Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/01/2025, 06:10 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe
-
Size
321KB
-
MD5
5faa0dd84426f798a53c11c222d66e30
-
SHA1
40f0f035d0a1467f919e2a9b8c44682d3f85817a
-
SHA256
c5612b17662ada258a7f49719dcb905be96f419054ab8858ec5835eb12118b8c
-
SHA512
7a9e785de7d30379f3b265a06d9c0a3d264bef39e0c8362ffc519907d383b6487ea359178e8c122aa64803e8d6ce01cdc4b23404f1fa096c37b235dc796a7bcf
-
SSDEEP
6144:/RXe6t5AN4uLpVWMRrtNAT7+vvun3mB4/SdYpSoehL:/RXeGDuLpVWMRpNq7wvu26/SkSoex
Malware Config
Signatures
-
Ardamax family
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral1/files/0x0017000000018663-9.dat family_ardamax -
Executes dropped EXE 2 IoCs
pid Process 2776 JBLW.exe 2588 Rmpg2011©.exe -
Loads dropped DLL 6 IoCs
pid Process 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 2776 JBLW.exe 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 2588 Rmpg2011©.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JBLW Agent = "C:\\Windows\\SysWOW64\\Sys32\\JBLW.exe" JBLW.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\Sys32\JBLW.001 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe File created C:\Windows\SysWOW64\Sys32\JBLW.006 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe File created C:\Windows\SysWOW64\Sys32\JBLW.007 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe File created C:\Windows\SysWOW64\Sys32\JBLW.exe JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe File opened for modification C:\Windows\SysWOW64\Sys32 JBLW.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JBLW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rmpg2011©.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2776 JBLW.exe Token: SeIncBasePriorityPrivilege 2776 JBLW.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2776 JBLW.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2776 JBLW.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2776 JBLW.exe 2776 JBLW.exe 2776 JBLW.exe 2776 JBLW.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2776 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 30 PID 2160 wrote to memory of 2776 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 30 PID 2160 wrote to memory of 2776 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 30 PID 2160 wrote to memory of 2776 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 30 PID 2160 wrote to memory of 2588 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 31 PID 2160 wrote to memory of 2588 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 31 PID 2160 wrote to memory of 2588 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 31 PID 2160 wrote to memory of 2588 2160 JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Sys32\JBLW.exe"C:\Windows\system32\Sys32\JBLW.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\Rmpg2011©.exe"C:\Users\Admin\AppData\Local\Temp\Rmpg2011©.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2588
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
462B
MD56eb280ad991da09c2192333ea2e42122
SHA1a04894e6465fb030d950e3414a775ebe7f3ba4a4
SHA256897d1dcfb02f4f80e87b38c7d8935ec85a9c40b74d7489579ddc4d46de3b2412
SHA512e649eaa0338ccc0ad72f30bc77ca3cacad97756d8456ddea7ba2715ab2b371c3eb83ad8ca5c65789c7cc377c402292aca35f3564ab10defd181ebb2c8fa0331e
-
Filesize
7KB
MD5928cc65dc793834c709a054ca57c19c8
SHA1a1e5d8407199c1bd6a4b274044de640fe0d9e99b
SHA256e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192
SHA512f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf
-
Filesize
5KB
MD53e1f5d5a06cf97b0495b8d129fbe02e4
SHA1b0de258a813f5edde85004f6865b6ed91f6d6f8f
SHA256f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7
SHA512b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd
-
Filesize
4KB
MD533303ca8abef9221cb410b8a232e9fe4
SHA10cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c
SHA2565110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a
SHA512da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800
-
Filesize
51KB
MD5677b168330c9127d6f549740ba7d92fe
SHA158621cc7d55a7eeda8c8b39fefd405ef3263d651
SHA2569639d46696884246e64ecc6781c6cb53026d1477515b07aacc6e0d8430da982b
SHA512f81c96cee5e32256830336bc3d81f20ed1ef181210be8f8312485d85a96a9e0a285b95bc3c637b01fed83a5e9aa25618890de8a49513aa26abbf4960e93c2d5c
-
Filesize
476KB
MD5ef52b540cb404d908338e9cbf7cff283
SHA1778765e1736c0a197685978c3fee7a44e7bde419
SHA25639d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815
SHA512596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6