Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 17:15

General

  • Target

    9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    9cd793b2589f1f961bd32df45e261b3b

  • SHA1

    1a3ed9b70f9a24a09d8b5a0d1bc5b360ae739fe4

  • SHA256

    ce1d50b440c3ecfe3be4c8482811d9d949b7f8b8cb71cab0ba11f3f9c0537895

  • SHA512

    2256934e8c6cea84e0d4d5578c5734ddb5979a0fe69d268620a4f5b8887bb754e597585990b06de381506f83b05420261a4fb62182fec3830e601418e74eb23b

  • SSDEEP

    24576:jGaUTAAvOEg2q4fP1aBF4EW4l3M236cTltOdvacxfOxqIMvAjWWGdkczBTJCimwm:jGrTAAv3g2q4Fs396cSdycxfzIMEWzz2

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\SysWOW64\IISWME\DHD.exe
      "C:\Windows\system32\IISWME\DHD.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\IISWME\DHD.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\IISWME\AKV.exe

    Filesize

    536KB

    MD5

    37b7ccd6152104d6da614c2ac21abf86

    SHA1

    c2a1cb4bc0475a0ee486dc9b3249a267b155e6bf

    SHA256

    e33cd5c9c1e4fb101ab8f95a068a2604641a455105cf3c5e1a45a813d0588c11

    SHA512

    479db2cf0da07fc8604fcff4c658dfe62cf8b45a3a3ee3deacbedc0f6c7fc7914cb2a4a674b68146bc90eccfb29af6e842ef1524790608073eb95936e2b80518

  • C:\Windows\SysWOW64\IISWME\DHD.001

    Filesize

    60KB

    MD5

    5b79ad0d1d30119158b5ab4147edbd96

    SHA1

    6f802d57d49d7063e40b7bebafa8fb1051e0a907

    SHA256

    4ccebd38ac000cbc33a6cfc2e87e900ef64ba4b978f3facfdb5870e217ac3ff7

    SHA512

    497e3eff3c7356cf12efd153b651d1a1ef2cb07302eb5b71dcff0d6732e5273bcff5f82897dff85cdaae0bc159fa9c4588e3bc90ab12521532675bf116757c6b

  • C:\Windows\SysWOW64\IISWME\DHD.002

    Filesize

    43KB

    MD5

    af3efaa90f29f6506693136ae1674fc7

    SHA1

    897aea8f6df7e29d43954512fc390b97c0eb4550

    SHA256

    4658d92f74df5ee142c08157985e25e41f74aaaa4256df9dfc9a011b7c3f0f44

    SHA512

    1a87ce2d0767204b1d636ce70c083c71f5cfa064680218906ff86c233968baca7ef605f2b1d9bfaf8326a8cbff7074ace766604b283c1a2b50d5788038dc9863

  • C:\Windows\SysWOW64\IISWME\DHD.004

    Filesize

    1KB

    MD5

    2d19f1ea4f74d8d7328409a958426d3c

    SHA1

    9c144e960917f303ea9962147d9e2249bd02d86d

    SHA256

    9c0e65e90261bc57f1b8a21d4ab354570f46353763a74869b98abec2d0b03d07

    SHA512

    b8c25c8b468ab32a660fe2f153811f7bd128b5b569413d935058ae6039c353f1bfd1a64acfb9e75f165dfc076923eaf37b60d8e7ce9d791a73b6439519a27424

  • C:\Windows\SysWOW64\IISWME\DHD.exe

    Filesize

    1.7MB

    MD5

    78dd492b06d03744d1954781d33775ca

    SHA1

    ef9462193e6ba7be64458ea1be6afcaeadc574b1

    SHA256

    c0664f94e9b2a7817f79b9457c31e524ef72ed7c073e79546d67e857b4637ede

    SHA512

    f88734970018f46b8c4ce350cccf577ac056957e933deb493becbc30b7165834ca68db423850220f8944b364dc97e1423247192faf4f3e4db85cf25c4576eef9

  • memory/2356-16-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

  • memory/2356-18-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB