Overview

overview

10

Static

static

3

fc16b8f315...18.exe

windows7-x64

10

fc16b8f315...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc16b8f315aeb8a58e9b3e04e961a26a_JaffaCakes118.exe

  • Size

    631KB

  • MD5

    fc16b8f315aeb8a58e9b3e04e961a26a

  • SHA1

    8a5a2343d4caaabd1d25622910595f912a5139a7

  • SHA256

    e22cc73ca6292597c56847b093c491761bc87e202826332bdd9804d1ce45cae7

  • SHA512

    5339a1b76383a49d75f306fd1dc797b02837d23e5a97e854a9074f48c4a3c9fb21c6f143fafd4e51d36f3efe14360ec150a289888ea91606b845e9946e5b6489

  • SSDEEP

    12288:NYYkJgAClFX/FIl1TaRVgJ0sLRlobWf8zMih:e7kral1WVgJ0sLRDxo

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc16b8f315aeb8a58e9b3e04e961a26a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc16b8f315aeb8a58e9b3e04e961a26a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\AppData\Local\Temp\hotkeys0.exe
      C:\Windows\system32\
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\system32SMGJ.exe
        "C:\Windows\system32SMGJ.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4924
    • C:\Users\Admin\AppData\Local\Temp\hotkeys1.exe
      "C:\Users\Admin\AppData\Local\Temp\hotkeys1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@3066.tmp
    Filesize

    4KB

    MD5

    d9e02f226fc338d14df200ba9a700625

    SHA1

    414f134a16a309b31e418ed9e08c0c48aaf6e2bc

    SHA256

    8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

    SHA512

    13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hotkeys0.exe
    Filesize

    270KB

    MD5

    bbf10f650946c7097c21730ec9ac3179

    SHA1

    3ddf427b4a664f19313e92212423fdb776f6d9d6

    SHA256

    6b15dd64fb3493d85206bb016905be4a3dd9df6b268fa09ac1370d1ea309530d

    SHA512

    8694c95ffe1a1346275395ba2548b674df94c25666400b2441d01e44d28a62889da6e9f115c5c71b9d9a5601245032d008edd4a098781fa8d54130e06099d00f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hotkeys1.exe
    Filesize

    241KB

    MD5

    87caa3fd0cd88ecef9fd84655ed627b6

    SHA1

    ffff33abbd125fdafd37ca346118fa732890558b

    SHA256

    96bb8fdb03681379358d8a6bb5ad3af6b7e0f555da74cd200eb2380fe060a06b

    SHA512

    a44584c3f0f11d0b3124b8213c3023b56a7d5f8a2b717aafde52fca50325d05d815faea522a7e29633a8012be9bea561f7a81f8dcbd0cdca78416a859c10f754

    Download Submit
  • C:\Windows\system32SMGJ.001
    Filesize

    460B

    MD5

    e6eef13328bb16cbf79da6d5ff4d34f9

    SHA1

    e238a3470717de5d928441b5c86bc30b03262b53

    SHA256

    1c6a672929aa97364a1f2ee4d881c992c5ff9ab9ecd03ff6a45c7b4224e3500a

    SHA512

    cc07a263169e7e792ec8c9d3f820cd70ccada73c22e775b5e8001ac82b6eb259f73f940ae74b8ac26586f893ce7a6a644acfff9498bbf25e4667a7112c47d088

    Download Submit
  • C:\Windows\system32SMGJ.006
    Filesize

    7KB

    MD5

    32dd7b4bc8b6f290b0ece3cc1c011c96

    SHA1

    b979683868b399c6a6204ebaed9fc9c784a0429a

    SHA256

    6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

    SHA512

    9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

    Download Submit
  • C:\Windows\system32SMGJ.007
    Filesize

    5KB

    MD5

    e8155b68775ed29590e14df80fdc0e9f

    SHA1

    ed449da02e648a524004c265f3c37496d2f07f1f

    SHA256

    b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

    SHA512

    b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

    Download Submit
  • C:\Windows\system32SMGJ.exe
    Filesize

    471KB

    MD5

    3c06bbc025b61d2182ef5573f2852bda

    SHA1

    ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

    SHA256

    e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

    SHA512

    9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

    Download Submit
  • memory/3344-27-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize

    612KB

    Download
  • memory/3344-31-0x0000000000770000-0x0000000000771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3344-38-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize

    612KB

    Download
  • memory/3344-41-0x0000000000770000-0x0000000000771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4924-28-0x0000000002220000-0x0000000002221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4924-40-0x0000000002220000-0x0000000002221000-memory.dmp
    Filesize

    4KB

    Download