Analysis
- max time kernel: 151s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2024 06:10
Static task: static1
Behavioral task: behavioral1
- Sample: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe
- Size: 769KB
- MD5: a0414ea0f21387ab4f6a5ab5cfa8c3d4
- SHA1: 64604bacdd217011fac23abf60404f04cd1379ad
- SHA256: a9512fa7fe0e7cd53e2612cef370f1bb5e62485864cfc7a9d3c39270ace97fd0
- SHA512: 861896c1194a5806b8f387813e0380e0f722294801959ab5b653261c1167a0a2679247bea46412b14ebf1eafec54b8e19591d19ad0b242ed8344e2ee95a3b744
- SSDEEP: 12288:OlQD3uWAOGfYvjHendWVUf3DT6Xp4juCdiGeOtJ76vSYli+9xmjxUSL2OIhzu:OEbHedPHgKD0GNJmpHxmjxfazu
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource: behavioral1/files/0x000900000001756b-9.dat, yara_rule: family_ardamax
- Executes dropped EXE (2 IoCs)
  pid 2040: TKDG.exe
  pid 2324: PerX.exe
- Loads dropped DLL (9 IoCs)
  pid 2352: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe (5 entries)
  pid 2040: TKDG.exe (2 entries)
  pid 2324: PerX.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TKDG Agent = "C:\\Windows\\SysWOW64\\28463\\TKDG.exe" (process: TKDG.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\28463\TKDG.001 (process: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\28463\TKDG.006 (process: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\28463\TKDG.007 (process: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\28463\TKDG.exe (process: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\28463\AKV.exe (process: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\28463 (process: TKDG.exe)
- yara_rule upx (7 IoCs)
  resource: behavioral1/memory/2324-35-0x0000000000400000-0x00000000004B5000-memory.dmp
  resource: behavioral1/files/0x00050000000194eb-32.dat
  resource: behavioral1/memory/2324-43-0x0000000000400000-0x00000000004B5000-memory.dmp
  resource: behavioral1/memory/2324-48-0x0000000000400000-0x00000000004B5000-memory.dmp
  resource: behavioral1/memory/2324-55-0x0000000000400000-0x00000000004B5000-memory.dmp
  resource: behavioral1/memory/2324-56-0x0000000000400000-0x00000000004B5000-memory.dmp
  resource: behavioral1/memory/2324-58-0x0000000000400000-0x00000000004B5000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: TKDG.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: PerX.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2324: PerX.exe (64 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33, pid 2040, process TKDG.exe
  Token: SeIncBasePriorityPrivilege, pid 2040, process TKDG.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 2040: TKDG.exe (5 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2352 wrote to memory of 2040: pid 2352, process a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe, procid_target 31 (4 entries)
  PID 2352 wrote to memory of 2324: pid 2352, process a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0414ea0f21387ab4f6a5ab5cfa8c3d4_JaffaCakes118.exe"
  PID: 2352
  Signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\28463\TKDG.exe
    Command line: "C:\Windows\system32\28463\TKDG.exe"
    PID: 2040
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\PerX.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PerX.exe"
    PID: 2324
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 262KB
  MD5: e974a7ed7fa0c096aa1f59ae6d8cce72
  SHA1: 24b215e712fa745ac94d033ee7c5a556a5df0dab
  SHA256: d042a6add7b1547e5165d0c0c0f0eb21ee778b44c27e0a2bbce9f02b79156c0b
  SHA512: 156cfa7b252d8737a4d3fdc3f8095353051d7f15e1293d6c1213de36ea44d526fd94e75765b3a1f75ed83f9b02dd4329b9eab466e9188fea107e622d0c1d6ba4
- Filesize: 395KB
  MD5: adbec81b510dcfe49835f95940ef961d
  SHA1: 77940f6e46fbd5f53de23bd49afe9172470769d0
  SHA256: 466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95
  SHA512: ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7
- Filesize: 508B
  MD5: a0081ab1e2c7e2216dbdfd2437a0e094
  SHA1: ebf32bf41b5775804f53d61ffc2041ce0c29e0e1
  SHA256: 5e4920c511a64cc5dc917d15b4ed95e046531e16abfa961cba6f83a8495f1c01
  SHA512: 50b5549bc3e95468ee976d77b637ad98f7fe041e27c6a805e8540cb2311455b70ed82d316dc6e5a5db45d9a94b1930029c847ff8f37775c2500eba7a6329ff67
- Filesize: 5KB
  MD5: bc75eddaa64823014fef0fe70bd34ffc
  SHA1: 15cd2ace3b68257faed33c78b794b2333eab7c0a
  SHA256: 9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d
  SHA512: 20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa
- Filesize: 4KB
  MD5: 13e10cd76f11d6cb43182dcba7370171
  SHA1: e6b8ce329e49ff09f1cb529c60fc466cb9a579c8
  SHA256: f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5
  SHA512: ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8
- Filesize: 8KB
  MD5: f5eff4f716427529b003207d5c953df5
  SHA1: 79696d6c8d67669ea690d240ef8978672e3d151c
  SHA256: ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde
  SHA512: 5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf
- Filesize: 473KB
  MD5: 3c90d45b1c004e86a7f7a7a340f1abc8
  SHA1: 10602c450bcbda2735dc036f2e399646f0c64f4c
  SHA256: f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c
  SHA512: 85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1