Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-12-2024 07:15
Static task: static1
Behavioral task: behavioral1
Sample: dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
Size: 531KB
MD5: dd9b2df8a16a5a98d7fb325e51fe4b23
SHA1: 414d1d6ee1cb9ad4e0adad87ab961b6426034006
SHA256: 0a3a89c155e009f035b13c37fdbbdeefa3a487e4e569be8512405ee9686585c9
SHA512: 3fe8452bb6159a43e7ae5340496113dc6396d47ae6a2a9dced8c3927264a22c94fb32079ed7a0837d0be5b9bf6bdef3352a7c5122c4c61d38b6eefe243283f13
SSDEEP: 12288:hDd/kA1S4w4TVfeU+DwRkjZa4eaJ00wBO4OEAwSq:pNOQVfsDwRk1V/K0N43F
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource | yara_rule
  behavioral2/files/0x000a000000023b97-12.dat | family_ardamax
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1068 | system32VKHD.exe
  3664 | TTTest1.5.exe
- Loads dropped DLL (9 IoCs)
  pid | Process
  1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  1068 | system32VKHD.exe
  1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  1068 | system32VKHD.exe
  1068 | system32VKHD.exe
  3664 | TTTest1.5.exe
  3664 | TTTest1.5.exe
  3664 | TTTest1.5.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32VKHD Agent = "C:\\Windows\\system32VKHD.exe" | system32VKHD.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- AutoIT Executable (15 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/3664-43-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-44-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-45-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-46-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-47-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-48-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-49-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-50-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-51-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-52-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-53-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-54-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-55-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-56-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
  behavioral2/memory/3664-57-0x0000000000400000-0x000000000049E000-memory.dmp | autoit_exe
-
  resource | yara_rule
  behavioral2/files/0x000a000000023b98-33.dat | upx
  behavioral2/memory/3664-34-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-43-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-44-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-45-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-46-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-47-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-48-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-49-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-50-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-51-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-52-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-53-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-54-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-55-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-56-0x0000000000400000-0x000000000049E000-memory.dmp | upx
  behavioral2/memory/3664-57-0x0000000000400000-0x000000000049E000-memory.dmp | upx
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32VKHD.001 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  File created | C:\Windows\system32VKHD.006 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  File created | C:\Windows\system32VKHD.007 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  File created | C:\Windows\system32VKHD.exe | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32VKHD.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TTTest1.5.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3664 | TTTest1.5.exe
  3664 | TTTest1.5.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3664 | TTTest1.5.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 1068 | system32VKHD.exe
  Token: SeIncBasePriorityPrivilege | 1068 | system32VKHD.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  3664 | TTTest1.5.exe (this identical row is repeated 64 times in the report)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  3664 | TTTest1.5.exe (this identical row is repeated 64 times in the report)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  1068 | system32VKHD.exe
  1068 | system32VKHD.exe
  1068 | system32VKHD.exe
  1068 | system32VKHD.exe
  1068 | system32VKHD.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1208 wrote to memory of 1068 | 1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe | 82
  PID 1208 wrote to memory of 1068 | 1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe | 82
  PID 1208 wrote to memory of 1068 | 1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe | 82
  PID 1208 wrote to memory of 3664 | 1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe | 83
  PID 1208 wrote to memory of 3664 | 1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe | 83
  PID 1208 wrote to memory of 3664 | 1208 | dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd9b2df8a16a5a98d7fb325e51fe4b23_JaffaCakes118.exe"
  PID: 1208
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32VKHD.exe
    Command line: "C:\Windows\system32VKHD.exe"
    PID: 1068
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\TTTest1.5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TTTest1.5.exe"
    PID: 3664
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads