDEEP: 24576:fU4oTd2MFLCxoGPKDub/nI6d3Qzd/HXpvPY3pP:fULTd2WQ3znPgzV9PO
Malware Config
Signatures
Ardamax main executable (1 IoCs)
  resource: behavioral1/files/0x0005000000018663-5.dat, yara_rule: family_ardamax
Executes dropped EXE (1 IoCs)
  pid: 2372, Process: KRB.exe
Loads dropped DLL (2 IoCs)
  pid: 2260, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
  pid: 2372, Process: KRB.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRB Start = "C:\\Windows\\PEVMFP\\KRB.exe", Process: KRB.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Windows directory (5 IoCs)
  description: File created, ioc: C:\Windows\PEVMFP\KRB.exe, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
  description: File opened for modification, ioc: C:\Windows\PEVMFP\, Process: KRB.exe
  description: File created, ioc: C:\Windows\PEVMFP\KRB.004, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
  description: File created, ioc: C:\Windows\PEVMFP\KRB.001, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
  description: File created, ioc: C:\Windows\PEVMFP\KRB.002, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: KRB.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cmd.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: 33, pid: 2372, Process: KRB.exe
  description: Token: SeIncBasePriorityPrivilege, pid: 2372, Process: KRB.exe
  description: Token: SeIncBasePriorityPrivilege, pid: 2372, Process: KRB.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid: 2372, Process: KRB.exe
  pid: 2372, Process: KRB.exe
  pid: 2372, Process: KRB.exe
  pid: 2372, Process: KRB.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2260 wrote to memory of 2372, pid: 2260, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe, procid_target: 29
  description: PID 2260 wrote to memory of 2372, pid: 2260, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe, procid_target: 29
  description: PID 2260 wrote to memory of 2372, pid: 2260, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe, procid_target: 29
  description: PID 2260 wrote to memory of 2372, pid: 2260, Process: ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe, procid_target: 29
  description: PID 2372 wrote to memory of 952, pid: 2372, Process: KRB.exe, procid_target: 30
  description: PID 2372 wrote to memory of 952, pid: 2372, Process: KRB.exe, procid_target: 30
  description: PID 2372 wrote to memory of 952, pid: 2372, Process: KRB.exe, procid_target: 30
  description: PID 2372 wrote to memory of 952, pid: 2372, Process: KRB.exe, procid_target: 30
Processes
C:\Users\Admin\AppData\Local\Temp\ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe (level 1, PID 2260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\PEVMFP\KRB.exe (level 2, PID 2372, child of PID 2260)
    Command line: "C:\Windows\PEVMFP\KRB.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3, PID 952, child of PID 2372)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\PEVMFP\KRB.exe > nul
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60KB
MD5: a15c556f17d7db8287e023138942d5db
SHA1: 880bf8ec944120830dc2e2e040e5996e4e0e6c83
SHA256: f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e
SHA512: 930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Filesize: 43KB
MD5: daabecdfba287a3333b60ae82211acd7
SHA1: e67b4c7bf0dd71ad47263a58bb60be4bce504b84
SHA256: 12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173
SHA512: 937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Filesize: 1KB
MD5: 552f0e44ef070d229192ec395ae2ba3c
SHA1: b8d60002a0055fde19ce0d7baeb12698fb837b44
SHA256: baeeb7c02516440613eb183893763785d054297caeb5bd2ad21e71d164d3de0f
SHA512: 64ed0ac1869f8e5c66f7d49fe0b8bc9246bee21ac7cc7955f4bb74d456c0c7605d3a36c889b0812424742f232410af1b7502cc7095c0bd0c43a3b959eb1d4472

Filesize: 1.7MB
MD5: f3819a6cab8ae058254c4abb3844d87e
SHA1: 0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b
SHA256: 3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9
SHA512: dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57