Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    27-11-2024 11:06

General

  • Target

    a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    a78ab808bdc185f7a7ccf4e6eee5afa7

  • SHA1

    1a9803f2d2a9fd4019a17bfc4198602566c8a508

  • SHA256

    3d810ccbc67bcb23749038d92f1c6a618ee34994868875548b49e4a9b3362f89

  • SHA512

    1dea56ae8129bdaa5d9ed8db1e75dc792db7da162a17c538c994b9db1f7d335277624b894919556cdef29dbeccf866648f59e72268584cb400658088b96ad9f6

  • SSDEEP

    24576:ZSj+W744GVr+Pt+vYHKxXUU1AeZguIR+gKz3t7jinZPeOktRzEfGtRLv8CKkpUys:ZItestSaYhI9+/uleVtEq2dwZPjS

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\akltest.exe
      "C:\Users\Admin\AppData\Local\Temp\akltest.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\CAQPCV\XSU.exe
        "C:\Windows\system32\CAQPCV\XSU.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CAQPCV\XSU.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3040
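The process tree above is the whole story of this sample in four events: the dropper in Temp launches akltest.exe, which stages XSU.exe into a new subdirectory of the system directory (CAQPCV), and XSU.exe adds a Run key and then spawns cmd.exe to delete its own image (the "Indicator Removal: File Deletion" hit). Note also that the command line says `system32` while the image path says `SysWOW64`: the process is 32-bit, so the WOW64 file-system redirector maps one onto the other, and any detection that compares command-line operands against image paths has to fold the two. The script below, added here as an example and not part of the Triage report, reconstructs the parent/child tree from process-creation records constructed from the four processes above (field names `pid`, `ppid`, `image`, `cmdline` are our own, not Triage's schema) and flags two things: an executable launched from a System32/SysWOW64 subdirectory by a parent running out of a user Temp path, and a cmd.exe `del` whose operand is the image of one of its own ancestors. The Run key value itself is not shown on the page, so the script does not try to check it.

```python
"""Detect the Temp-dropper -> System32-subdirectory implant -> cmd.exe
self-deletion chain from process-creation records.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the record layout (pid/ppid/image/cmdline) is assumed.
"""
import re

# Folds System32 and SysWOW64 so a WOW64-redirected command line compares
# equal to the real image path of a 32-bit process.
SYSDIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)
# File operand of a `del` command: optional switches, quoted or bare path,
# stopping at whitespace or a redirection such as `> nul`.
DEL_RE = re.compile(r'\bdel\s+(?:/[a-z]\s+)*(?:"([^"]+)"|([^"\s>]+))', re.I)

# Constructed from the four processes in the report's tree (PIDs as reported).
EVENTS = [
    {"pid": 2916, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a78ab808bdc185f7a7ccf4e6eee5afa7_JaffaCakes118.exe"'},
    {"pid": 2852, "ppid": 2916,
     "image": r"C:\Users\Admin\AppData\Local\Temp\akltest.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\akltest.exe"'},
    {"pid": 2768, "ppid": 2852,
     "image": r"C:\Windows\SysWOW64\CAQPCV\XSU.exe",
     "cmdline": r'"C:\Windows\system32\CAQPCV\XSU.exe"'},
    {"pid": 3040, "ppid": 2768,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CAQPCV\XSU.exe > nul'},
]


def norm_path(p):
    """Lower-case a path and replace System32/SysWOW64 with a <sysdir> token."""
    return SYSDIR_RE.sub(r"\\windows\\<sysdir>\\", p.lower())


def parse_del_targets(cmdline):
    """Return every path deleted by a `del` in a cmd.exe command line."""
    return [quoted or bare for quoted, bare in DEL_RE.findall(cmdline)]


def is_under_sysdir_subdir(image):
    """True for an image inside a subdirectory of the system directory
    (e.g. SysWOW64\\CAQPCV\\XSU.exe), False for a file directly in it (cmd.exe)."""
    m = re.search(r"\\windows\\<sysdir>\\(.+)$", norm_path(image))
    return bool(m) and "\\" in m.group(1)


def analyze(events):
    """Walk the process tree and return a list of finding dicts."""
    by_pid = {e["pid"]: e for e in events}

    def ancestors(e):
        while e["ppid"] in by_pid:
            e = by_pid[e["ppid"]]
            yield e

    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: implant under a System32/SysWOW64 subdirectory, started by a
        # parent that itself runs out of a user Temp directory.
        if (parent and is_under_sysdir_subdir(e["image"])
                and "\\appdata\\local\\temp\\" in norm_path(parent["image"])):
            findings.append({"rule": "temp_to_sysdir_subdir", "pid": e["pid"],
                             "image": e["image"], "parent": parent["image"]})
        # Rule 2: cmd.exe deleting the image of one of its own ancestors
        # (the `cmd /c del <self> > nul` cleanup pattern).
        if norm_path(e["image"]).endswith(r"\<sysdir>\cmd.exe"):
            targets = {norm_path(t) for t in parse_del_targets(e["cmdline"])}
            for anc in ancestors(e):
                if norm_path(anc["image"]) in targets:
                    findings.append({"rule": "self_delete", "pid": anc["pid"],
                                     "image": anc["image"], "via_pid": e["pid"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the constructed records this reports XSU.exe (PID 2768) twice: once as a System32-subdirectory implant started from Temp, and once as the target of its child cmd.exe's `del`. Both rules key on the relationship between parent and child rather than on the random directory name, so they survive a re-roll of `CAQPCV` and `XSU`; the path folding is what makes the `system32` operand in the command line match the `SysWOW64` image path.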

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\akltest.exe

    Filesize

    1.2MB

    MD5

    8236ad92283b9d741bc4050e3b33cee9

    SHA1

    df0b0046af833c1a7be1279ca19c802056c7b88a

    SHA256

    51f45211b33bd5e18b39d8b76361aa95c56e53bc266ce801f29f073c2cb597a7

    SHA512

    401cb9b4881a6cef217b880963082aecdd45f1a64d04ef17ead4125ef90fd975891e5cea9cd18157064d72b7cc275fef70c3d6b5deb57ef0f0e6c66bc13e8245

  • C:\Windows\SysWOW64\CAQPCV\AKV.exe

    Filesize

    485KB

    MD5

    b905540561802896d1609a5709c38795

    SHA1

    a265f7c1d428ccece168d36ae1a5f50abfb69e37

    SHA256

    ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53

    SHA512

    7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

  • C:\Windows\SysWOW64\CAQPCV\XSU.002

    Filesize

    43KB

    MD5

    f195701cf2c54d6ceadad943cf5135b8

    SHA1

    9beb03fc097fc58d7375b0511b87ced98a423a08

    SHA256

    177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

    SHA512

    f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

  • C:\Windows\SysWOW64\CAQPCV\XSU.004

    Filesize

    1KB

    MD5

    00b532a2d193d0ea70e7c5d77b3e1f27

    SHA1

    9d7ca4d44b221d0fdb99e21be6ed4b03954bd54e

    SHA256

    0efcf4092f9358c00590bc48b32c1304d31c31808081e9cad8130ed40de6f365

    SHA512

    aa5865c48af1ab595d47ac4488797b3970ac151aa7ad2a7a1c240d583540ca89e1384c01b1e427fab0b6a0e25e622ff6ac6b6393071a38f1f97d10f66c05ff90

  • \Windows\SysWOW64\CAQPCV\XSU.001

    Filesize

    61KB

    MD5

    f354f72924cdfe4c8afcc85005803b21

    SHA1

    817bf228f2f6fdb45bc54abb30efe96729bd65c8

    SHA256

    d1edf8e95bc50e5fc944b07c19d643a9a3dc17e6744c718257baf8b79789e540

    SHA512

    57e837cc6901558fe114f5cf06590dde935daf4bd16eb9bbce76967944e079b615a8da827d46ff27d0b841a1bf9701a86618090cb5b6dd5e1bac1630cdad0233

  • \Windows\SysWOW64\CAQPCV\XSU.exe

    Filesize

    1.7MB

    MD5

    d95623e481661c678a0546e02f10f24c

    SHA1

    b6949e68a19b270873764585eb1e82448d1e0717

    SHA256

    cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

    SHA512

    dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

  • memory/2916-0-0x0000000074C81000-0x0000000074C82000-memory.dmp

    Filesize

    4KB

  • memory/2916-1-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-2-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-25-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB