Analysis

max time kernel: 93s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2024 13:11
Static task: static1

Behavioral task: behavioral1
  Sample: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
Size: 575KB
MD5: a800c332280c567f9cb51d48160483fb
SHA1: c56bfdf23c61a470a90c2e1f561ff64fae62641f
SHA256: e67e641ce511895a6521b806dba4dac05275e05068097cc499d34171bcf3d565
SHA512: 2806b9c2712c4f3dddedc25c1259ed44f14654554d300bae5564e22946cea56d591d3999b7c1879d270ed2cceee931c3ea6f9da530e6c02516e497c694039736
SSDEEP: 12288:/7itWH9HbpA/qsYGEdCHuT7krkQ+ZHxzFlWxyag:aWH9HbpEqkEMOPkrkQY9
Malware Config
Signatures

Ardamax family

Ardamax main executable (1 IoC)
  resource: behavioral2/files/0x0007000000023c9f-12.dat   yara_rule: family_ardamax

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation   Process: YAXB.exe

Executes dropped EXE (2 IoCs)
  PID 980   YAXB.exe
  PID 224   USInjector.exe

Loads dropped DLL (3 IoCs)
  PID 1704  a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  PID 980   YAXB.exe
  PID 224   USInjector.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YAXB = "C:\\Windows\\SysWOW64\\Sys\\YAXB.exe"   Process: YAXB.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (8 IoCs)
  File opened for modification: C:\Windows\SysWOW64\Sys   Process: YAXB.exe
  File created: C:\Windows\SysWOW64\Sys\YAXB.001   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\YAXB.006   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\YAXB.007   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\YAXB.exe   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\AKV.exe    Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\YAXB.004   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sys\YAXB.003   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: YAXB.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: USInjector.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: cmd.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege             PID 224   USInjector.exe
  Token: 33                           PID 980   YAXB.exe
  Token: SeIncBasePriorityPrivilege   PID 980   YAXB.exe
  Token: SeIncBasePriorityPrivilege   PID 980   YAXB.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 980   YAXB.exe
  PID 980   YAXB.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 980   YAXB.exe
  PID 980   YAXB.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 980   YAXB.exe
  PID 980   YAXB.exe
  PID 980   YAXB.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1704 wrote to memory of 980    Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe   procid_target: 82
  PID 1704 wrote to memory of 980    Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe   procid_target: 82
  PID 1704 wrote to memory of 980    Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe   procid_target: 82
  PID 1704 wrote to memory of 224    Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe   procid_target: 83
  PID 1704 wrote to memory of 224    Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe   procid_target: 83
  PID 1704 wrote to memory of 224    Process: a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe   procid_target: 83
  PID 980 wrote to memory of 3356    Process: YAXB.exe   procid_target: 93
  PID 980 wrote to memory of 3356    Process: YAXB.exe   procid_target: 93
  PID 980 wrote to memory of 3356    Process: YAXB.exe   procid_target: 93
Processes

C:\Users\Admin\AppData\Local\Temp\a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a800c332280c567f9cb51d48160483fb_JaffaCakes118.exe"
  PID: 1704
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Sys\YAXB.exe
    Command line: "C:\Windows\system32\Sys\YAXB.exe"
    PID: 980
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys\YAXB.exe > nul
      PID: 3356
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\USInjector.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\USInjector.exe"
    PID: 224
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads