Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2024 09:56
Static task
static1
Behavioral task
behavioral1
Sample
73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
-
Size
543KB
-
MD5
73335537220bdfd701774177b09d94b0
-
SHA1
000c2db050d7d04567ca5150f52b85c484dc3aa0
-
SHA256
fcb5a8b669aed84a2c97f1f2b3a90981f1a7701bc99e56409942d9aceef58da6
-
SHA512
8753209bc479b0baea8ebd56c4041eda93f3ff9417ee2eca6998113ddc98386fb767bcb3f1540014de544cdd94d1b5c26456faa4875b8458c82bcd104222643e
-
SSDEEP
12288:OIZsut4Cfk1B3Cb1KX4GKaOxYP3uA0JQiIBPrCeKIekAYn09+i:MuCCM1BCwXyaGyIQlJ2ws3
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x0007000000023cc5-12.dat family_ardamax -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
73335537220bdfd701774177b09d94b0_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
Processes:
DGYR.exepid Process 4884 DGYR.exe -
Loads dropped DLL 1 IoCs
Processes:
73335537220bdfd701774177b09d94b0_JaffaCakes118.exepid Process 244 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
DGYR.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DGYR Agent = "C:\\Windows\\SysWOW64\\74638\\DGYR.exe" DGYR.exe -
Drops file in System32 directory 5 IoCs
Processes:
73335537220bdfd701774177b09d94b0_JaffaCakes118.exedescription ioc Process File created C:\Windows\SysWOW64\74638\DGYR.001 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe File created C:\Windows\SysWOW64\74638\DGYR.006 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe File created C:\Windows\SysWOW64\74638\DGYR.007 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe File created C:\Windows\SysWOW64\74638\DGYR.exe 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe File created C:\Windows\SysWOW64\74638\AKV.exe 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
73335537220bdfd701774177b09d94b0_JaffaCakes118.exeDGYR.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DGYR.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
73335537220bdfd701774177b09d94b0_JaffaCakes118.exedescription pid Process procid_target PID 244 wrote to memory of 4884 244 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe 94 PID 244 wrote to memory of 4884 244 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe 94 PID 244 wrote to memory of 4884 244 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\73335537220bdfd701774177b09d94b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\73335537220bdfd701774177b09d94b0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\74638\DGYR.exe"C:\Windows\system32\74638\DGYR.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4884
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5c88da5c55de230053bb94c597184e4ae
SHA17d7a4cf6466165c6c1c507f7910ecb27ad0da331
SHA25664e12bb2b0fdeed4187cb4748a97b75379ff2c4e72c3655efe5b23eab8cd2869
SHA51240f163ea795150dae74c6df09bff38d68b52d58b6ee9cf2aac873062588cc18f6e445c5ee9410a5060ecd2cc87c70be44a41b8b4f32250a6ce20bc6bf41bc623
-
Filesize
458KB
MD5e28b8e6368b1a9edb3de05e8bedbda3d
SHA1d219b27b16558a560cbdd568ab42a08adb7547be
SHA256ce9cc662186b1f46448434150afcf521ff753077ccdddb03b9c5dfb56178fda5
SHA512096f2e77303636fceba5e5abbfffc2949a9551ed44a0e34f9445544e8318854c4138d4313f99d7904b58ee567963bdc76d89ebb550637fd6841a00d74eb762fb
-
Filesize
426B
MD51b72c3de319a128482fc02c7d19d1595
SHA1792c85f3be569eeea4cb763a8bcb7db848e04afd
SHA2565aa46a1bdf9621942407bdc9aecb24317ec976f22d16d5e0f0e79576e2b3bb9b
SHA512947ca12d5c1f72782554edc07fdb13f5436092420600809b6e687a63d2f202889b2e9afff05759bdd07fa00115c1bf1051815f3ee72fbbc7a34cf2e6d1f1e3f5
-
Filesize
8KB
MD58d093334c5c1ab69afff0e4322c3158b
SHA105c415e71e7dcacb78f49f25925f5177b02f0021
SHA256e0e54c8f86327bcb48df4c803a2ebd7299f839e77b8ee77665210f4e33885a40
SHA51220acde6e65c87b6dcbb44e48b12165bf9565dbf1f96f431d6b5367f61f1ae9ae20bf637f1f696078b7a7f3aaf078cbf7c4257d9d2a3fbebcbb165b0b941ca275
-
Filesize
5KB
MD5f9fb0e65a3753ca6530eda233cf7fd3d
SHA13eee3da17c67440102371450791d4474f0d5d537
SHA2564c1f344695d2a4773b0106a21e8b0bc97a7a88c04787420907afc3f14e9cf2a3
SHA51297bc5e069c7e1ffdbfdd7379b91f3aedd1b2483196ee916ed7a737036d2e7dd3dc070a583391ac88456fa7e9c0e8c9edee81edd4f5ad3b9c6b972f0ec96ecf8d
-
Filesize
568KB
MD59c04bcdac0f7fa9100cf3418eaac9ed1
SHA1d1e566631886b2882e7ac0709d04e98f6d44de4a
SHA256c82c2989bf19daf8d201dd25de7933488de98825257e549a8c7c2d21736a32c3
SHA5122d3c39c3c249c58109e49b733cc68dbb5e2bed1749e0f90c0e7ae2995ec14d9ea36116abefb84ada0377d108a79f446d4fbbb4454c8f3ee7ad3446ada0be2aac