Analysis
- max time kernel: 136s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-10-2024 03:05
Static task: static1
Behavioral task: behavioral1
- Sample: 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
- Size: 619KB
- MD5: 720dc8dc0fd07fe46ca5b4a737dd7b0c
- SHA1: 60991bb5c57b2273edf5a73acc55f83c92e4b1d4
- SHA256: ea856536cefde9ab373b1b47ed8f99648c758af7481aabbf516d78e89e13469d
- SHA512: a86ef98d6512c2e5d2e32267d701ad3dcf025d33c05fa90ed7c838d4d1137f0cc7bcc08bfd6f05eb7110c13004101142e24fb1e4fa92f386612ad390fdca495d
- SSDEEP: 12288:CnKHhWzSiTC+GwJ9C78A1wG9bIcNCq32TNpMcf9Y01xrTJZRxHXq:7hWzlxHK1webIcDSYoxdx6
Malware Config
Signatures
-
- Ardamax main executable (1 IoC)
  YARA rule family_ardamax matched on: C:\Windows\SysWOW64\Sys\HSRD.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
    by 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  PID 5100 HSRD.exe
- Loads dropped DLL (4 IoCs)
  PID 3476 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe (1 event)
  PID 5100 HSRD.exe (3 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSRD Agent = "C:\\Windows\\SysWOW64\\Sys\\HSRD.exe"
    by HSRD.exe
  The value lands under WOW6432Node because HSRD.exe is a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run through WOW64 registry redirection. When hunting for this persistence on a 64-bit host, check both the native Run key and the WOW6432Node view.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\Sys\AKV.exe by 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
  File opened for modification: C:\Windows\SysWOW64\Sys by HSRD.exe
  File created: C:\Windows\SysWOW64\Sys\HSRD.001 by 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\HSRD.006 by 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\HSRD.007 by 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\HSRD.exe by 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by HSRD.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 by PID 5100 HSRD.exe (the sandbox reports the raw privilege LUID; 33 is SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege, in winnt.h)
  Token: SeIncBasePriorityPrivilege by PID 5100 HSRD.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 5100 HSRD.exe (5 events). SetWindowsHookEx is the standard way a user-mode keylogger installs a keyboard hook, which fits the family_ardamax match above.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3476 (720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe) wrote to the memory of PID 5100 (HSRD.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe"
  PID: 3476
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\Sys\HSRD.exe
    Command line: "C:\Windows\system32\Sys\HSRD.exe"
    PID: 5100
    The command line names system32 while the image path is SysWOW64: the dropper is a 32-bit process, so WOW64 file-system redirection sends its system32 writes and launches to SysWOW64. On a 64-bit host look for the payload under C:\Windows\SysWOW64\Sys, not C:\Windows\System32\Sys.
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
-
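The behavioural signatures above (executable dropped into a subfolder of the system directory, a Run value pointing at that file, and a Geo\Nation lookup before anything else happens) are the chain a detection engineer would want to match as a unit rather than as three unrelated alerts. The following is an added example written for this page, not the sandbox's own code or an Ardamax tool: a small rule that consumes behavioural events in the shape listed above and flags that chain. The event tuple layout (operation, target, process, data) is this example's own assumption, the sample events are transcribed from the IoCs in the report, and the benign event list is constructed to show the rule does not fire on an ordinary Run entry. The path normaliser also folds the WOW64 redirect noted in the process tree, so a command line that says system32 matches a drop event that says SysWOW64.

```python
import re

# Constructed sample events transcribed from the report's IoCs.
# Tuple layout (operation, target, process, data) is an assumption of this
# example, not the sandbox's export format.
SAMPLE_EVENTS = [
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation",
     "720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe", None),
    ("File created", r"C:\Windows\SysWOW64\Sys\AKV.exe",
     "720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe", None),
    ("File created", r"C:\Windows\SysWOW64\Sys\HSRD.001",
     "720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe", None),
    ("File created", r"C:\Windows\SysWOW64\Sys\HSRD.exe",
     "720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe", None),
    # Run value data as the sandbox prints it: quoted, backslashes escaped.
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSRD Agent",
     "HSRD.exe", r'"C:\\Windows\\SysWOW64\\Sys\\HSRD.exe"'),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     "HSRD.exe", None),
]

# Constructed benign events: an installer registering its own Run entry
# under Program Files, with no drop into the system directory.
BENIGN_EVENTS = [
    ("File created", r"C:\Program Files\Example\updater.exe", "setup.exe", None),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example Updater",
     "setup.exe", r'"C:\\Program Files\\Example\\updater.exe"'),
]

# An .exe created one folder below the system directory (after folding).
SYSTEM_DIR_DROP = re.compile(r"^c:\\windows\\%sysdir%\\[^\\]+\\[^\\]+\.exe$")
# Run key in either the native or the WOW6432Node view; group 1 is the value name.
RUN_KEY = re.compile(r"\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)


def normalize_path(raw):
    """Canonical form for comparing paths: strip quotes, collapse escaped
    backslashes, lower-case, and fold System32/SysWOW64 into one token so
    that a 32-bit process's system32 command line matches the SysWOW64
    location where WOW64 file-system redirection actually put the file."""
    p = raw.strip().strip('"').replace("\\\\", "\\").lower()
    return re.sub(r"^c:\\windows\\(?:system32|syswow64)\\", r"c:\\windows\\%sysdir%\\", p)


def analyze(events):
    """Correlate the three behaviours into one finding and return the evidence."""
    dropped = set()          # executables dropped under the system directory
    run_targets = {}         # normalized Run value target -> Run value name
    geo_lookup = False
    language_lookup = False
    for op, target, _process, data in events:
        if op == "File created":
            path = normalize_path(target)
            if SYSTEM_DIR_DROP.match(path):
                dropped.add(path)
        elif op.startswith("Set value") and data is not None:
            m = RUN_KEY.search(target)
            if m:
                run_targets[normalize_path(data)] = m.group(1)
        elif op == "Key value queried" and target.lower().endswith(r"\control panel\international\geo\nation"):
            geo_lookup = True
        elif op == "Key opened" and target.lower().endswith(r"\control\nls\language"):
            language_lookup = True
    # Persistence only counts when the Run target is one of the dropped files.
    persisted = sorted(p for p in dropped if p in run_targets)
    return {
        "dropped_exes": sorted(dropped),
        "run_entries": {run_targets[p]: p for p in persisted},
        "geo_lookup": geo_lookup,
        "language_lookup": language_lookup,
        "suspect": bool(persisted) and geo_lookup,
    }


if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, analyze(evs))
```

The rule deliberately keys persistence on the intersection of dropped files and Run targets, not on either alone: a Run value by itself is how every updater behaves, and a file in a SysWOW64 subfolder by itself is how many 32-bit installers behave. The Geo\Nation query is kept as a separate boolean so the analyst can see the geofence check even when the persistence half is missing.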
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 729fe329c303837d61fc42b2120afc00
  SHA1: a0bdee5733e4820a7abb630014bba43200d27324
  SHA256: ad2d3f261425139733e8f8a28b5b1cd1000d570eec994093efd0dc17fed35fac
  SHA512: c61292b1ae57abc3926a0d912ee14ceb7031e5d1f5bde14b62c1cb65894e964e004365d6c8140511aa92bb39b1a09264c2501bb99299007b7bfa9aa58a28f67f
- Filesize: 389KB
  MD5: fcd92ab43a3ac19ca060a0b4d62ef5f1
  SHA1: 099cc5f1ec71cc73c23471dcc98543a54e008e2a
  SHA256: 3dfb79f950f069047d89110fc28fefd9d4856e7112f40bda2ccc0daa0d94b53a
  SHA512: d1a317db049cfa16b2b5259d85b22d3fd3563e210a13bdf6d8eee12a665899f77c3b226b252a80ae1b68538dfb8ecf8561f06f428b5dd4ef96c5c8b37aa0bf21
- Filesize: 444B
  MD5: 8732ea77e2251727cd1e4803f85e89d6
  SHA1: 15a0919c843f1ff8bea6f5f797baf2b4c76a3d20
  SHA256: 617c1c24cdcb8b75b0328cdccc566f209342da1e4750ad4b31217d384450a5a0
  SHA512: b0901832e77ce8866726b6c6c7b8e63da1184fd5c10a49ad04b456d3d68616d546c71081e469bee022c9bf96dee83f1ca8e1d740a2aba906eaad583a9ca5ed7f
- Filesize: 7KB
  MD5: ab65e5da8d42c6b4e855e82c9696b3ad
  SHA1: fb4cb29ee8b5277eaa432b18582c58d8f383b0df
  SHA256: 5a139a73799eb0c43dc65f4ad5004596751a01f3be7bab1e69a1ee0daaa607a4
  SHA512: 7d37b9efb2bae212015eb5e55ad11d579b66dfd0d2aa9614b0e225d4b0dedd705bfaabcb9eb887ec2274c812e8a4af587aef4c62ee3d8a73dbf54f15c8aba16a
- Filesize: 5KB
  MD5: cb619d0de6d26ae77e2ca1766d995272
  SHA1: 454725f63828e04b10f8e99c5374e86c407665ca
  SHA256: ad657781b4e5c666461811fbd4b08ea689dc6953ea5e79f47ca72bdc99789121
  SHA512: 8bbd39817f3f3ae13dca07c233f1889a08a86e3ba353a455cad3e9a9fee81eda9d91cf20122dfc79725d69f97f5f8b163c97d2b8c38bb53aa4b9f6e32f7f6a59
- Filesize: 476KB
  MD5: b306ff9927251c40c34fe6bfef07756b
  SHA1: 8d6975fc095b7a96393d61a63fb610d71931666a
  SHA256: 65083234a079905c3b945cb178388dc287c2521ef59817885f1cc2e522a68db7
  SHA512: 08e633e2d43f13cb748f67378a777cc124f693815f63ed5a3a64ad2ebe11001145a01f83d9d3bddc0f9f590677ee6bcfeabeb5a259b10b426344961e333b3996