Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 15:16
Static task
static1
Behavioral task
behavioral1
Sample
a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
-
Size
494KB
-
MD5
a2a5e09f8ab3e116a51e1e6b968e1ec9
-
SHA1
3df06912a734a1a883b558e926ac478499be59aa
-
SHA256
ce3a44c2e4e03c465ea022d6b8b28b680088d0dcf899934da94da894eae42750
-
SHA512
23f39124321faf71830823051c7ccda43332dc05cd5a11244e98ae5dc157ac129335e72bf42b2b5e450f61472c6917d5b8e6d520148ef8b00ded6b4c75655028
-
SSDEEP
12288:RbezHjnVySxaWOIxZESa4NbZEAahLn53xWQc6qt9N:wntZrxJa4nol3xWQc6qtz
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral1/files/0x0008000000016ea4-9.dat family_ardamax -
Executes dropped EXE 1 IoCs
pid Process 1712 AUFP.exe -
Loads dropped DLL 8 IoCs
pid Process 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 1712 AUFP.exe 1740 DllHost.exe 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 1712 AUFP.exe 1740 DllHost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AUFP Agent = "C:\\Windows\\SysWOW64\\Sys32\\AUFP.exe" AUFP.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\Sys32\AUFP.006 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe File created C:\Windows\SysWOW64\Sys32\AUFP.007 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe File created C:\Windows\SysWOW64\Sys32\AUFP.exe a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe File created C:\Windows\SysWOW64\Sys32\AKV.exe a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Sys32 AUFP.exe File created C:\Windows\SysWOW64\Sys32\AUFP.001 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AUFP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: 33 1712 AUFP.exe Token: SeIncBasePriorityPrivilege 1712 AUFP.exe Token: SeIncBasePriorityPrivilege 1712 AUFP.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1740 DllHost.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1712 AUFP.exe 1712 AUFP.exe 1712 AUFP.exe 1712 AUFP.exe 1712 AUFP.exe 1740 DllHost.exe 1740 DllHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2068 wrote to memory of 1712 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 30 PID 2068 wrote to memory of 1712 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 30 PID 2068 wrote to memory of 1712 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 30 PID 2068 wrote to memory of 1712 2068 a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe 30 PID 1712 wrote to memory of 2360 1712 AUFP.exe 33 PID 1712 wrote to memory of 2360 1712 AUFP.exe 33 PID 1712 wrote to memory of 2360 1712 AUFP.exe 33 PID 1712 wrote to memory of 2360 1712 AUFP.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Sys32\AUFP.exe"C:\Windows\system32\Sys32\AUFP.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\AUFP.exe > nul3⤵
- System Location Discovery: System Language Discovery
PID:2360
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1740
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD5fd3740a2eff7c52711ab0c0d24679f36
SHA1fdb47235d09c8d6ca62a86417baad55d4d6fdf4e
SHA256cb9ce1811d72d2622131005f34e3bd41a6ef71bce248e64216bd69e9312765a5
SHA51265de09aebf1c97d7390498f383175348f131583fe232c7c730b071626d383ca56764af07ed53fc51edc39363ce87823dba9bc1fa7a324d7938b1d2bba175f718
-
Filesize
389KB
MD540f15729e871733ee4e3b526a72f0725
SHA143f4f1bb97a6e722ec796027aebd219199136833
SHA2564ab6592bff060a990b7820e9ee412b4318fb47e85eb01c069fa797399991b472
SHA5120f8b4bb24813334941d8cdcf137bdc7f4904648b97e5b92c448c053005a29d63c5ddfc6a7fdf1d3a7c1185b8c9dea15d13668bad963b651df6088dcfc32b7967
-
Filesize
390B
MD541c04f9466c6d2d50a640fe34033bee8
SHA1e0d60726ea3953f0223039d36ae9d2317b61aca2
SHA2562adba05a9143a08bba7cb48114947b6fde23bf4d1d19942a3fc32e28ae3bf95c
SHA5129dc17a0d90fb1e4dac6af029996b154f1054a4a01f20ea70f7f7a99998c937234a85395388a88f64c228c6cc982d839fd53bf6e0f8752ee04c2e70d0dc0a30f9
-
Filesize
7KB
MD5489d664845e0e001de7e6a87fb355366
SHA1c0b339c9b8d18dad3b6f425b0eba2833ed313202
SHA256aab3b216ae3c1415739d487c3d6df9af2b5d055959c289cd803e872b835d55fd
SHA5127e403f33d0717a3e30664f9702de589c8065690dc423cf69245122e96db346c8112ed15ba53d6ab26c538a1fea9e63dd29a01e2f18be8c1ad439a5466d066be3
-
Filesize
5KB
MD58148ef191adcb3a30fbf777b1642dd06
SHA179027d2c6b2b14da631a133eeba2a0a102914e39
SHA256ce5f8b7b0c338711fbc5359ed79c12139c6cdce2a5cdbb53797287800239c2e0
SHA5128b285260652ce586fc4c8dd8ab26f726634fd50208e9278767461c37f9f4d98857a867322e312ee3b5bcbb9b33d9ff9cb055af7ec9318c2419244c2efcbb2153
-
Filesize
3KB
MD51af114b264a783148f112ae8a4392450
SHA1bf5493d1c7794cc9e44f219a5038990215494fd4
SHA2563071cfecb4af30dbfef855370ed538f332338c35b5f6d5d14045c144796f7ff9
SHA512b9c833cca0adfad35cbe4392b170cb4820c50874f7b6cf1717a67007c95878e1980c2cbd283ffa671feec0c8794ac229551c5f0b38700d932840a7073f562355
-
Filesize
475KB
MD5f7f2f0d8ed270a51c6bce37645b0e8dc
SHA13f48aff739c3add1bd951e28c4d11ec24e345adf
SHA256fa0921f68dec9797bff50e5f3e466c01702eeeff254070c1705ced427edc725b
SHA512a9c948ad52df9cd83cb4972938b1e1a1751e316d61303eb571ea47e3175d823545ec15951701173f40f1577cc644d1f612e477376730a5fb5d375f2683cc9092