Analysis

  • max time kernel
    91s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 03:39

General

  • Target

    f4f3f5435f422b09978f05881db1ab4e_JaffaCakes118.exe

  • Size

    698KB

  • MD5

    f4f3f5435f422b09978f05881db1ab4e

  • SHA1

    6e73daf050cdbdb657bef4258e514a84a340ad7c

  • SHA256

    c3e07b98a8da60e715048ccf35eb7cea372e76f40777f5f638d3a3a356a9e53f

  • SHA512

    d61a2b9815e6edd87fbda79e43e16680f9aa371a8c8bc79eb4aec4e00cc0bcc7238df21ddb784d14ac5e65667672509afabb8f6ba49fee1f16130c20fd44b3b7

  • SSDEEP

    12288:m/PyRUz/5qSHSgndJUpwOymFkbKOfMLXZ5cX4RE2M6iSe68OsL5DOqY5DEfapAs:kKRsHRUPSbKO+XjcXYe68O4Y5DEfHs

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4f3f5435f422b09978f05881db1ab4e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f4f3f5435f422b09978f05881db1ab4e_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\28463\JTOV.exe
        "C:\Windows\system32\28463\JTOV.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 820
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\JTOV.exe > nul
          4⤵
          PID:2144
        • C:\Users\Admin\AppData\Local\Temp\Daemon Crypt V2 Public.exe
          "C:\Users\Admin\AppData\Local\Temp\Daemon Crypt V2 Public.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2168 -ip 2168
      1⤵
      PID:1824

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\@DD60.tmp

        Filesize

        4KB

        MD5

        a33680859a24229dc931c0e8a82ae84a

        SHA1

        dff1e7e7160ffbfaae221cd3a85de40722fddde6

        SHA256

        d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

        SHA512

        a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

      • C:\Users\Admin\AppData\Local\Temp\Daemon Crypt V2 Public.exe

        Filesize

        276KB

        MD5

        dfe516972fb621ff9a1dc714480cb9e0

        SHA1

        04ea4c2a0c49645991d2776a844977e8c9c5ed63

        SHA256

        07d7e4de0ffb5e3924ed2fbc08931526497f367d62b12a4503aededffe35e020

        SHA512

        1c385b7735f356ebc4466948046af664a8beae87b4c6719ab618c0f74db95c847d56bca920ac51e41597c2f39c0de66df6b35d2cd3d60c063a0a3bf5daefa5d7

      • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

        Filesize

        593KB

        MD5

        17c1da8d5b5625cde1645e0e038dc989

        SHA1

        f4df06118bb79b395943bbeae9b7b99a6a6cba9c

        SHA256

        f7573a2a9cc7c5ecbbd9530f72d19d4976aa826f2ec9688974888a41021aea41

        SHA512

        21234005e55998653b7932f0abfcfe53e3bb8040eccedf61999c2ef2fc90e7e5f947a9a7f857548ea33eae66e8b71561950ca494ecd110e06a1c154395ad68ef

      • C:\Windows\SysWOW64\28463\AKV.exe

        Filesize

        393KB

        MD5

        1e13f68fd4258a545d262c77e38c76cd

        SHA1

        b8f6710c83e52ad354d8763a1b51293ee5758956

        SHA256

        d7785409d6e2512d9d907670f79b313192a85138707c6ca0cc59a71f8fd6a247

        SHA512

        938880407818a1489ecb9911cf05d4c9b69ecb2e0f908c3d3b8ba87b8c437ae16916e46bdf780bba24c38ad2c3981a5dcd4d3acd8ea227ac4dced12f1ca21eb3

      • C:\Windows\SysWOW64\28463\JTOV.001

        Filesize

        486B

        MD5

        572cc4ec71193903d04c033b4610a41c

        SHA1

        7b3f063185c2bf905df0cb687caf7df07a6e442e

        SHA256

        8af31258752caecd8cfa8366ccd7773226760ac5d0f7c89a96cb13e3a6cbec3a

        SHA512

        dc3510d223cb6c1233017bbd5ebb039469c22fb7982ea256b2c12a6337920d673fbd8de82397746315dedccd29f5e2c5bbf24f5852af13ee8b3c57427569ba5e

      • C:\Windows\SysWOW64\28463\JTOV.006

        Filesize

        7KB

        MD5

        46e0f5831dfe24c3105ef20190c5f0d7

        SHA1

        dbd701062695f9df971bffc1fa433eb18ef61727

        SHA256

        d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

        SHA512

        3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

      • C:\Windows\SysWOW64\28463\JTOV.007

        Filesize

        5KB

        MD5

        70c68ec7e4e7f18abf35d47976a47f0f

        SHA1

        f1263f67e712760e055833d3030ed4583611ad6f

        SHA256

        cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

        SHA512

        80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

      • C:\Windows\SysWOW64\28463\JTOV.exe

        Filesize

        471KB

        MD5

        328ef8c28309203cfbe5655274d5ea48

        SHA1

        403399787e94f7d4e3c8e237e25399263e9f4047

        SHA256

        0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

        SHA512

        93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

      • memory/636-23-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/636-31-0x00000000006C0000-0x00000000006D5000-memory.dmp

        Filesize

        84KB

      • memory/636-0-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/636-1-0x00000000006C0000-0x00000000006D5000-memory.dmp

        Filesize

        84KB

      • memory/2168-58-0x0000000002220000-0x0000000002221000-memory.dmp

        Filesize

        4KB

      • memory/2168-66-0x0000000002220000-0x0000000002221000-memory.dmp

        Filesize

        4KB