Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-12-2024 17:29
Static task: static1
Behavioral task: behavioral1
- Sample: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
-
Target
dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
dabc537658c490f3bec6af67daec0092
-
SHA1
a08e90f3157980d8a2f2daeb8cf9a88904835c8a
-
SHA256
ab8f334d3e7167d5e2eab34072db4ffc93ea56bc536ce31ed0a9a9484ff41622
-
SHA512
a3b815d0c500d56e4ba759794d1967f3d44153ef5e7925c506ae8d2f013be8eee08ccb26884cd0dd1fd28964ed1774ab33970fbe1f5dd5fcaeab86deacdd864d
-
SSDEEP
24576:HbPTzpzDfr4exd/N3nXqH3tne0sMTfys7d+6jf4p71wJ44ZJl4MPWzovDnnzS:H7Ttzn42d/N3X/037M6cl24aJlHOW
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  - resource: behavioral1/files/0x0007000000014c23-5.dat, yara_rule: family_ardamax
- Executes dropped EXE (1 IoC)
  - PID 2880, RRB.exe
- Loads dropped DLL (4 IoCs)
  - PID 1884, dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
  - PID 2880, RRB.exe
  - PID 2648, DllHost.exe
  - PID 1884, dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RRB Start = "C:\\Windows\\SysWOW64\\AHLCIX\\RRB.exe" (process: RRB.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (5 IoCs)
  - File created: C:\Windows\SysWOW64\AHLCIX\RRB.002 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\AHLCIX\RRB.exe (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\AHLCIX\ (process: RRB.exe)
  - File created: C:\Windows\SysWOW64\AHLCIX\RRB.004 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\AHLCIX\RRB.001 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RRB.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: DllHost.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: 33, PID 2880, RRB.exe
  - Token: SeIncBasePriorityPrivilege, PID 2880, RRB.exe
  - Token: SeIncBasePriorityPrivilege, PID 2880, RRB.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 2648, DllHost.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 2880, RRB.exe
  - PID 2880, RRB.exe
  - PID 2880, RRB.exe
  - PID 2880, RRB.exe
  - PID 2648, DllHost.exe
  - PID 2648, DllHost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1884 wrote to memory of 2880 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe, procid_target: 28)
  - PID 1884 wrote to memory of 2880 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe, procid_target: 28)
  - PID 1884 wrote to memory of 2880 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe, procid_target: 28)
  - PID 1884 wrote to memory of 2880 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe, procid_target: 28)
  - PID 2880 wrote to memory of 2028 (process: RRB.exe, procid_target: 32)
  - PID 2880 wrote to memory of 2028 (process: RRB.exe, procid_target: 32)
  - PID 2880 wrote to memory of 2028 (process: RRB.exe, procid_target: 32)
  - PID 2880 wrote to memory of 2028 (process: RRB.exe, procid_target: 32)
Processes
- C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1884
  - C:\Windows\SysWOW64\AHLCIX\RRB.exe (depth 2)
    Command line: "C:\Windows\system32\AHLCIX\RRB.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2880
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AHLCIX\RRB.exe > nul
      - System Location Discovery: System Language Discovery
      PID: 2028
- C:\Windows\SysWOW64\DllHost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads