Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 13:11

General

  • Target

    a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe

  • Size

    575KB

  • MD5

    a800c332280c567f9cb51d48160483fb

  • SHA1

    c56bfdf23c61a470a90c2e1f561ff64fae62641f

  • SHA256

    e67e641ce511895a6521b806dba4dac05275e05068097cc499d34171bcf3d565

  • SHA512

    2806b9c2712c4f3dddedc25c1259ed44f14654554d300bae5564e22946cea56d591d3999b7c1879d270ed2cceee931c3ea6f9da530e6c02516e497c694039736

  • SSDEEP

    12288:/7itWH9HbpA/qsYGEdCHuT7krkQ+ZHxzFlWxyag:aWH9HbpEqkEMOPkrkQY9

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\Sys\YAXB.exe
      "C:\Windows\system32\Sys\YAXB.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys\YAXB.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3356
    • C:\Users\Admin\AppData\Local\Temp\USInjector.exe
      "C:\Users\Admin\AppData\Local\Temp\USInjector.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@9E05.tmp

    Filesize

    4KB

    MD5

    b429300c8148810d2e6a8d40009fc124

    SHA1

    93ec9660cc0d68cadc6c7f44b35ea0a0ef684ae8

    SHA256

    98445d51b61014815fc43e44933e5dc126c4fe763545141e78ee1358e487b4b7

    SHA512

    47a1cfdba6c1e04a322116538a62b22d61cf6b31966e53cfe4e54eb75a58530a7636e3deffcfb7e96ff2bdae2b99c7bcb312685d1ceac2f79c118f6347bf2407

  • C:\Users\Admin\AppData\Local\Temp\USInjector.exe

    Filesize

    415KB

    MD5

    751ca68871ce93aae13403cee81de1d9

    SHA1

    7e471c4621042d2c107ad0c79f5564a5557d250f

    SHA256

    00e1a87df451c063de412530069494eed3805252ae5c1c66d5464017186b3e1d

    SHA512

    cd7794ed1bc025982772fee1ba6ba94846506b8a2787dd3ae3b95d8111553ce9490f7a50d3b4810fa612bbbf8b13588a8008ac1b7f958336aa21ff6836b56c50

  • C:\Windows\SysWOW64\Sys\AKV.exe

    Filesize

    387KB

    MD5

    bcf6fab667525797024d0962e41e9b7b

    SHA1

    86b3d41b65eb4ed85c6610a4bb595df787bb2a6a

    SHA256

    916385eb000bc6011cac9b11d89fd08ffaaddf7d727f9c9bf0764bbcf905b877

    SHA512

    7e04832d129e3bacb4d4d83259ec02e1e6f5da4da742dbbf010345ccd90a0547e12fcca68da3cff284687a112f570ca269596512605715b3477ae99933afc82c

  • C:\Windows\SysWOW64\Sys\YAXB.001

    Filesize

    3KB

    MD5

    1d7c95473b71b9caaf21c483e96f7291

    SHA1

    342865834443aa069a2535e9f73d825254f15920

    SHA256

    e72fc05ad1a830df298ed7e21e968be71d3bae5106ac3fa765d75ad89dacc3c2

    SHA512

    d42c0ca67ae367fc052931ed7dcd630bdf59ab8c944f0f10278c27a1eaacac85aa9d6381244d738d228e1a7afd9afd41477b4d5f8f066a4d2b5b76504c9cbcfc

  • C:\Windows\SysWOW64\Sys\YAXB.004

    Filesize

    15KB

    MD5

    91d6e82c612b8184d9fb7398ca4c7134

    SHA1

    12e2dc30f5fae76c784c816ee0481f0d85141d7b

    SHA256

    577ae555d810ee950f4bfabc8a0f31b19eb81f69e9177608bff6fa96d04d6968

    SHA512

    5672e2e5309db4e29a68b3e21d0da59b1b8485303c59007b3af27946903d1a8134bd8df300e7446da6eadf054b3bf81c393ddcb5775e658db029dc71de8448dd

  • C:\Windows\SysWOW64\Sys\YAXB.006

    Filesize

    5KB

    MD5

    3a2ef41ad6d9415229e0b76ec6df1baf

    SHA1

    e72f2c0d664a4d2323872bd1f586ec60bb0a6342

    SHA256

    b7e321cf9dacead275e600c2b531e96a62c671e0a2d641e141acbefb509adf2b

    SHA512

    b8d5f62e7da21d4114f8764afb16bc409921935d3440f8e712740a50dd7a01f850cfda31f0a4b41e4f514d6bb64e407a83e8e034e5be65cddde27817c728caeb

  • C:\Windows\SysWOW64\Sys\YAXB.007

    Filesize

    4KB

    MD5

    cb576a1e67ddeb42dc0e23a541cefdb8

    SHA1

    9684e67a013de4f0f5066856f553674db0f2749c

    SHA256

    8a9a4e62b646f072f6c1b5415b8461af96db307f59c4d32c9e4f455477ffc221

    SHA512

    e173475fbf9541daa6790133ceef4b8af414491c0a198e356ba1b1c2fcbdcf7044e8b8ae22d72f39b2b7b888e254fd742b9b09ae3c4e63fa64b5171508247942

  • C:\Windows\SysWOW64\Sys\YAXB.exe

    Filesize

    468KB

    MD5

    4b64ea8b01e25e1af067d11698778ce4

    SHA1

    20c4d03590cc3ef10e0b3ddbfcdf6fbb41149847

    SHA256

    08b9f18c1098036ae8830caae054c451c66478490dcd4c653a01abaa937ee7c5

    SHA512

    5bea198540fa4dd9234017ec3e7a0cf79da4d3bc53cb715a3a6335567c08ff0871b886d6f4dd80e9f4e9df4cac8be392fc7d0e3456c14624583c6cf337ce65d0

  • memory/980-35-0x0000000000580000-0x0000000000581000-memory.dmp

    Filesize

    4KB

  • memory/980-38-0x0000000000580000-0x0000000000581000-memory.dmp

    Filesize

    4KB