Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 13:34
Static task: static1
Behavioral task: behavioral1
  Sample: a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
Size: 3.5MB
MD5: a81604d0c7b6350b40bd0635ce4328d0
SHA1: 3622fe4c275e411a46b2554a8a7ee7a2396963aa
SHA256: e8a799c07a4b4beabe65eb402c920a8492b4738d2ff2b41f925912d0c7371c84
SHA512: 1f0e960e1b7b6f9d6b8106f0e20e19247d99764095c58a4d37728e1d23b65b264b198452ca8f18365d91ff9315e3c5e09404e436e8d8fbbed12583ac8b332613
SSDEEP: 24576:vjX2TdqIQz+gdNvpmeryhm1iXhPD93arPRQQlMErsv3kMQyLU0w8kU7x7vFqWDfD:Qm16nWRPlnrs4dj8pw6YannJWkdoHC
Malware Config
Signatures

Ardamax family

Ardamax main executable (1 IoCs)
  resource | yara_rule
  behavioral1/files/0x0006000000019240-36.dat | family_ardamax

Executes dropped EXE (1 IoCs)
  pid | Process
  2684 | LOU.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  2960 | vbc.exe
  2684 | LOU.exe
  2620 | DllHost.exe
  2960 | vbc.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LOU Start = "C:\\Windows\\SysWOW64\\VKVXBC\\LOU.exe" | LOU.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\VKVXBC\LOU.004 | vbc.exe
  File created | C:\Windows\SysWOW64\VKVXBC\LOU.001 | vbc.exe
  File created | C:\Windows\SysWOW64\VKVXBC\LOU.002 | vbc.exe
  File created | C:\Windows\SysWOW64\VKVXBC\AKV.exe | vbc.exe
  File created | C:\Windows\SysWOW64\VKVXBC\LOU.exe | vbc.exe
  File opened for modification | C:\Windows\SysWOW64\VKVXBC\ | LOU.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2172 set thread context of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Raphael.jpg | vbc.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Raphael.jpg | DllHost.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LOU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 2684 | LOU.exe
  Token: SeIncBasePriorityPrivilege | 2684 | LOU.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2620 | DllHost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2684 | LOU.exe
  2684 | LOU.exe
  2684 | LOU.exe
  2684 | LOU.exe
  2620 | DllHost.exe
  2620 | DllHost.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2172 wrote to memory of 2960 | 2172 | a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | 29
  PID 2960 wrote to memory of 2684 | 2960 | vbc.exe | 30
  PID 2960 wrote to memory of 2684 | 2960 | vbc.exe | 30
  PID 2960 wrote to memory of 2684 | 2960 | vbc.exe | 30
  PID 2960 wrote to memory of 2684 | 2960 | vbc.exe | 30
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe"
  PID: 2172
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 2960
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\VKVXBC\LOU.exe
      Command line: "C:\Windows\system32\VKVXBC\LOU.exe"
      PID: 2684
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

(depth 1) C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2620
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads