ardamax | 5c8e54a9bd23efffb06d37ca7864339d1c6406063bbd6b4e65939347d987d9f0

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
Size

1.2MB
MD5

fea41fed8bb977e1934ab64351189601
SHA1

c1da96deb2fed5acc14051dec31c552922b08a16
SHA256

5c8e54a9bd23efffb06d37ca7864339d1c6406063bbd6b4e65939347d987d9f0
SHA512

61160d902711075a018195bd467f9ee64dbe37b583cd2a587b7f114f9ee196b02cdacf6988c743cae9aa9263d54becbfbb19bd3118041cbfec80c99fdf93b981
SSDEEP

24576:Ej9p+CRObLIr9PUAPZIrRzVNVgUaXxazeq8zL+MYpVvqkjmxIVW0it4:uOWmrRzVNVgpBeMaMEv3x

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida vmprotect

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001941e-33.dat	family_ardamax

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	speed.exe

Executes dropped EXE 3 IoCs

pid	Process
2012	Install.exe
1260	EQYA.exe
2332	speed.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe

Loads dropped DLL 18 IoCs

pid	Process
1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
2012	Install.exe
2012	Install.exe
2012	Install.exe
2012	Install.exe
2012	Install.exe
2012	Install.exe
1260	EQYA.exe
1260	EQYA.exe
1260	EQYA.exe
1260	EQYA.exe
1260	EQYA.exe
1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
2332	speed.exe
2332	speed.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1288-0-0x0000000000400000-0x00000000004AB000-memory.dmp	themida
behavioral1/memory/1288-56-0x0000000000400000-0x00000000004AB000-memory.dmp	themida

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2332-55-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect
behavioral1/files/0x0008000000019023-54.dat	vmprotect
behavioral1/memory/2332-57-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect
behavioral1/memory/2332-83-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EQYA Agent = "C:\\Windows\\SysWOW64\\28463\\EQYA.exe"	EQYA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	EQYA.exe
File created	C:\Windows\SysWOW64\28463\EQYA.001	Install.exe
File created	C:\Windows\SysWOW64\28463\EQYA.006	Install.exe
File created	C:\Windows\SysWOW64\28463\EQYA.007	Install.exe
File created	C:\Windows\SysWOW64\28463\EQYA.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQYA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	speed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Kills process with taskkill 30 IoCs

evasion

pid	Process
2844	taskkill.exe
988	taskkill.exe
2704	taskkill.exe
2952	taskkill.exe
2764	taskkill.exe
2620	taskkill.exe
2900	taskkill.exe
1056	taskkill.exe
3036	taskkill.exe
1480	taskkill.exe
2308	taskkill.exe
2820	taskkill.exe
924	taskkill.exe
1380	taskkill.exe
1036	taskkill.exe
2896	taskkill.exe
2716	taskkill.exe
2948	taskkill.exe
1648	taskkill.exe
2200	taskkill.exe
2360	taskkill.exe
2680	taskkill.exe
2880	taskkill.exe
2120	taskkill.exe
548	taskkill.exe
2284	taskkill.exe
608	taskkill.exe
2184	taskkill.exe
2872	taskkill.exe
3004	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	speed.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://h1.ripway.com/buscador/BuscadorTotal.htm"	speed.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
628	reg.exe
1976	reg.exe
1584	reg.exe
2160	reg.exe
2136	reg.exe
808	reg.exe
1804	reg.exe
2836	reg.exe
2564	reg.exe
2168	reg.exe
2168	reg.exe
2928	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: 33	1260	EQYA.exe
Token: SeIncBasePriorityPrivilege	1260	EQYA.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
1260	EQYA.exe
1260	EQYA.exe
1260	EQYA.exe
1260	EQYA.exe
1260	EQYA.exe
2332	speed.exe
2332	speed.exe
2332	speed.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1036	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1036	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1036	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1036	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	30
PID 1288 wrote to memory of 988	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	31
PID 1288 wrote to memory of 988	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	31
PID 1288 wrote to memory of 988	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	31
PID 1288 wrote to memory of 988	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	31
PID 1288 wrote to memory of 1096	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	33
PID 1288 wrote to memory of 1096	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	33
PID 1288 wrote to memory of 1096	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	33
PID 1288 wrote to memory of 1096	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	33
PID 1288 wrote to memory of 2184	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	35
PID 1288 wrote to memory of 2184	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	35
PID 1288 wrote to memory of 2184	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	35
PID 1288 wrote to memory of 2184	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	35
PID 1288 wrote to memory of 2896	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2896	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2896	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2896	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2704	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	39
PID 1288 wrote to memory of 2704	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	39
PID 1288 wrote to memory of 2704	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	39
PID 1288 wrote to memory of 2704	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	39
PID 1288 wrote to memory of 2308	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	40
PID 1288 wrote to memory of 2308	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	40
PID 1288 wrote to memory of 2308	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	40
PID 1288 wrote to memory of 2308	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	40
PID 1288 wrote to memory of 2716	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	42
PID 1288 wrote to memory of 2716	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	42
PID 1288 wrote to memory of 2716	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	42
PID 1288 wrote to memory of 2716	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	42
PID 1288 wrote to memory of 2820	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	43
PID 1288 wrote to memory of 2820	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	43
PID 1288 wrote to memory of 2820	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	43
PID 1288 wrote to memory of 2820	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	43
PID 1288 wrote to memory of 2836	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	45
PID 1288 wrote to memory of 2836	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	45
PID 1288 wrote to memory of 2836	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	45
PID 1288 wrote to memory of 2836	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	45
PID 1288 wrote to memory of 2952	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	47
PID 1288 wrote to memory of 2952	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	47
PID 1288 wrote to memory of 2952	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	47
PID 1288 wrote to memory of 2952	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	47
PID 1288 wrote to memory of 2764	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	48
PID 1288 wrote to memory of 2764	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	48
PID 1288 wrote to memory of 2764	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	48
PID 1288 wrote to memory of 2764	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	48
PID 1288 wrote to memory of 2948	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	49
PID 1288 wrote to memory of 2948	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	49
PID 1288 wrote to memory of 2948	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	49
PID 1288 wrote to memory of 2948	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	49
PID 1288 wrote to memory of 2620	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	50
PID 1288 wrote to memory of 2620	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	50
PID 1288 wrote to memory of 2620	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	50
PID 1288 wrote to memory of 2620	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	50
PID 1288 wrote to memory of 2872	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	52
PID 1288 wrote to memory of 2872	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	52
PID 1288 wrote to memory of 2872	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	52
PID 1288 wrote to memory of 2872	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	52
PID 1288 wrote to memory of 2900	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	53
PID 1288 wrote to memory of 2900	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	53
PID 1288 wrote to memory of 2900	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	53
PID 1288 wrote to memory of 2900	1288	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	53

C:\Users\Admin\AppData\Local\Temp\fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1096
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2012
- - C:\Windows\SysWOW64\28463\EQYA.exe
    "C:\Windows\system32\28463\EQYA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1508
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:892
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1316
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2168
- C:\Users\Admin\AppData\Local\Temp\speed.exe
  "C:\Users\Admin\AppData\Local\Temp\speed.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of SetWindowsHookEx
  PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-85201430311277572171875832938-13247637979613113831769892556672761666809946729"
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\speed.exe

Filesize
92KB

MD5
984817a1a887e3b4abae7cce7c2e4641

SHA1
512ef98793ad6bae6b1c9ebf3b2011ed33713b31

SHA256
e2547b707c3f2fec79b073ebf3a4f1a52b573282c7a6be63e9d735480ce5ee70

SHA512
41378cf1975620ece0cbfc746b3fcffdff58e1cde8623e17c1e10f37794ce3e10eaa164c1e46da497280958a4a4cdd2738e29fc8c1cb2355a75ffe5ae7a99d00

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\EQYA.001

Filesize
506B

MD5
4be124e2f06e43d07bf39f1033320d3d

SHA1
116c5b6a9d1f2e4e472572a86fdf2b29848045ea

SHA256
78a5794091da44542b1baddf969db0cd36515e7f7f8ad8a54e1c2fdf259a717a

SHA512
059ce782b64693c09930b05ef7c4162f93108ad8585a5ee94d46a3e13e4844831a56a3442b047c7163d3a9fa88831e34fa21c79252a0ffe6f1eed3d5c864d9ae

Download Submit
C:\Windows\SysWOW64\28463\EQYA.exe

Filesize
472KB

MD5
7ca78f42e7c88f01fb7fd88321b283ff

SHA1
8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

SHA256
2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

SHA512
06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

Download Submit
\Users\Admin\AppData\Local\Temp\@C4B6.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
478KB

MD5
a99947c273f98e555e39836f3577f59e

SHA1
3ef998600835c3ebefc7b24dff9ec7f24e19a407

SHA256
28da14cea71f419fa9f2110d46f08da1df00b76bfaffaaaa5857bc7373831dcc

SHA512
8d21be01cb913cc3627eb7cbee6011cf146b40945d8ef5afae1878aa62ebbfac37f4e0a703cde13368f983f01fcc7109f9aa86546fd344e882fabd7a7bbb8dae

Download Submit
\Windows\SysWOW64\28463\EQYA.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
\Windows\SysWOW64\28463\EQYA.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
memory/1288-0-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1288-56-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1288-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1288-53-0x0000000004600000-0x000000000462E000-memory.dmp

Filesize
184KB

Download
memory/1288-52-0x0000000004600000-0x000000000462E000-memory.dmp

Filesize
184KB

Download
memory/1288-62-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2332-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2332-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2332-83-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads