Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 11:06
Static task: static1
Behavioral task: behavioral1
  Sample: a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
Size: 1.7MB
MD5: a78ab808bdc185f7a7ccf4e6eee5afa7
SHA1: 1a9803f2d2a9fd4019a17bfc4198602566c8a508
SHA256: 3d810ccbc67bcb23749038d92f1c6a618ee34994868875548b49e4a9b3362f89
SHA512: 1dea56ae8129bdaa5d9ed8db1e75dc792db7da162a17c538c994b9db1f7d335277624b894919556cdef29dbeccf866648f59e72268584cb400658088b96ad9f6
SSDEEP: 24576:ZSj+W744GVr+Pt+vYHKxXUU1AeZguIR+gKz3t7jinZPeOktRzEfGtRLv8CKkpUys:ZItestSaYhI9+/uleVtEq2dwZPjS
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource | yara_rule
  behavioral1/files/0x0009000000016d25-15.dat | family_ardamax
- Executes dropped EXE (2 IoCs)
  pid | Process
  2852 | akltest.exe
  2768 | XSU.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2916 | a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
  2852 | akltest.exe
  2768 | XSU.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XSU Start = "C:\\Windows\\SysWOW64\\CAQPCV\\XSU.exe" | XSU.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\CAQPCV\AKV.exe | akltest.exe
  File created | C:\Windows\SysWOW64\CAQPCV\XSU.exe | akltest.exe
  File opened for modification | C:\Windows\SysWOW64\CAQPCV\ | XSU.exe
  File created | C:\Windows\SysWOW64\CAQPCV\XSU.004 | akltest.exe
  File created | C:\Windows\SysWOW64\CAQPCV\XSU.001 | akltest.exe
  File created | C:\Windows\SysWOW64\CAQPCV\XSU.002 | akltest.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | akltest.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XSU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2768 | XSU.exe
  2768 | XSU.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2916 | a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
  Token: 33 | 2768 | XSU.exe
  Token: SeIncBasePriorityPrivilege | 2768 | XSU.exe
  Token: SeIncBasePriorityPrivilege | 2768 | XSU.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2768 | XSU.exe
  2768 | XSU.exe
  2768 | XSU.exe
  2768 | XSU.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2916 wrote to memory of 2852 | 2916 | a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe | 30
  PID 2916 wrote to memory of 2852 | 2916 | a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe | 30
  PID 2916 wrote to memory of 2852 | 2916 | a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe | 30
  PID 2916 wrote to memory of 2852 | 2916 | a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe | 30
  PID 2852 wrote to memory of 2768 | 2852 | akltest.exe | 31
  PID 2852 wrote to memory of 2768 | 2852 | akltest.exe | 31
  PID 2852 wrote to memory of 2768 | 2852 | akltest.exe | 31
  PID 2852 wrote to memory of 2768 | 2852 | akltest.exe | 31
  PID 2768 wrote to memory of 3040 | 2768 | XSU.exe | 33
  PID 2768 wrote to memory of 3040 | 2768 | XSU.exe | 33
  PID 2768 wrote to memory of 3040 | 2768 | XSU.exe | 33
  PID 2768 wrote to memory of 3040 | 2768 | XSU.exe | 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe"
   PID: 2916
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\akltest.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\akltest.exe"
      PID: 2852
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\CAQPCV\XSU.exe
         Command line: "C:\Windows\system32\CAQPCV\XSU.exe"
         PID: 2768
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CAQPCV\XSU.exe > nul
            PID: 3040
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 8236ad92283b9d741bc4050e3b33cee9
  SHA1: df0b0046af833c1a7be1279ca19c802056c7b88a
  SHA256: 51f45211b33bd5e18b39d8b76361aa95c56e53bc266ce801f29f073c2cb597a7
  SHA512: 401cb9b4881a6cef217b880963082aecdd45f1a64d04ef17ead4125ef90fd975891e5cea9cd18157064d72b7cc275fef70c3d6b5deb57ef0f0e6c66bc13e8245
- Filesize: 485KB
  MD5: b905540561802896d1609a5709c38795
  SHA1: a265f7c1d428ccece168d36ae1a5f50abfb69e37
  SHA256: ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53
  SHA512: 7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc
- Filesize: 43KB
  MD5: f195701cf2c54d6ceadad943cf5135b8
  SHA1: 9beb03fc097fc58d7375b0511b87ced98a423a08
  SHA256: 177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec
  SHA512: f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025
- Filesize: 1KB
  MD5: 00b532a2d193d0ea70e7c5d77b3e1f27
  SHA1: 9d7ca4d44b221d0fdb99e21be6ed4b03954bd54e
  SHA256: 0efcf4092f9358c00590bc48b32c1304d31c31808081e9cad8130ed40de6f365
  SHA512: aa5865c48af1ab595d47ac4488797b3970ac151aa7ad2a7a1c240d583540ca89e1384c01b1e427fab0b6a0e25e622ff6ac6b6393071a38f1f97d10f66c05ff90
- Filesize: 61KB
  MD5: f354f72924cdfe4c8afcc85005803b21
  SHA1: 817bf228f2f6fdb45bc54abb30efe96729bd65c8
  SHA256: d1edf8e95bc50e5fc944b07c19d643a9a3dc17e6744c718257baf8b79789e540
  SHA512: 57e837cc6901558fe114f5cf06590dde935daf4bd16eb9bbce76967944e079b615a8da827d46ff27d0b841a1bf9701a86618090cb5b6dd5e1bac1630cdad0233
- Filesize: 1.7MB
  MD5: d95623e481661c678a0546e02f10f24c
  SHA1: b6949e68a19b270873764585eb1e82448d1e0717
  SHA256: cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da
  SHA512: dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591