Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2024 03:19

General

  • Target

    9f86f954eac6b3d681d0cca5006902bf_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    9f86f954eac6b3d681d0cca5006902bf

  • SHA1

    121baa6cd1713088a4aad05a2df1f337f8399c7b

  • SHA256

    e955528268ea2c049598faf922c2acd83dc53b5579b2a6896d0c5d52067e619a

  • SHA512

    d5af495dfacd252100843da128d09ca63d8eaea1c5d7950aa478c4490edd19c175cc892f9cf6fb9366280bbc1258c267679f439fe8a825389e316d4f50e93014

  • SSDEEP

    24576:W64MVTz+VxRx9xJujv/0X8NK+UueUqF+vtX6xMb8vUVinY:W64MTaZx9Sjv/0sNnFeLQc48C2

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f86f954eac6b3d681d0cca5006902bf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9f86f954eac6b3d681d0cca5006902bf_JaffaCakes118.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\SysWOW64\sc.exe
      sc stop wscsvs
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2072
    • C:\Windows\SysWOW64\sc.exe
      sc stop SharedAccess
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2732
    • C:\Windows\SysWOW64\sc.exe
      sc delete shared access
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:220
    • C:\Windows\SysWOW64\sc.exe
      sc delete wscsvs
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2476
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM CMain.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM CAVSubmit.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4532
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM navapsvc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM nod32krn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3176
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM mcvsescn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:780
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM ashWebSv.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM istsvc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:212
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM avp.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM avgamsvr.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3900
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM avgw.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4000
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM avguard.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3832
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM sockspy.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:400
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM nanapsvc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4032
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM SPBBCS.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM AvKWCtl.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM Nvoy.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4792
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM isafe.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4088
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /IM vsmon.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2624
      • C:\Windows\NDMKPG\BIC.exe
        "C:\Windows\NDMKPG\BIC.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.exe

    Filesize

    934KB

    MD5

    c8038a2d96c20a6664da287a49e1f451

    SHA1

    26ae3ddd4bae2ad6e5e2b3056a7a17e4c5c58dce

    SHA256

    5d24b03937e102aee1248aef511905f159bce3df8509c3a8f22d0b3a2b7cc658

    SHA512

    6bf27328e13245ad7680588fe605e327edba10eb11893e06229c1c3e25e5412d9cd8a02d84c2e72b36b1c22ea56e3cbb5b7269daec9174c630f359c0b93d6509

  • C:\Windows\NDMKPG\BIC.001

    Filesize

    61KB

    MD5

    383d5f5d4240d590e7dec3f7312a4ac7

    SHA1

    f6bcade8d37afb80cf52a89b3e84683f4643fbce

    SHA256

    7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

    SHA512

    e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

  • C:\Windows\NDMKPG\BIC.002

    Filesize

    43KB

    MD5

    93df156c4bd9d7341f4c4a4847616a69

    SHA1

    c7663b32c3c8e247bc16b51aff87b45484652dc1

    SHA256

    e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

    SHA512

    ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

  • C:\Windows\NDMKPG\BIC.004

    Filesize

    1KB

    MD5

    39947400e6f176b636ae3997f16e1904

    SHA1

    a157f25c23774081f31e555c5bb7367982355527

    SHA256

    ab9525e12b47738a89a5ddbb56f86a819e6c98fda24e0407d1c6412b61c17992

    SHA512

    75f4ec191308ea233d346dca6805e000892b9d2eb7a8a10355d843113d368c17d37878e82b7b4ea90ec60c7b9c59b73f63fc7319fdb0aa8c2395b82544fb0e33

  • C:\Windows\NDMKPG\BIC.exe

    Filesize

    1.7MB

    MD5

    3cd29c0df98a7aeb69a9692843ca3edb

    SHA1

    7c86aea093f1979d18901bd1b89a2b02a60ac3e2

    SHA256

    5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

    SHA512

    e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

  • memory/628-0-0x0000000075222000-0x0000000075223000-memory.dmp

    Filesize

    4KB

  • memory/628-1-0x0000000075220000-0x00000000757D1000-memory.dmp

    Filesize

    5.7MB

  • memory/628-2-0x0000000075220000-0x00000000757D1000-memory.dmp

    Filesize

    5.7MB

  • memory/628-30-0x0000000075222000-0x0000000075223000-memory.dmp

    Filesize

    4KB

  • memory/628-31-0x0000000075220000-0x00000000757D1000-memory.dmp

    Filesize

    5.7MB