Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 12:11

General

  • Target

    d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    d2624e9e60cddb53b78bf2b489b44a78

  • SHA1

    3885dbdb9721df95545d158a9009e82f15183bde

  • SHA256

    df6764f8905bee1924b5a41f4b7dc5a4a91d6c3d3f2c9b5b15e2742bbf1663f7

  • SHA512

    c89d95548d47f5fb0e939fc2a1f894022de5062d25092d142bf02654553a7fbaafc75b9ae1f9547bfcb4fead7e58d5ae9bc1b41cbf162e4e1fd87a0c6c0fba24

  • SSDEEP

    24576:1b6z0hJADmZNqCdqhb3C4MfLGTSyx8IaZkmWXP0/ZxwDW0Ax5DZlUjEuL9X:R+0b891b3CtKGyC1kTP0/ZGDu51lUjEi

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\Funny.exe
      "C:\Users\Admin\AppData\Local\Temp\Funny.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\VQJWLQ\BWM.exe
        "C:\Windows\system32\VQJWLQ\BWM.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\VQJWLQ\BWM.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2152
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\New Text Document.txt
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\VQJWLQ\AKV.exe

    Filesize

    485KB

    MD5

    b905540561802896d1609a5709c38795

    SHA1

    a265f7c1d428ccece168d36ae1a5f50abfb69e37

    SHA256

    ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53

    SHA512

    7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

  • C:\Windows\SysWOW64\VQJWLQ\BWM.002

    Filesize

    43KB

    MD5

    f195701cf2c54d6ceadad943cf5135b8

    SHA1

    9beb03fc097fc58d7375b0511b87ced98a423a08

    SHA256

    177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

    SHA512

    f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

  • C:\Windows\SysWOW64\VQJWLQ\BWM.004

    Filesize

    1KB

    MD5

    be3db2bf5f4a6830b22415651625d7f3

    SHA1

    f8a41ec6af3e270b19c64a84dce6abcfd544e9be

    SHA256

    32ea211e684d48f90fed84fe48ce1d3ea48343b57e292b86415eeec4a5cdd2e4

    SHA512

    a832c3071233f30971f53567cd01a8b073e7cc7b3bbaeaa5dc80eaebdf805d8645272d9da4f7942167cb0da1dd9c6e4c85f8a981d1dd89178c0536b820ba2dfd

  • C:\Windows\SysWOW64\VQJWLQ\BWM.exe

    Filesize

    1.7MB

    MD5

    d95623e481661c678a0546e02f10f24c

    SHA1

    b6949e68a19b270873764585eb1e82448d1e0717

    SHA256

    cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

    SHA512

    dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

  • \Users\Admin\AppData\Local\Temp\Funny.exe

    Filesize

    1.2MB

    MD5

    e3880e06ac84780252ba68f3d9541f39

    SHA1

    011ff4cdb9cb86e7c7e6c6b975c187cf129c3e9f

    SHA256

    e28247aeaa2db782bc9754f266c6db5bc90dfd9fa6a207a0787060b2fec44e99

    SHA512

    7111904dd86249d9efe2651b905f3792479b3b524bd33848e758e584c5ceebdeabe7f904dd72314a56cbdbe31f15bfb23d99904ad5125bf26653e80fedeba186

  • \Windows\SysWOW64\VQJWLQ\BWM.001

    Filesize

    61KB

    MD5

    0e7e847fb96b4faa6cb4d3707a96887e

    SHA1

    896fd4064044e271312e9128e874108eec69521f

    SHA256

    c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca

    SHA512

    ad680ed30b0cabe1be4e7237b8e620060de9c5f64d088d21a6acf6f293551ab4abc10f8f959aa6041e19aeaea538e72beeecc29b7669546a9a151141d4e73684