Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 12:11
Static task: static1
Behavioral task: behavioral1
  Sample: d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe
Size: 1.3MB
MD5: d2624e9e60cddb53b78bf2b489b44a78
SHA1: 3885dbdb9721df95545d158a9009e82f15183bde
SHA256: df6764f8905bee1924b5a41f4b7dc5a4a91d6c3d3f2c9b5b15e2742bbf1663f7
SHA512: c89d95548d47f5fb0e939fc2a1f894022de5062d25092d142bf02654553a7fbaafc75b9ae1f9547bfcb4fead7e58d5ae9bc1b41cbf162e4e1fd87a0c6c0fba24
SSDEEP: 24576:1b6z0hJADmZNqCdqhb3C4MfLGTSyx8IaZkmWXP0/ZxwDW0Ax5DZlUjEuL9X:R+0b891b3CtKGyC1kTP0/ZGDu51lUjEi
Malware Config
Signatures
Ardamax family

Ardamax main executable (1 IoC)
  resource | yara_rule
  behavioral1/files/0x000700000001925e-18.dat | family_ardamax

Executes dropped EXE (2 IoCs)
  pid | Process
  2716 | Funny.exe
  2528 | BWM.exe

Loads dropped DLL (8 IoCs)
  pid | Process
  1964 | d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe
  2716 | Funny.exe
  2716 | Funny.exe
  2716 | Funny.exe
  2528 | BWM.exe
  2528 | BWM.exe
  2528 | BWM.exe
  2720 | NOTEPAD.EXE

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BWM Start = "C:\\Windows\\SysWOW64\\VQJWLQ\\BWM.exe" | BWM.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\VQJWLQ\AKV.exe | Funny.exe
  File created | C:\Windows\SysWOW64\VQJWLQ\BWM.exe | Funny.exe
  File opened for modification | C:\Windows\SysWOW64\VQJWLQ\ | BWM.exe
  File created | C:\Windows\SysWOW64\VQJWLQ\BWM.004 | Funny.exe
  File created | C:\Windows\SysWOW64\VQJWLQ\BWM.001 | Funny.exe
  File created | C:\Windows\SysWOW64\VQJWLQ\BWM.002 | Funny.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BWM.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Funny.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2528 | BWM.exe
  2528 | BWM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: 33 | 2528 | BWM.exe
  Token: SeIncBasePriorityPrivilege | 2528 | BWM.exe
  Token: SeIncBasePriorityPrivilege | 2528 | BWM.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2528 | BWM.exe
  2528 | BWM.exe
  2528 | BWM.exe
  2528 | BWM.exe

Suspicious use of WriteProcessMemory (28 IoCs; identical entries collapsed, count in the last column)
  description | pid | Process | procid_target | entries
  PID 1964 wrote to memory of 2716 | 1964 | d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe | 30 | 7
  PID 1964 wrote to memory of 2720 | 1964 | d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe | 31 | 7
  PID 2716 wrote to memory of 2528 | 2716 | Funny.exe | 32 | 7
  PID 2528 wrote to memory of 2152 | 2528 | BWM.exe | 33 | 7
Processes

1. C:\Users\Admin\AppData\Local\Temp\d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe (PID 1964)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Funny.exe (PID 2716, child of 1964)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Funny.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\VQJWLQ\BWM.exe (PID 2528, child of 2716)
         Command line: "C:\Windows\system32\VQJWLQ\BWM.exe"
         (The command line names system32; for this 32-bit process WOW64 file-system redirection resolves that to SysWOW64, which is the image path shown.)
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe (PID 2152, child of 2528)
            Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\VQJWLQ\BWM.exe > nul
            - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2720, child of 1964)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\New Text Document.txt
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
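The signature tables and the process tree above describe one chain: a dropper running from the user's Temp directory writes into a SysWOW64 subdirectory, the dropped BWM.exe registers itself under a Run key, and a cmd.exe child then runs `del` against that same path. The block below is an added example and is not part of the sandbox report or of any vendor's tooling: it turns those behaviours into host-side checks and runs them over a handful of Sysmon-style events. The field names (EventType, Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details, Hashes) are an assumption modelled on Sysmon's EventData, and the events themselves are constructed here to mirror the report's process tree, not captured from a host.

```python
"""Added example: host-side checks derived from the sandbox report, run over
constructed Sysmon-style events.  Field names are an assumption modelled on
Sysmon EventData; the events are constructed, not captured."""
import re

# SHA256 values copied from the report: the submitted sample and the six listed files.
REPORT_SHA256 = {
    "df6764f8905bee1924b5a41f4b7dc5a4a91d6c3d3f2c9b5b15e2742bbf1663f7",
    "ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53",
    "177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec",
    "32ea211e684d48f90fed84fe48ce1d3ea48343b57e292b86415eeec4a5cdd2e4",
    "cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da",
    "e28247aeaa2db782bc9754f266c6db5bc90dfd9fa6a207a0787060b2fec44e99",
    "c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca",
}

RUN_KEY_RE = re.compile(r"\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SYSWOW_SUBDIR_RE = re.compile(r"^C:\\Windows\\SysWOW64\\[^\\]+\\", re.I)  # e.g. ...\SysWOW64\VQJWLQ\
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DEL_TARGET_RE = re.compile(r"\bdel\s+\"?([^\s\">]+)", re.I)  # path after 'del', quotes dropped


def sha256_of(event):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; return the SHA256 lower-cased ('' if absent)."""
    pairs = (h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
    return dict(pairs).get("SHA256", "").lower()


def check_events(events):
    """Return (rule, detail) hits in event order.  The rules mirror the report:
    a known hash, a Temp-resident process creating files in a SysWOW64 subdirectory,
    a Run key pointing into such a directory, and a cmd.exe child deleting its
    parent's image (and, if that image was the Run-key value, the persisted binary)."""
    hits = []
    persisted = set()  # Run-key values seen so far, lower-cased
    for ev in events:
        kind = ev["EventType"]
        if kind == "RegistryValueSet" and RUN_KEY_RE.search(ev["TargetObject"]):
            value = ev["Details"].strip('"')
            persisted.add(value.lower())
            if SYSWOW_SUBDIR_RE.match(value):
                hits.append(("run_key_to_syswow64_subdir", ev["TargetObject"]))
        elif kind == "FileCreate":
            if SYSWOW_SUBDIR_RE.match(ev["TargetFilename"]) and USER_TEMP_RE.match(ev["Image"]):
                hits.append(("temp_process_drops_into_syswow64", ev["TargetFilename"]))
        elif kind == "ProcessCreate":
            if sha256_of(ev) in REPORT_SHA256:
                hits.append(("known_hash", ev["Image"]))
            if ev["Image"].lower().endswith("\\cmd.exe"):
                m = DEL_TARGET_RE.search(ev["CommandLine"])
                target = m.group(1).lower() if m else None
                if target and target == ev["ParentImage"].lower():
                    hits.append(("parent_self_delete_via_cmd", ev["ParentImage"]))
                if target and target in persisted:
                    hits.append(("persisted_binary_deleted", m.group(1)))
    return hits


# Constructed events mirroring the report's process tree (not captured data).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d2624e9e60cddb53b78bf2b489b44a78_JaffaCakes118.exe"
BWM = r"C:\Windows\SysWOW64\VQJWLQ\BWM.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"',
     "Hashes": "SHA256=DF6764F8905BEE1924B5A41F4B7DC5A4A91D6C3D3F2C9B5B15E2742BBF1663F7"},
    {"EventType": "FileCreate", "Image": r"C:\Users\Admin\AppData\Local\Temp\Funny.exe",
     "TargetFilename": BWM},
    {"EventType": "RegistryValueSet", "Image": BWM,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BWM Start",
     "Details": BWM},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": BWM,
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\VQJWLQ\BWM.exe > nul',
     "Hashes": ""},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\NOTEPAD.EXE", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\New Text Document.txt',
     "Hashes": ""},
]

if __name__ == "__main__":
    for rule, detail in check_events(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

On a real host the same checks apply to Sysmon Event IDs 1 (process create), 11 (file create) and 13 (registry value set). One caveat the report itself illustrates: a 32-bit process may name `C:\Windows\system32\...` in its command line while the image actually lives under `SysWOW64`, so the self-delete rule above compares the `del` target with the parent's `Image` field and would miss a variant that spells the target with `system32`; normalise both sides if your telemetry records process bitness.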
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 485KB
MD5: b905540561802896d1609a5709c38795
SHA1: a265f7c1d428ccece168d36ae1a5f50abfb69e37
SHA256: ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53
SHA512: 7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

Filesize: 43KB
MD5: f195701cf2c54d6ceadad943cf5135b8
SHA1: 9beb03fc097fc58d7375b0511b87ced98a423a08
SHA256: 177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec
SHA512: f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

Filesize: 1KB
MD5: be3db2bf5f4a6830b22415651625d7f3
SHA1: f8a41ec6af3e270b19c64a84dce6abcfd544e9be
SHA256: 32ea211e684d48f90fed84fe48ce1d3ea48343b57e292b86415eeec4a5cdd2e4
SHA512: a832c3071233f30971f53567cd01a8b073e7cc7b3bbaeaa5dc80eaebdf805d8645272d9da4f7942167cb0da1dd9c6e4c85f8a981d1dd89178c0536b820ba2dfd

Filesize: 1.7MB
MD5: d95623e481661c678a0546e02f10f24c
SHA1: b6949e68a19b270873764585eb1e82448d1e0717
SHA256: cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da
SHA512: dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

Filesize: 1.2MB
MD5: e3880e06ac84780252ba68f3d9541f39
SHA1: 011ff4cdb9cb86e7c7e6c6b975c187cf129c3e9f
SHA256: e28247aeaa2db782bc9754f266c6db5bc90dfd9fa6a207a0787060b2fec44e99
SHA512: 7111904dd86249d9efe2651b905f3792479b3b524bd33848e758e584c5ceebdeabe7f904dd72314a56cbdbe31f15bfb23d99904ad5125bf26653e80fedeba186

Filesize: 61KB
MD5: 0e7e847fb96b4faa6cb4d3707a96887e
SHA1: 896fd4064044e271312e9128e874108eec69521f
SHA256: c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca
SHA512: ad680ed30b0cabe1be4e7237b8e620060de9c5f64d088d21a6acf6f293551ab4abc10f8f959aa6041e19aeaea538e72beeecc29b7669546a9a151141d4e73684