Overview

overview

10

Static

static

3

f4f3f5435f...18.exe

windows7-x64

10

f4f3f5435f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 03:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4f3f5435f422b09978f05881db1ab4e_JaffaCakes118.exe

  • Size

    698KB

  • MD5

    f4f3f5435f422b09978f05881db1ab4e

  • SHA1

    6e73daf050cdbdb657bef4258e514a84a340ad7c

  • SHA256

    c3e07b98a8da60e715048ccf35eb7cea372e76f40777f5f638d3a3a356a9e53f

  • SHA512

    d61a2b9815e6edd87fbda79e43e16680f9aa371a8c8bc79eb4aec4e00cc0bcc7238df21ddb784d14ac5e65667672509afabb8f6ba49fee1f16130c20fd44b3b7

  • SSDEEP

    12288:m/PyRUz/5qSHSgndJUpwOymFkbKOfMLXZ5cX4RE2M6iSe68OsL5DOqY5DEfapAs:kKRsHRUPSbKO+XjcXYe68O4Y5DEfHs

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4f3f5435f422b09978f05881db1ab4e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f4f3f5435f422b09978f05881db1ab4e_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\28463\JTOV.exe
        "C:\Windows\system32\28463\JTOV.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\JTOV.exe > nul
          4⤵
            PID:772
        • C:\Users\Admin\AppData\Local\Temp\Daemon Crypt V2 Public.exe
          "C:\Users\Admin\AppData\Local\Temp\Daemon Crypt V2 Public.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\pcgdemo\PCGWIN32.LI4
      Filesize

      528B

      MD5

      fd8502ffdfbe27b53a058593ab8923a0

      SHA1

      244c45f439d67b8dee481c22a60a2d0b03d1ca39

      SHA256

      33b82ab50778974cb8137b0d446e1a839fbdb1660c06db692e9a00ed0968975a

      SHA512

      068d9b8b20e19829be7800f04d8a9717ed8e9e5715234b1748521861f9eb5a689e37d895c77a3c1802746ba43823595a37e6920b59a8dbf2f35bf65315125e8f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      Filesize

      593KB

      MD5

      17c1da8d5b5625cde1645e0e038dc989

      SHA1

      f4df06118bb79b395943bbeae9b7b99a6a6cba9c

      SHA256

      f7573a2a9cc7c5ecbbd9530f72d19d4976aa826f2ec9688974888a41021aea41

      SHA512

      21234005e55998653b7932f0abfcfe53e3bb8040eccedf61999c2ef2fc90e7e5f947a9a7f857548ea33eae66e8b71561950ca494ecd110e06a1c154395ad68ef

      Download Submit

    • C:\Windows\SysWOW64\28463\AKV.exe
      Filesize

      393KB

      MD5

      1e13f68fd4258a545d262c77e38c76cd

      SHA1

      b8f6710c83e52ad354d8763a1b51293ee5758956

      SHA256

      d7785409d6e2512d9d907670f79b313192a85138707c6ca0cc59a71f8fd6a247

      SHA512

      938880407818a1489ecb9911cf05d4c9b69ecb2e0f908c3d3b8ba87b8c437ae16916e46bdf780bba24c38ad2c3981a5dcd4d3acd8ea227ac4dced12f1ca21eb3

      Download Submit

    • C:\Windows\SysWOW64\28463\JTOV.001
      Filesize

      486B

      MD5

      572cc4ec71193903d04c033b4610a41c

      SHA1

      7b3f063185c2bf905df0cb687caf7df07a6e442e

      SHA256

      8af31258752caecd8cfa8366ccd7773226760ac5d0f7c89a96cb13e3a6cbec3a

      SHA512

      dc3510d223cb6c1233017bbd5ebb039469c22fb7982ea256b2c12a6337920d673fbd8de82397746315dedccd29f5e2c5bbf24f5852af13ee8b3c57427569ba5e

      Download Submit

    • C:\Windows\SysWOW64\28463\JTOV.006
      Filesize

      7KB

      MD5

      46e0f5831dfe24c3105ef20190c5f0d7

      SHA1

      dbd701062695f9df971bffc1fa433eb18ef61727

      SHA256

      d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

      SHA512

      3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

      Download Submit

    • C:\Windows\SysWOW64\28463\JTOV.007
      Filesize

      5KB

      MD5

      70c68ec7e4e7f18abf35d47976a47f0f

      SHA1

      f1263f67e712760e055833d3030ed4583611ad6f

      SHA256

      cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

      SHA512

      80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

      Download Submit

    • \Users\Admin\AppData\Local\Temp\@451B.tmp
      Filesize

      4KB

      MD5

      a33680859a24229dc931c0e8a82ae84a

      SHA1

      dff1e7e7160ffbfaae221cd3a85de40722fddde6

      SHA256

      d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

      SHA512

      a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Daemon Crypt V2 Public.exe
      Filesize

      276KB

      MD5

      dfe516972fb621ff9a1dc714480cb9e0

      SHA1

      04ea4c2a0c49645991d2776a844977e8c9c5ed63

      SHA256

      07d7e4de0ffb5e3924ed2fbc08931526497f367d62b12a4503aededffe35e020

      SHA512

      1c385b7735f356ebc4466948046af664a8beae87b4c6719ab618c0f74db95c847d56bca920ac51e41597c2f39c0de66df6b35d2cd3d60c063a0a3bf5daefa5d7

      Download Submit

    • \Windows\SysWOW64\28463\JTOV.exe
      Filesize

      471KB

      MD5

      328ef8c28309203cfbe5655274d5ea48

      SHA1

      403399787e94f7d4e3c8e237e25399263e9f4047

      SHA256

      0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

      SHA512

      93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

      Download Submit

    • memory/2564-55-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-67-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2636-65-0x0000000076FAF000-0x0000000076FB0000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2636-66-0x0000000076FAF000-0x0000000076FB0000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2636-68-0x0000000076FAF000-0x0000000076FB0000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2924-1-0x0000000000220000-0x0000000000235000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2924-22-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2924-32-0x0000000000220000-0x0000000000235000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2924-0-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download