Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-11-2024 07:20
Static task
static1
Behavioral task
behavioral1
Sample
8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
8a41ccbad339034e3373451dcaef8e17
-
SHA1
9ef973f43bd96c7e35d2b3b37b3730f306a7e829
-
SHA256
c5ff2f0c8356fabe5c60a06f07adf3f7b0b284ff76179d6dfa701a12e8d175f4
-
SHA512
69bcb18ae99306667a6d837040ce8e94de83f028bc3dbd1584ee4f68c92c676824649412e53a8c6fa5e43f4a01801fec1d599f555ec268bd60d33747f1c1955e
-
SSDEEP
24576:V1ITQpvdvblQlzHFzgH6p7oZMDyviJxE9cgm8Ll2/HkGjx:VSTQlFlQFFMA7gMD0iJi9BmKIZ
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
Processes:
resource yara_rule \Windows\SysWOW64\CLYIVF\VBB.exe family_ardamax -
Executes dropped EXE 1 IoCs
Processes:
VBB.exepid process 2972 VBB.exe -
Loads dropped DLL 2 IoCs
Processes:
8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exeVBB.exepid process 2148 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe 2972 VBB.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
VBB.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VBB Start = "C:\\Windows\\SysWOW64\\CLYIVF\\VBB.exe" VBB.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
Processes:
8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exeVBB.exedescription ioc process File created C:\Windows\SysWOW64\CLYIVF\VBB.004 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe File created C:\Windows\SysWOW64\CLYIVF\VBB.001 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe File created C:\Windows\SysWOW64\CLYIVF\VBB.002 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe File created C:\Windows\SysWOW64\CLYIVF\AKV.exe 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe File created C:\Windows\SysWOW64\CLYIVF\VBB.exe 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\CLYIVF\ VBB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exeVBB.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VBB.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
VBB.exepid process 2972 VBB.exe 2972 VBB.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
VBB.exedescription pid process Token: 33 2972 VBB.exe Token: SeIncBasePriorityPrivilege 2972 VBB.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
VBB.exepid process 2972 VBB.exe 2972 VBB.exe 2972 VBB.exe 2972 VBB.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exedescription pid process target process PID 2148 wrote to memory of 2972 2148 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe VBB.exe PID 2148 wrote to memory of 2972 2148 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe VBB.exe PID 2148 wrote to memory of 2972 2148 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe VBB.exe PID 2148 wrote to memory of 2972 2148 8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe VBB.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8a41ccbad339034e3373451dcaef8e17_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\CLYIVF\VBB.exe"C:\Windows\system32\CLYIVF\VBB.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2972
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
487KB
MD5ad6bc708ce46e6ffa081d61d4f36c6a7
SHA1d01f95e867eb9333e240f107a11740a33abeb882
SHA25671d5313468cf3e39fe3ddface2f7f81dbf39c0997cfc85b1b9cf3aba1ea12176
SHA512f31be421771a00d1107be595ee22e29abcf8e6c13418c1160c061e541ff93f3b7c741fd2bd14de2501a20aceceb0e4c6f68dd3ebb7cd26c2c93afe25690af672
-
Filesize
61KB
MD5d373bbf76430957bcd2e57b0c9282478
SHA1060e94a44aae965fc871ef99ef72e2903c18a812
SHA2566b417853ea93c6b973d0fb5d12cce6136dcf57b97c8566087c6d8b2b22b499e6
SHA512dc6a7d2e28d169b1c3ed5d8004bb25e4f6ba0cf71f69b8d74204d531f17d3f16b838df0bc699a9c4f4addf979676fffe0fc92f16035f7a5ee774593f9f24249a
-
Filesize
44KB
MD578d9c23d5e387c983ec0f9d1cd5e7a3c
SHA13568035056154177c2f182c0fcb52b5aad99b817
SHA25614099ac39320e34d4924d349da7ee737a764587f24e913a13fbe08d1f9afb82a
SHA5125c0d169434ad2800cc82ef4b6ec3b25c765fdd4314988754c1eec57405cfbdde2c47632a333aacfb80563f427bdd2f567ac291865052f14d9d99f8ca042acdeb
-
Filesize
1KB
MD5bc73fff222e2ec987020e3eb8681ae27
SHA15cf9eee7d2ed3bb5ac0e5571ea7aae6ea09c95c0
SHA256f292129556412e3257a311427363f50cce43141d9be92828d9b6fc7a077fa08f
SHA5128633ca66ef4963d53e2208ef8bbc89788d039110928a3ac3a7a09eeb69dfc9c9c27f84b35a9cdfa1f48d6a8cd03613ecd6dec07745012c5383880cf28fae6902
-
Filesize
1.7MB
MD50c3ef1e16d7066db155af6503190886c
SHA1d606edb9f5c1a6b421eac400e545dbcb78c19353
SHA2568f571c7d18ad3f2facf0662ee183a0ccd42fd1bcdb2cb544ab8bae8411acaa01
SHA5126275471d26b86f2212123aafceccf4a636b29d8e0b635f0a265d0fb99ff04cc282e03d174c37f6eb8ec5c8fc82fb73ca6a97192e6049a9d36f6070969d234da3