Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2024 17:29

General

  • Target

    dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    dabc537658c490f3bec6af67daec0092

  • SHA1

    a08e90f3157980d8a2f2daeb8cf9a88904835c8a

  • SHA256

    ab8f334d3e7167d5e2eab34072db4ffc93ea56bc536ce31ed0a9a9484ff41622

  • SHA512

    a3b815d0c500d56e4ba759794d1967f3d44153ef5e7925c506ae8d2f013be8eee08ccb26884cd0dd1fd28964ed1774ab33970fbe1f5dd5fcaeab86deacdd864d

  • SSDEEP

    24576:HbPTzpzDfr4exd/N3nXqH3tne0sMTfys7d+6jf4p71wJ44ZJl4MPWzovDnnzS:H7Ttzn42d/N3X/037M6cl24aJlHOW

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\AHLCIX\RRB.exe
      "C:\Windows\system32\AHLCIX\RRB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AHLCIX\RRB.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2028
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Purple drank.png

    Filesize

    510KB

    MD5

    9a3b62a65928262e5945761bce92a867

    SHA1

    87508bf5e666bdd4eb2b2965557ddb9b04ffb1fc

    SHA256

    8d8d86f2703bc845c950464364bfe6be604157d29f47b700d73a17a94f751440

    SHA512

    0129f3fd65a4e187bd3fbb6f511459d2bc26e05913a06dab6b695a86db7ec669a038639775beb4d05958bcd1a0ac56c5048de0ee1dceb980bb4ffc22c4fa4c64

  • C:\Windows\SysWOW64\AHLCIX\RRB.001

    Filesize

    61KB

    MD5

    8d8041fe45149cc7383c52f719c4d1d6

    SHA1

    ae81719657952ad493161bcf0788fb45357dc03e

    SHA256

    cd6a210bcc19fc0f301fe3fb0cc58318d275df9666057877f7dc56ff0c134531

    SHA512

    0eb1168a4596b4ca5fbe864e16e5ec3cb8fc7cd6a6407ee095a34d7d5dcaa4ca270022b00f1ece2ee9048b6fd29cfdad9a0900dbf5a75d7a69d09bfa73c23983

  • C:\Windows\SysWOW64\AHLCIX\RRB.002

    Filesize

    43KB

    MD5

    d977f26d7f7ffcb0f002813b55ff032d

    SHA1

    7e17b642dc1286908c18caba6fedb890de8fcc86

    SHA256

    2ce6c66843f0d0f156ae523f25d2cf4c9886fcae7b4f69deefbde4bc5328bf29

    SHA512

    e291f6acf5df88c52eb9232d55eb43fc08cbd423b7ae46148f710de909db49c04fc1d64e05b8e307ddd880134c525188109b94182ca99ea5934b66b9316e9e25

  • C:\Windows\SysWOW64\AHLCIX\RRB.004

    Filesize

    636B

    MD5

    9b69baa37c6655a8317033092b598800

    SHA1

    5974b98d630891344ca0844fe09f832d80fd8bfc

    SHA256

    8012a81c1316282e07e226bf1d2ea49d878ae2cfc75b85f30150c8cd3b6c14fc

    SHA512

    c88661dd19869a77eb46b9e60f896a7a9f7280148b8d1c0e96f9448352884e7fab8231f6eb8259f6f3e6309bc153d578697990f7f1e288e3726c7e007a5e5b08

  • \Windows\SysWOW64\AHLCIX\RRB.exe

    Filesize

    1.4MB

    MD5

    27a49221ba75a90934342bbe70f6c954

    SHA1

    751e322d6f7e46c132f0f97c56d60344248f1959

    SHA256

    946611f5091452aa46310d3ba8a885e808617b8ae9c57a468f7fe3abda4b052d

    SHA512

    9476f49d2e3c10f3e5cd91313e03405f944bc9887fd65e6c2236caab3a42e2c9a5392d7c34f6c5787a7dc8c3cfd43a3a90a6e052176aa60a43da0327d7ff78d6

  • memory/1884-18-0x0000000000A40000-0x0000000000A42000-memory.dmp

    Filesize

    8KB

  • memory/2648-19-0x0000000000220000-0x0000000000222000-memory.dmp

    Filesize

    8KB

  • memory/2880-14-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2880-21-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB