Analysis
max time kernel: 142s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 06:55
Static task: static1
Behavioral task: behavioral1
  Sample: dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe
Size: 933KB
MD5: dd862858d44add6103c8418cf9ab0ba4
SHA1: b6f7e01f094346b566b287b3f8815aa3175da5d0
SHA256: d69d32aa77b6b5050d0ed6acc792ada048815cb68b94bf537f02f448f257145a
SHA512: c5516321982655557bfd6165fc296033d9ff44b9dc0cf85c18ffdb68a6af8f71bea5d3f4350c9259d94cc0e78653209dd46e937e4eb7876341ff1350b194d093
SSDEEP: 24576:zZB2uzn2FiYiQ1e6cCshswP1UeWxt2M9R3ZAtcqUV:zZYuz2wYiC8suFWxt2Mn3ZcIV
Malware Config
Signatures
Ardamax family
Ardamax main executable (1 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023c0a-22.dat | family_ardamax
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | TibiaMC.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
3924 | TibiaMC.exe
2816 | XLDN.exe
Loads dropped DLL (4 IoCs)
pid | Process
3924 | TibiaMC.exe
2816 | XLDN.exe
2816 | XLDN.exe
2816 | XLDN.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XLDN Agent = "C:\\Windows\\SysWOW64\\28463\\XLDN.exe" | XLDN.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\28463\key.bin | TibiaMC.exe
File created | C:\Windows\SysWOW64\28463\AKV.exe | TibiaMC.exe
File opened for modification | C:\Windows\SysWOW64\28463 | XLDN.exe
File created | C:\Windows\SysWOW64\28463\XLDN.001 | TibiaMC.exe
File created | C:\Windows\SysWOW64\28463\XLDN.006 | TibiaMC.exe
File created | C:\Windows\SysWOW64\28463\XLDN.007 | TibiaMC.exe
File created | C:\Windows\SysWOW64\28463\XLDN.exe | TibiaMC.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TibiaMC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XLDN.exe
Modifies registry class (33 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\0 | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\0\win32 | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\HELPDIR\ = "%SystemRoot%\\system32" | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\TypeLib\ = "{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}" | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A} | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\InProcServer32 | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\InProcServer32\ | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\ | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\ = "Definition: UCM Extension API for WWAN Type Library" | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\HELPDIR\ | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\Version | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\ProgID | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\0\ | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\HELPDIR | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\TypeLib\ | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\ProgID\ = "Shell.Application.1" | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\0\win32\ | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\FLAGS | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\ = "Itowa.Aqiqoqro" | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\FLAGS\ = "0" | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\Version\ | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\ProgID\ | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\TypeLib | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\VersionIndependentProgID\ = "Shell.Application" | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\VersionIndependentProgID\ | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6} | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\ | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0 | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\wwanapi.dll" | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DE150B91-25B2-813E-BF35-B1DF6A7E23E6}\1.0\FLAGS\ | XLDN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\Version\ = "1.0" | XLDN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CFF41CFA-E1DB-402C-0CB9-5B7AEC8B676A}\VersionIndependentProgID | XLDN.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: 33 | 2816 | XLDN.exe
Token: SeIncBasePriorityPrivilege | 2816 | XLDN.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
2816 | XLDN.exe
2816 | XLDN.exe
2816 | XLDN.exe
2816 | XLDN.exe
2816 | XLDN.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 956 wrote to memory of 3924 | 956 | dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe | 82
PID 956 wrote to memory of 3924 | 956 | dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe | 82
PID 956 wrote to memory of 3924 | 956 | dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe | 82
PID 3924 wrote to memory of 2816 | 3924 | TibiaMC.exe | 83
PID 3924 wrote to memory of 2816 | 3924 | TibiaMC.exe | 83
PID 3924 wrote to memory of 2816 | 3924 | TibiaMC.exe | 83
Processes
C:\Users\Admin\AppData\Local\Temp\dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd862858d44add6103c8418cf9ab0ba4_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 956
  C:\Users\Admin\AppData\Local\Temp\TibiaMC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TibiaMC.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3924
    C:\Windows\SysWOW64\28463\XLDN.exe
      Command line: "C:\Windows\system32\28463\XLDN.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: d372a0cb21c005b26e1a0b64ec73ff3d
SHA1: ecdbc27845aa2c4f5640e08588161fe81957d10f
SHA256: c8ed006ecda67e5e4e655f645b86d5c59ba5cf6c4bf71aa037960845344abf57
SHA512: 89fb94bdc77800352ee96106e3b3170a205e479062fc63e8b0f7fef76a49519f6758a646636ee12f93856095fb9b7c9261e56bb70e4094472d0137fc61f01987

Filesize: 783KB
MD5: 7d317cab674e9bd65ec46f8fa6b1f766
SHA1: f607724bd3982d5c171896cef94c58240edee8c4
SHA256: d78eaed216df170542a3e4f6b582b086f512184ea5072f7c2ebf2baa07c431ee
SHA512: 4e743b8491fcfc0125f0b2526a4e94c6eec33e4e7a354a227a68eaf1529813b66d64a6923d0c08004cd8d6cb2734023292d2c09fd28b3d34d6b870e6abc3bec3

Filesize: 457KB
MD5: 84d41e2f2f9dddb3eeb1835c283a2d7f
SHA1: 4e4e051703d7e5475e71f8ea818d9d6882fcbe83
SHA256: 206dad55f739fb7be3861d332573cc39e620e553d0e637a1807c9acb4d983a7b
SHA512: 325f62644f9bc0412b2f8c1decd5be7cdbb6c348b0ca21658f97b44efde7f94ccfa7af9bfebb4c67414cedf79468f74ccf05fd357c76699ffdb4a86068028c20

Filesize: 450B
MD5: 3e042c26beb272328b6fe56140aaf409
SHA1: 091a9485b3b6c0fcbad43108409317590fdf41ca
SHA256: c4b331e45c3943f7b551609567cf6b8f21683fe29236027ee146533558e1b741
SHA512: d97f6b110efcdd507b64e521d93fb31644af6fa13351134d2d704fa02e6206acebd3b28a4c0e532da9c91e138ddd46bcfeb505e7c6643003948e44910618fe13

Filesize: 8KB
MD5: 23053b1e316c4965e84118c7564bae8d
SHA1: 75277b63f42edf5596f258958f53b584a52a88a5
SHA256: 4714d9b2e492a97f6d8f615147e2189a7ed09702627b8783b9351380b1cebe6f
SHA512: 11c250458b301c99afcd6ead5d3d5f367ade0884dba8accf2c8ead93f83eadb4f8ec7f756aa9767f4877885a0301d5b21f6180a0efbe58649a1d4d9ed995e602

Filesize: 5KB
MD5: d1634f55997e7f03ab860e50dd9f0cb6
SHA1: 6fb3cb0f34750245686ed6d880fa637e6149ea94
SHA256: caadc012d814d37d1a7ae1a6741c0a56ba288a0b7731b3ab4019c6e796100036
SHA512: 931964902fe4eb685f20be69cc85d3c88095138ed4f7788d1dfb2f6d61cdf2c4257eb475476bd6741554eb944f5d7cdead1a864e38dd28113beb84e54f6772da

Filesize: 646KB
MD5: ee9b8abea7a9715d1d119576f3f03e67
SHA1: 08b7d55a300602a51299d488b4937f9e9c2371e1
SHA256: 34d9747e63a3390353d8f448b0a319b8b3229a4cc2aa0e0f4330597b04daf3b2
SHA512: ae562f5cdd881905d063be09d31dfb3cfd6a7729505ce69b005df7f696ef82acf7f1d4941d3306b0061821861bf1e722f1e5d54cec76f9abfd23d8cfcc1b23aa

Filesize: 105B
MD5: 27c90d4d9b049f4cd00f32ed1d2e5baf
SHA1: 338a3ea8f1e929d8916ece9b6e91e697eb562550
SHA256: 172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb
SHA512: d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae