Analysis
  max time kernel:  140s
  max time network: 122s
  platform:         windows7_x64
  resource:         win7-20241010-en
  resource tags:    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted:        11-12-2024 08:43
Tasks
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  Resource:         win7-20241010-en
General
  Target:  e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  Size:    435KB
  MD5:     e0ab2dcbb97c13383fcb3be56a6dbaf9
  SHA1:    7872b2bc5f02cbf1be4f342c852ec9bf007c2144
  SHA256:  ed3357b129c0585e56327515a38f9fdac091e9a0a8c0f2595889d79f3f970f0c
  SHA512:  1a298f814f3465eb6d4938926007166aec674ceacec5ec87602491df72dd58c5ac0bf27ba1d7686eb88fe3369ac2a2e43c600626682b1e27032c1eaaca3ac3b2
  SSDEEP:  6144:RLHEh7M7qGzXrhSaPp1lHKR381Z9aMhaaV6ksT62UkRGqP6eTyIorWgLi1O2:RDSythS01UZ81Z8M8NTfRxPl9lol2
Malware Config

Signatures

Ardamax family

Ardamax main executable (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x00060000000194e4-9.dat   family_ardamax

Executes dropped EXE (2 IoCs)
  pid    Process
  1536   NKM.exe
  2828   Project1.exe

Loads dropped DLL (8 IoCs)
  pid    Process
  752    e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  752    e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  752    e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  752    e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  752    e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  1536   NKM.exe
  1536   NKM.exe
  2828   Project1.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (4 IoCs)
  description    ioc                           Process
  File created   C:\Windows\SysWOW64\NKM.001   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  File created   C:\Windows\SysWOW64\NKM.006   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  File created   C:\Windows\SysWOW64\NKM.007   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
  File created   C:\Windows\SysWOW64\NKM.exe   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe

Drops file in Windows directory (1 IoC)
  description                    ioc                   Process
  File opened for modification   C:\Windows\SysWOW64   NKM.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   NKM.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Project1.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (20 IoCs)
  description                           pid    Process
  Token: 33                             1536   NKM.exe
  Token: SeIncBasePriorityPrivilege     1536   NKM.exe
  Token: SeIncreaseQuotaPrivilege       2828   Project1.exe
  Token: SeSecurityPrivilege            2828   Project1.exe
  Token: SeTakeOwnershipPrivilege       2828   Project1.exe
  Token: SeLoadDriverPrivilege          2828   Project1.exe
  Token: SeSystemProfilePrivilege       2828   Project1.exe
  Token: SeSystemtimePrivilege          2828   Project1.exe
  Token: SeProfSingleProcessPrivilege   2828   Project1.exe
  Token: SeIncBasePriorityPrivilege     2828   Project1.exe
  Token: SeCreatePagefilePrivilege      2828   Project1.exe
  Token: SeShutdownPrivilege            2828   Project1.exe
  Token: SeDebugPrivilege               2828   Project1.exe
  Token: SeSystemEnvironmentPrivilege   2828   Project1.exe
  Token: SeRemoteShutdownPrivilege      2828   Project1.exe
  Token: SeUndockPrivilege              2828   Project1.exe
  Token: SeManageVolumePrivilege        2828   Project1.exe
  Token: 33                             2828   Project1.exe
  Token: 34                             2828   Project1.exe
  Token: 35                             2828   Project1.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    Process
  1536   NKM.exe
  1536   NKM.exe
  1536   NKM.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                              procid_target
  PID 752 wrote to memory of 1536   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   31
  PID 752 wrote to memory of 1536   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   31
  PID 752 wrote to memory of 1536   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   31
  PID 752 wrote to memory of 1536   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   31
  PID 752 wrote to memory of 2828   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   32
  PID 752 wrote to memory of 2828   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   32
  PID 752 wrote to memory of 2828   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   32
  PID 752 wrote to memory of 2828   752   e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe   32
Processes

1. C:\Users\Admin\AppData\Local\Temp\e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 752

   2. C:\Windows\SysWOW64\NKM.exe
      Command line: "C:\Windows\system32\NKM.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1536

   2. C:\Users\Admin\AppData\Local\Temp\Project1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2828
Network
MITRE ATT&CK Enterprise v15
Downloads