Analysis

- max time kernel: 145s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2024 07:58

Static task: static1
Behavioral task: behavioral1
Sample: ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
Resource: win7-20240903-en
General

- Target: ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
- Size: 675KB
- MD5: ab96d11e6643d675c853f83753b51c1e
- SHA1: f388ead80109ec4f714d48e841ae9188f89b61ee
- SHA256: d9c06711926d23d2c0b85447a75e0b5ba6af0d94afcb79cfb6915c72ada1b135
- SHA512: d13b965dae013d6ea2d681c63450fad4c0f18cbd3afac211b84eac3064920f13d3cdd4c4476843cab463195431cb52f7eb99393a227421d8bf89d33488315c95
- SSDEEP: 12288:fTdED8z8zfnAUU2YgzPo3QL/wkZOrPm9lU9e7NYAg+q:pEuym2YgzPCQLxOrPmlU9SN5Lq
Malware Config

Signatures

- Ardamax family

- Ardamax main executable (1 IoC)
  resource | yara_rule
  behavioral2/files/0x000a000000023b96-12.dat | family_ardamax

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  644 | system32UXNG.exe
  1740 | LogitechMaster.exe

- Loads dropped DLL (7 IoCs)
  pid | Process
  4572 | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
  644 | system32UXNG.exe (3 entries)
  1740 | LogitechMaster.exe (3 entries)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32UXNG Agent = "C:\\Windows\\system32UXNG.exe" | system32UXNG.exe

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- yara_rule: upx (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x000a000000023b98-21.dat | upx
  behavioral2/memory/1740-29-0x0000000000400000-0x0000000000495000-memory.dmp | upx
  behavioral2/memory/1740-42-0x0000000000400000-0x0000000000495000-memory.dmp | upx
  behavioral2/memory/1740-47-0x0000000000400000-0x0000000000495000-memory.dmp | upx

- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32UXNG.001 | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
  File created | C:\Windows\system32UXNG.006 | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
  File created | C:\Windows\system32UXNG.007 | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
  File created | C:\Windows\system32UXNG.exe | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
  File created | C:\Windows\system32AKV.exe | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32UXNG.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LogitechMaster.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe

- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid | Process
  1740 | LogitechMaster.exe (22 entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: 33 | 644 | system32UXNG.exe
  Token: SeIncBasePriorityPrivilege | 644 | system32UXNG.exe
  Token: SeDebugPrivilege | 1740 | LogitechMaster.exe

- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  644 | system32UXNG.exe (5 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4572 wrote to memory of 644 | 4572 | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe | 82 (3 entries)
  PID 4572 wrote to memory of 1740 | 4572 | ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe | 83 (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab96d11e6643d675c853f83753b51c1e_JaffaCakes118.exe"
  PID: 4572
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32UXNG.exe (child of PID 4572)
    Command line: "C:\Windows\system32UXNG.exe"
    PID: 644
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  - C:\Users\Admin\AppData\Local\Temp\LogitechMaster.exe (child of PID 4572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LogitechMaster.exe"
    PID: 1740
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads