Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 19:31
Static task
static1
Behavioral task
behavioral1
Sample
d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
-
Size
3.5MB
-
MD5
d3427fd297a83c3cd7cc0117f200ed7e
-
SHA1
90bf7162b9c91a825598341a4a76cd3b333beebd
-
SHA256
3bd530438baa822c20f13c3858b2630a8fc417267a50cd87e51b1f6bc4389045
-
SHA512
3a954af93c20886c0827baea696124cc9c0ec04e28b64e9c77bccfd856381b852e34591c063179c6c1a4703de2123b8e21349e2e7e3b1c0e0cbbc33c22255d07
-
SSDEEP
49152:TXTXJo5wuKZ7I8PZyFbAxJxgYtTnX6uzIpMzqJbWx6YuAt1ykJmIspS38e3JCP:nK9YZyoxnTjhW5dmFJ5BbYP
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral1/files/0x0006000000019377-6.dat family_ardamax -
Executes dropped EXE 2 IoCs
pid Process 2496 JAU.exe 2256 UpLauncher.exe -
Loads dropped DLL 4 IoCs
pid Process 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 2496 JAU.exe 2256 UpLauncher.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JAU Start = "C:\\Windows\\SysWOW64\\BWFWHY\\JAU.exe" JAU.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\BWFWHY\JAU.exe d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\BWFWHY\ JAU.exe File created C:\Windows\SysWOW64\BWFWHY\JAU.004 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe File created C:\Windows\SysWOW64\BWFWHY\JAU.001 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe File created C:\Windows\SysWOW64\BWFWHY\JAU.002 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe File created C:\Windows\SysWOW64\BWFWHY\AKV.exe d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JAU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UpLauncher.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2496 JAU.exe Token: SeIncBasePriorityPrivilege 2496 JAU.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2496 JAU.exe 2496 JAU.exe 2496 JAU.exe 2496 JAU.exe 2256 UpLauncher.exe 2256 UpLauncher.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2192 wrote to memory of 2496 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 28 PID 2192 wrote to memory of 2496 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 28 PID 2192 wrote to memory of 2496 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 28 PID 2192 wrote to memory of 2496 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 28 PID 2192 wrote to memory of 2256 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 29 PID 2192 wrote to memory of 2256 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 29 PID 2192 wrote to memory of 2256 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 29 PID 2192 wrote to memory of 2256 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 29 PID 2192 wrote to memory of 2256 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 29 PID 2192 wrote to memory of 2256 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 29 PID 2192 wrote to memory of 2256 2192 d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\BWFWHY\JAU.exe"C:\Windows\system32\BWFWHY\JAU.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Users\Admin\AppData\Local\Temp\UpLauncher.exe"C:\Users\Admin\AppData\Local\Temp\UpLauncher.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2256
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.7MB
MD52d37598a87882977d38453517356648d
SHA1d2326eb0752311647e0554467995c8c5902c481e
SHA2564112a7ea3445b41a3b218bfa548778b478f83043654d0d4da13ffb9610dbb58d
SHA512e4f382736c358aa1ccc6afe61e499bba482184dc7d067f3152645c2d879359d815dc4ee3c359f43d5bf05c8c4a49fe5e35b3c6ed04fc50940afebaa52e66d787
-
Filesize
1KB
MD56aa67b7c26e87c2dfcf5ea8929c72135
SHA10ad647cfd3d432117de4aaaea3d09fce57cb9ae5
SHA2562380f759caabac119fee0367357ec52c0accc186e3ad8e03e2cc261e268c1f6d
SHA512660648ef4e47425cecc39e2c14a31093267cc55b561a4c51b383db623d2ca84dc76a5edebc76ff9efa97d1b03c0ac3ad3839da775c60d6d25aa325918e3308c0
-
Filesize
4KB
MD5c75d5836b1e87b7879f3d2883b00d0b9
SHA113eb6f8cc6848ce61ce2156bbfdbe55e15160678
SHA2568ad0ea23768956f058abf42856dbdb99d9a47296296c146e225ee543e7674ad6
SHA5124d9b5d9fe74daa79f971320a77831712901f519f7ca09ed126a464febfd3af212be46ef9f85400c3fe8c2e5ef46ef8848db90919330f807adaf493bccd4b81c4
-
Filesize
456KB
MD5a65c554c77c4607a4efdef07b9503fb9
SHA14faa215bd772deb3223dac1601972fce2f6c05f1
SHA2567d32aa95d682ac91df6efa4efc01e5675f69e72fc9821632006111df44e08d7c
SHA51244be9403aff24e3bdb886a883b7ad8fa06950d969ef1588c4dab43fcc030768d4797fd4ce645ddfe49949d6a97fac5061f2d840ab086b5e43189e5adb441438a
-
Filesize
61KB
MD55901282271c72b6effd11d0ec9c17547
SHA1729945fc0534bd5203dbe02b2dcdf33d0edb84e1
SHA256395e86709d918c7954ee97baaa34634ede86a2af233ac175c15ae3107f2e9a28
SHA51205e92fad30ab5d89ebb6eb33fdc76ef9575dbf4c7d649782fd902010a11505a7499b38a4aceccf46e5f8b31617b730a0436cf821442b59dcdeec71ecc2a90a17
-
Filesize
43KB
MD5c04e0de732e8f56b401e409c4417149c
SHA17b260b3600345fb72af9fd0e4025b4a125c8dd08
SHA2560d359c2c70001f56c14e7e29a12456c82606bb9a46f9db1f8216a9087775dec6
SHA512d9e2bf02bcb144a8c37e05cb2544ca46fe93e1f2b5a4e08832d533ab9348ddb9153b5c36efa4186d625a80af5d546331d740a13f43c5195ccb4829c98eaa69b0
-
Filesize
1KB
MD58981cce7d43aff9ec41fe1ea77a3c909
SHA13d2632b9e522073ce41fd0067c5b1408306218ad
SHA2564fd7411c72345cd8dac96c82370249817e53557bc5025509b720a28511bccdb9
SHA512fec7c8c77c7209957163f3ad3ab54a762fb1e225898af4c5db8b879def45f4a00ecaaf4cdf082e04435ada676faaf19ff2ae39f5afe986d7b16ade7eb0c6ec34
-
Filesize
1.5MB
MD582dc38922620ab6a5850f391584d2657
SHA1ef30f091ff7aa242600f19e87f2b7b0cd7b0764f
SHA256b464e42b8dfef6629030283e19c20bcc69d6d7c1bf9bb7e8df472f762debcea2
SHA5124ec72c1d1599721ee1205f46a74a71fb67801e4d7aa6ca55907c2461a03c41cc3e1333e0b4ed9631b92e2310f45bf27cf865a5cc7ee2507e92f58cdb467023e8