Analysis
-
max time kernel
94s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2024 17:15
Static task
static1
Behavioral task
behavioral1
Sample
9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
9cd793b2589f1f961bd32df45e261b3b
-
SHA1
1a3ed9b70f9a24a09d8b5a0d1bc5b360ae739fe4
-
SHA256
ce1d50b440c3ecfe3be4c8482811d9d949b7f8b8cb71cab0ba11f3f9c0537895
-
SHA512
2256934e8c6cea84e0d4d5578c5734ddb5979a0fe69d268620a4f5b8887bb754e597585990b06de381506f83b05420261a4fb62182fec3830e601418e74eb23b
-
SSDEEP
24576:jGaUTAAvOEg2q4fP1aBF4EW4l3M236cTltOdvacxfOxqIMvAjWWGdkczBTJCimwm:jGrTAAv3g2q4Fs396cSdycxfzIMEWzz2
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023c68-8.dat family_ardamax -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation DHD.exe -
Executes dropped EXE 1 IoCs
pid Process 2356 DHD.exe -
Loads dropped DLL 1 IoCs
pid Process 2356 DHD.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHD Start = "C:\\Windows\\SysWOW64\\IISWME\\DHD.exe" DHD.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\IISWME\ DHD.exe File created C:\Windows\SysWOW64\IISWME\DHD.004 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe File created C:\Windows\SysWOW64\IISWME\DHD.001 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe File created C:\Windows\SysWOW64\IISWME\DHD.002 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe File created C:\Windows\SysWOW64\IISWME\AKV.exe 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe File created C:\Windows\SysWOW64\IISWME\DHD.exe 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DHD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: 33 2356 DHD.exe Token: SeIncBasePriorityPrivilege 2356 DHD.exe Token: SeIncBasePriorityPrivilege 2356 DHD.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2356 DHD.exe 2356 DHD.exe 2356 DHD.exe 2356 DHD.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3672 wrote to memory of 2356 3672 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe 83 PID 3672 wrote to memory of 2356 3672 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe 83 PID 3672 wrote to memory of 2356 3672 9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe 83 PID 2356 wrote to memory of 684 2356 DHD.exe 101 PID 2356 wrote to memory of 684 2356 DHD.exe 101 PID 2356 wrote to memory of 684 2356 DHD.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\IISWME\DHD.exe"C:\Windows\system32\IISWME\DHD.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\IISWME\DHD.exe > nul3⤵
- System Location Discovery: System Language Discovery
PID:684
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
536KB
MD537b7ccd6152104d6da614c2ac21abf86
SHA1c2a1cb4bc0475a0ee486dc9b3249a267b155e6bf
SHA256e33cd5c9c1e4fb101ab8f95a068a2604641a455105cf3c5e1a45a813d0588c11
SHA512479db2cf0da07fc8604fcff4c658dfe62cf8b45a3a3ee3deacbedc0f6c7fc7914cb2a4a674b68146bc90eccfb29af6e842ef1524790608073eb95936e2b80518
-
Filesize
60KB
MD55b79ad0d1d30119158b5ab4147edbd96
SHA16f802d57d49d7063e40b7bebafa8fb1051e0a907
SHA2564ccebd38ac000cbc33a6cfc2e87e900ef64ba4b978f3facfdb5870e217ac3ff7
SHA512497e3eff3c7356cf12efd153b651d1a1ef2cb07302eb5b71dcff0d6732e5273bcff5f82897dff85cdaae0bc159fa9c4588e3bc90ab12521532675bf116757c6b
-
Filesize
43KB
MD5af3efaa90f29f6506693136ae1674fc7
SHA1897aea8f6df7e29d43954512fc390b97c0eb4550
SHA2564658d92f74df5ee142c08157985e25e41f74aaaa4256df9dfc9a011b7c3f0f44
SHA5121a87ce2d0767204b1d636ce70c083c71f5cfa064680218906ff86c233968baca7ef605f2b1d9bfaf8326a8cbff7074ace766604b283c1a2b50d5788038dc9863
-
Filesize
1KB
MD52d19f1ea4f74d8d7328409a958426d3c
SHA19c144e960917f303ea9962147d9e2249bd02d86d
SHA2569c0e65e90261bc57f1b8a21d4ab354570f46353763a74869b98abec2d0b03d07
SHA512b8c25c8b468ab32a660fe2f153811f7bd128b5b569413d935058ae6039c353f1bfd1a64acfb9e75f165dfc076923eaf37b60d8e7ce9d791a73b6439519a27424
-
Filesize
1.7MB
MD578dd492b06d03744d1954781d33775ca
SHA1ef9462193e6ba7be64458ea1be6afcaeadc574b1
SHA256c0664f94e9b2a7817f79b9457c31e524ef72ed7c073e79546d67e857b4637ede
SHA512f88734970018f46b8c4ce350cccf577ac056957e933deb493becbc30b7165834ca68db423850220f8944b364dc97e1423247192faf4f3e4db85cf25c4576eef9