Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 11:12

General

  • Target

    a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    a791021f9f08803dd8fe1b7929645e5b

  • SHA1

    2e242194f3c0e48202be24217df7b68a885be688

  • SHA256

    ba4544516d049bac33dc73c85310f8ca3f78d7c0580f1ab4cf2f2e6014470401

  • SHA512

    f54eebb6e7ce20c5575209981db218e1e4c641a0a0a99cbb152acda0b2b8f0c2d32cf5785ba1de45b8fc6cfa1ee29f631e39748f44df4767a53f1abefe698bfe

  • SSDEEP

    49152:yoTXykbXtSwmx9pVoP4AfR9y1aDhFYqDQwD1D4M+CP6iGhIS7UjI1p:etw2VoQAfR9Fdn5hnGhIWUjI1

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\XNHLMW\VEO.exe
      "C:\Windows\system32\XNHLMW\VEO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\XNHLMW\VEO.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1896
    • C:\Users\Admin\AppData\Local\Temp\CrazyMulti.exe
      "C:\Users\Admin\AppData\Local\Temp\CrazyMulti.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MyINI.INI

    Filesize

    92B

    MD5

    362e13f4c0e95eb7866ecdb11a6e5836

    SHA1

    7d3c457bace293fac8ade4c24f2a0d5c5b39bdab

    SHA256

    440b22d61e94f82fce42fe3dd02a43b93c17374d2ed3f87114a2c9f57a95bcbd

    SHA512

    92fd0d7a3c3629682c92da9cbd7e47ef9f3ff9cc85bbbdf3a7805f9ce4f79d47e3828e2dc2ecce5f9a68237f996ab21e4bbdaf9c7058f4f05700579e1950cc27

  • C:\Windows\SysWOW64\XNHLMW\AKV.exe

    Filesize

    463KB

    MD5

    eb916da4abe4ff314662089013c8f832

    SHA1

    1e7e611cc6922a2851bcf135806ab51cdb499efa

    SHA256

    96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

    SHA512

    d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

  • C:\Windows\SysWOW64\XNHLMW\VEO.001

    Filesize

    61KB

    MD5

    425ff37c76030ca0eb60321eedd4afdd

    SHA1

    7dde5e9ce5c4057d3db149f323fa43ed29d90e09

    SHA256

    70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

    SHA512

    ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

  • C:\Windows\SysWOW64\XNHLMW\VEO.002

    Filesize

    43KB

    MD5

    12fb4f589942682a478b7c7881dfcba2

    SHA1

    a3d490c6cda965708a1ff6a0dc4e88037e0d6336

    SHA256

    4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

    SHA512

    dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

  • C:\Windows\SysWOW64\XNHLMW\VEO.004

    Filesize

    1KB

    MD5

    a47810da0d5bf894fb612a40d2326a94

    SHA1

    f6b6675f975241b42a5127986fe3c7a2b2b3eb8b

    SHA256

    b33496bed471a0cf57273e9399876fc36a1ca8bf61c0b48256810e03b9ddd7ce

    SHA512

    221fc14d3f9b9399a87798f425a0168281c57f803e293e085e58ee58e7765105a58fb99834dddb7d6d54b242d91109518fc470e3ed492db44ff3239ce821abc1

  • C:\Windows\SysWOW64\XNHLMW\VEO.exe

    Filesize

    1.5MB

    MD5

    f8530f0dfe90c7c1e20239b0a7643041

    SHA1

    3e0208ab84b8444a69c8d62ad0b81c4186395802

    SHA256

    734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

    SHA512

    5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

  • \Users\Admin\AppData\Local\Temp\CrazyMulti.exe

    Filesize

    946KB

    MD5

    b789af6449e5deebe33f3ef667c51f8a

    SHA1

    f3f6fe93311c3b5b2ecf39d934553a6ef816e41f

    SHA256

    d9626bc1792f3e4cc5b21b2331959140022105be9c33bc80bb3f8ad16e7516a2

    SHA512

    0c4a2f04eeeed67f26657c3de94930888a60828640a981c64595b147352e87b36ec7e80d684f0e315ec4ed27451cfcf6fa8d7581038f441c164adfa8c59f8468

  • memory/2084-37-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2084-16-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2120-26-0x0000000003260000-0x0000000003470000-memory.dmp

    Filesize

    2.1MB

  • memory/2120-51-0x0000000003260000-0x0000000003470000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-28-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-30-0x0000000000401000-0x0000000000419000-memory.dmp

    Filesize

    96KB

  • memory/2696-32-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-33-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-34-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-35-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-36-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-48-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB

  • memory/2696-50-0x0000000000400000-0x0000000000610000-memory.dmp

    Filesize

    2.1MB