Analysis
max time kernel: 141s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250610-en
resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 17:37
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  Resource: win11-20250610-en
General
Target: JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
Size: 801KB
MD5: 1c71a0edb69e73f69f83dcd36adcfa08
SHA1: f064dcec48a54131baef7223534dfe4a9b1eb9f8
SHA256: 2edb2dce6837129e1f164f61480a08cb829646f48a62888006fe9d80eb75da7e
SHA512: 2f9901d03d011c918e3f024786f377bffecd9d84d378e668d97d03ff2a07f9a29bec1e00f0e8887006cbb2b6c503f03587a8b825dc8b007cadcffa286edc0fe8
SSDEEP: 24576:FQWcDEciknpGtp8J8o5oRNINsuL0hFa0F2pHG:FQtQcXy/XhFa0F2pHG
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource                                     yara_rule
  behavioral2/files/0x001900000002b0ba-12.dat  family_ardamax
Executes dropped EXE (3 IoCs)
  pid   Process
  5132  HKDQ.exe
  4808  MigPol.exe
  1544  HKDQ.exe
Loads dropped DLL (7 IoCs)
  pid   Process
  5516  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  5132  HKDQ.exe
  5132  HKDQ.exe
  5132  HKDQ.exe
  1544  HKDQ.exe
  1544  HKDQ.exe
  1544  HKDQ.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKDQ Agent = "C:\\Windows\\SysWOW64\\28463\\HKDQ.exe"  HKDQ.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (7 IoCs)
  description                  ioc                                    Process
  File created                 C:\Windows\SysWOW64\28463\key.bin      JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  File created                 C:\Windows\SysWOW64\28463\AKV.exe      JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  File opened for modification C:\Windows\SysWOW64\28463              HKDQ.exe
  File created                 C:\Windows\SysWOW64\28463\HKDQ.001     JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  File created                 C:\Windows\SysWOW64\28463\HKDQ.006     JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  File created                 C:\Windows\SysWOW64\28463\HKDQ.007     JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  File created                 C:\Windows\SysWOW64\28463\HKDQ.exe     JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  HKDQ.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MigPol.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  HKDQ.exe
Modifies registry class (54 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                        pid   Process
  Token: 33                          5132  HKDQ.exe
  Token: SeIncBasePriorityPrivilege  5132  HKDQ.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  5132  HKDQ.exe
  5132  HKDQ.exe
  5132  HKDQ.exe
  5132  HKDQ.exe
  5132  HKDQ.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                              procid_target
  PID 5516 wrote to memory of 5132   5516  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe  78
  PID 5516 wrote to memory of 5132   5516  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe  78
  PID 5516 wrote to memory of 5132   5516  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe  78
  PID 5516 wrote to memory of 4808   5516  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe  79
  PID 5516 wrote to memory of 4808   5516  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe  79
  PID 5516 wrote to memory of 4808   5516  JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe  79
  PID 5680 wrote to memory of 1544   5680  cmd.exe                                              83
  PID 5680 wrote to memory of 1544   5680  cmd.exe                                              83
  PID 5680 wrote to memory of 1544   5680  cmd.exe                                              83
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe"
  PID: 5516
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\28463\HKDQ.exe
      Command line: "C:\Windows\system32\28463\HKDQ.exe"
      PID: 5132
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\MigPol.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MigPol.exe"
      PID: 4808
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\28463\HKDQ.exe
  PID: 5680
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\28463\HKDQ.exe
      Command line: C:\Windows\SysWOW64\28463\HKDQ.exe
      PID: 1544
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads