Analysis
-
max time kernel
95s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 10:01
Static task
static1
Behavioral task
behavioral1
Sample
d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
-
Size
385KB
-
MD5
d1ddf3043d7e818ecdc49a916bcca0ec
-
SHA1
7cb2cfe49c16f75b97ecae782dba897e02f87cc5
-
SHA256
11c9cb9bbd091436fb485626d94f0e8098533d4a96358fb3bf15e763e68de9bd
-
SHA512
81f8475aa7cd555a4455cd74c4cf59a6f75234eb93680e1046fa2fc6701914bc19718f5e4ac7264654bdfb3b3f47def484a82c207a382c5d1fe0dbf18af55bbf
-
SSDEEP
6144:YAHNj9eotSOL0xB1vNGcDc768ytK1RcTCXiC6+ywakKd2dIFmJEY6DV:YANGxNNc7rD1KTPznQdIwEV
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral2/files/0x000a000000023ba1-12.dat family_ardamax -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 4852 NSK.exe 2376 TTaimbot unpatched.exe -
Loads dropped DLL 1 IoCs
pid Process 2524 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NSK = "C:\\Windows\\SysWOW64\\NSK.exe" NSK.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\NSK.007 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe File created C:\Windows\SysWOW64\NSK.exe d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\NSK.001 NSK.exe File created C:\Windows\SysWOW64\NSK.001 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe File created C:\Windows\SysWOW64\NSK.006 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 832 2376 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NSK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TTaimbot unpatched.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2524 wrote to memory of 4852 2524 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe 82 PID 2524 wrote to memory of 4852 2524 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe 82 PID 2524 wrote to memory of 4852 2524 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe 82 PID 2524 wrote to memory of 2376 2524 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe 83 PID 2524 wrote to memory of 2376 2524 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe 83 PID 2524 wrote to memory of 2376 2524 d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\NSK.exe"C:\Windows\system32\NSK.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4852
-
-
C:\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe"C:\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 3123⤵
- Program crash
PID:832
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2376 -ip 23761⤵PID:2756
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5ccfd350414f3804bbb32ddd7eb3f6153
SHA1e91d270b8481d456a3beabf617ef3379a93f1137
SHA2561dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3
SHA512328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd
-
Filesize
235KB
MD5fba2a6d4fdb061ad0069ab811d39d868
SHA146bd1a1af3e6a7f8d5fcca320e93082880707a7d
SHA2563c29c08ea6b529eeb3f47b757646f59f191236d6edfe53dd3174e620a6a09881
SHA5123635c563856d3927e4dcffb0c7997a76fd8a457e1ea1eb16aea55317080796421fe9582494922806d02a339c4141078cc3f1df42c7a46b8ff4f88f4c5bd4902a
-
Filesize
1KB
MD51629ed2fe828bc2480af878053772c5e
SHA122c254d5f3f889732ee766199ecbfc4300575b9c
SHA2562af1d9c3da29d64c6275608693e52ccc949d3e442b6c646dfb525c81e281564a
SHA51225ce7f73d6ec8d3255c96d2b366893ab2736d6496d3dc9f77cb9f2f1412badbe9c588149882e87d144fcb6b2f7d1453f9a10af7710df63264fcd1e30475f0692
-
Filesize
239KB
MD52bada91f44e2a5133a5c056b31866112
SHA19fbe664832d04d79f96fa090191b73d9811ef08d
SHA256c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02
SHA512dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41