Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 11:12
Static task: static1
Behavioral task: behavioral1
  Sample: a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
Size: 2.0MB
MD5: a791021f9f08803dd8fe1b7929645e5b
SHA1: 2e242194f3c0e48202be24217df7b68a885be688
SHA256: ba4544516d049bac33dc73c85310f8ca3f78d7c0580f1ab4cf2f2e6014470401
SHA512: f54eebb6e7ce20c5575209981db218e1e4c641a0a0a99cbb152acda0b2b8f0c2d32cf5785ba1de45b8fc6cfa1ee29f631e39748f44df4767a53f1abefe698bfe
SSDEEP: 49152:yoTXykbXtSwmx9pVoP4AfR9y1aDhFYqDQwD1D4M+CP6iGhIS7UjI1p:etw2VoQAfR9Fdn5hnGhIWUjI1
Malware Config
Signatures

Ardamax family

Ardamax main executable (1 IoC)
  resource: behavioral1/files/0x0007000000016d0b-9.dat    yara_rule: family_ardamax

Executes dropped EXE (2 IoCs)
  PID 2084  VEO.exe
  PID 2696  CrazyMulti.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine  CrazyMulti.exe

Loads dropped DLL (6 IoCs)
  PID 2120  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  PID 2084  VEO.exe
  PID 2120  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  PID 2120  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  PID 2120  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  PID 2696  CrazyMulti.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VEO Start = "C:\\Windows\\SysWOW64\\XNHLMW\\VEO.exe"  VEO.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  CrazyMulti.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification  \??\PhysicalDrive0  CrazyMulti.exe

Drops file in System32 directory (6 IoCs)
  File created  C:\Windows\SysWOW64\XNHLMW\VEO.004  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\XNHLMW\VEO.001  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\XNHLMW\VEO.002  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\XNHLMW\AKV.exe  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\XNHLMW\VEO.exe  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\XNHLMW\  VEO.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2696  CrazyMulti.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VEO.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CrazyMulti.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2696  CrazyMulti.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: 33  PID 2084  VEO.exe
  Token: SeIncBasePriorityPrivilege  PID 2084  VEO.exe
  Token: SeIncBasePriorityPrivilege  PID 2084  VEO.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2084  VEO.exe
  PID 2084  VEO.exe
  PID 2084  VEO.exe
  PID 2084  VEO.exe
  PID 2696  CrazyMulti.exe
  PID 2696  CrazyMulti.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2120 wrote to memory of 2084  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 31
  PID 2120 wrote to memory of 2084  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 31
  PID 2120 wrote to memory of 2084  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 31
  PID 2120 wrote to memory of 2084  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 31
  PID 2120 wrote to memory of 2696  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 32
  PID 2120 wrote to memory of 2696  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 32
  PID 2120 wrote to memory of 2696  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 32
  PID 2120 wrote to memory of 2696  a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe  procid_target 32
  PID 2084 wrote to memory of 1896  VEO.exe  procid_target 33
  PID 2084 wrote to memory of 1896  VEO.exe  procid_target 33
  PID 2084 wrote to memory of 1896  VEO.exe  procid_target 33
  PID 2084 wrote to memory of 1896  VEO.exe  procid_target 33
Processes

C:\Users\Admin\AppData\Local\Temp\a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe (PID 2120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\XNHLMW\VEO.exe (PID 2084, child of 2120)
    Command line: "C:\Windows\system32\XNHLMW\VEO.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1896, child of 2084)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\XNHLMW\VEO.exe > nul
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\CrazyMulti.exe (PID 2696, child of 2120)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CrazyMulti.exe"
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Virtualization/Sandbox Evasion (1)
Downloads

Filesize: 92B
  MD5: 362e13f4c0e95eb7866ecdb11a6e5836
  SHA1: 7d3c457bace293fac8ade4c24f2a0d5c5b39bdab
  SHA256: 440b22d61e94f82fce42fe3dd02a43b93c17374d2ed3f87114a2c9f57a95bcbd
  SHA512: 92fd0d7a3c3629682c92da9cbd7e47ef9f3ff9cc85bbbdf3a7805f9ce4f79d47e3828e2dc2ecce5f9a68237f996ab21e4bbdaf9c7058f4f05700579e1950cc27

Filesize: 463KB
  MD5: eb916da4abe4ff314662089013c8f832
  SHA1: 1e7e611cc6922a2851bcf135806ab51cdb499efa
  SHA256: 96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061
  SHA512: d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

Filesize: 61KB
  MD5: 425ff37c76030ca0eb60321eedd4afdd
  SHA1: 7dde5e9ce5c4057d3db149f323fa43ed29d90e09
  SHA256: 70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24
  SHA512: ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

Filesize: 43KB
  MD5: 12fb4f589942682a478b7c7881dfcba2
  SHA1: a3d490c6cda965708a1ff6a0dc4e88037e0d6336
  SHA256: 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
  SHA512: dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

Filesize: 1KB
  MD5: a47810da0d5bf894fb612a40d2326a94
  SHA1: f6b6675f975241b42a5127986fe3c7a2b2b3eb8b
  SHA256: b33496bed471a0cf57273e9399876fc36a1ca8bf61c0b48256810e03b9ddd7ce
  SHA512: 221fc14d3f9b9399a87798f425a0168281c57f803e293e085e58ee58e7765105a58fb99834dddb7d6d54b242d91109518fc470e3ed492db44ff3239ce821abc1

Filesize: 1.5MB
  MD5: f8530f0dfe90c7c1e20239b0a7643041
  SHA1: 3e0208ab84b8444a69c8d62ad0b81c4186395802
  SHA256: 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
  SHA512: 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

Filesize: 946KB
  MD5: b789af6449e5deebe33f3ef667c51f8a
  SHA1: f3f6fe93311c3b5b2ecf39d934553a6ef816e41f
  SHA256: d9626bc1792f3e4cc5b21b2331959140022105be9c33bc80bb3f8ad16e7516a2
  SHA512: 0c4a2f04eeeed67f26657c3de94930888a60828640a981c64595b147352e87b36ec7e80d684f0e315ec4ed27451cfcf6fa8d7581038f441c164adfa8c59f8468