Analysis
max time kernel: 121s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2024 13:34
Static task: static1
Behavioral task: behavioral1
  Sample: a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
Size: 3.5MB
MD5: a81604d0c7b6350b40bd0635ce4328d0
SHA1: 3622fe4c275e411a46b2554a8a7ee7a2396963aa
SHA256: e8a799c07a4b4beabe65eb402c920a8492b4738d2ff2b41f925912d0c7371c84
SHA512: 1f0e960e1b7b6f9d6b8106f0e20e19247d99764095c58a4d37728e1d23b65b264b198452ca8f18365d91ff9315e3c5e09404e436e8d8fbbed12583ac8b332613
SSDEEP: 24576:vjX2TdqIQz+gdNvpmeryhm1iXhPD93arPRQQlMErsv3kMQyLU0w8kU7x7vFqWDfD:Qm16nWRPlnrs4dj8pw6YannJWkdoHC
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoCs)
  resource: behavioral2/files/0x0007000000023c86-17.dat | yara_rule: family_ardamax
- Executes dropped EXE (1 IoCs)
  pid 1684 | process LOU.exe
- Loads dropped DLL (1 IoCs)
  pid 1684 | process LOU.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOU Start = "C:\\Windows\\SysWOW64\\VKVXBC\\LOU.exe" | process LOU.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\VKVXBC\LOU.004 | process vbc.exe
  File created: C:\Windows\SysWOW64\VKVXBC\LOU.001 | process vbc.exe
  File created: C:\Windows\SysWOW64\VKVXBC\LOU.002 | process vbc.exe
  File created: C:\Windows\SysWOW64\VKVXBC\AKV.exe | process vbc.exe
  File created: C:\Windows\SysWOW64\VKVXBC\LOU.exe | process vbc.exe
  File opened for modification: C:\Windows\SysWOW64\VKVXBC\ | process LOU.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1240 set thread context of 5012 | pid 1240 | process a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | procid_target 84
- Drops file in Windows directory (1 IoCs)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Raphael.jpg | process vbc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process vbc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process LOU.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 | pid 1684 | process LOU.exe
  Token: SeIncBasePriorityPrivilege | pid 1684 | process LOU.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 1684 | process LOU.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1240 wrote to memory of 5012 | pid 1240 | process a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe | procid_target 84 (10 identical entries)
  PID 5012 wrote to memory of 1684 | pid 5012 | process vbc.exe | procid_target 85 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe (PID 1240)
   command line: "C:\Users\Admin\AppData\Local\Temp\a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 5012)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\VKVXBC\LOU.exe (PID 1684)
         command line: "C:\Windows\system32\VKVXBC\LOU.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 459KB
  MD5: 3a96acb4dc45307f05fc177cf07742aa
  SHA1: f8d198305383ac8c1ef2c359a898d1d4f431576b
  SHA256: 14a550138c38cb91d2b9967dfd607bc4a46c6fa6d267a6f5e1c0131162d1527d
  SHA512: 3cba04fc5e3b85c4a7a33bda3ef96091e9763b1db6a76c2ad50a809ebc2232752c331807074b6ab1490182f97d052d24b6e550a74991f65c0b4cea557db87a0f
- Filesize: 61KB
  MD5: 661dbca8402ba82c0700f0adfa8a3ce5
  SHA1: f90fb758a2b76335be66497cd173fb0ef059516f
  SHA256: d8924592792dbc41ada0741375bf5960417676491a2696c9c1bffc5eea9c9d22
  SHA512: 774c35ec0938e1658f30c523babf5c393a1d4d3733f4b974ae734824b3afd690621c5a8be4541bd769c7181bd1468f86fe31a30a60445cc4897033f60459a4ca
- Filesize: 43KB
  MD5: 76a1d9ae4d761069b795d6e891855aa5
  SHA1: 1540e9abb812497007aee9885d1ea35e810defff
  SHA256: 02a1f41970ded0a4fb834db6ced2f54b432a29048831de7793bc0aa459970567
  SHA512: 4dc3af04fa7494ea67ef4f44bdb3c681d01ef8cd2ad37c98e5a1b41d7ef10efff1bf55c167f7faac9b0298773a5864d06fb860fee5724463f8eef2c1a978bbfa
- Filesize: 1KB
  MD5: 09f571f7a3fa4051039ec104aa6d3909
  SHA1: 6a003cf47e8a472a8094d98aafa3cdd356227dbd
  SHA256: fc43a94e90cde34f9ad906e203b5cc13e58e77ae1c937e49c716255e9c4cccd4
  SHA512: 0729beb496a0c88db5562c05620912c43e7d749609e73283ee4b8821c7d9c11147a6b8bde4c5b64cbec8a296b7693b3ac71589ff3586b1ee558bd2fd55b1c8fd
- Filesize: 1.7MB
  MD5: 9be3091aa81569ce6ae396c39a4bdd9e
  SHA1: 805d6fa574027836c13bdd1fae956fd55c0002e9
  SHA256: 74d1f43449380ab7960d9655d897d413010a2171e201ea7c8039a3c9a671fd46
  SHA512: e1627ecb79a5e4a5fafa1f31fe4c22c5f899eb4f0ea2887da9090b42d3ecba1a0540829b42064aad2779346dad493e25ad428703b932448c1d5973d46b6ba4e0