Analysis

  • max time kernel
    120s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/06/2024, 19:39

General

  • Target

    0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    0a76ae1d64e79b9d9d19e065be04ffca

  • SHA1

    ab2544b157e992053157d1c8cbd530df63f74574

  • SHA256

    4b70fc62fdc106932e6bf2bba83284c8430e3b6692420b77d0f83f033ae88e8e

  • SHA512

    699e47477dd0126746bf1c379faac597fac7b42d2b51ae401a080e465de1f2fc1a84b9c4b6ab194280e8fb24cc425ab35543c56e8faeac8c3e7ec2de31965395

  • SSDEEP

    24576:ck/ATeXYiAFAQ50dZ+D8rSScaH36SCVzCObhQUu1OaF6UJport:FoTEpffcR9CMhu1Z6C6

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\SysWOW64\GANSOJ\XWI.exe
      "C:\Windows\system32\GANSOJ\XWI.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\GANSOJ\AKV.exe

    Filesize

    463KB

    MD5

    5e5779ae5ae80c6c63c314fb4ae4f937

    SHA1

    90482bd8fcb2aeea505c33763c8c1e60f5b24c08

    SHA256

    c1ab672486b01d8f1cb79f4edb631ce6752febaedb83ee3a8f0260b4359b1d3b

    SHA512

    d132cda0e75052d4bff46dc72828191fed22745b193c743c4f298273589610cf227aa8ff88831763b1815689c79c4b363b56d72a31250da38c7a8933588b0855

  • C:\Windows\SysWOW64\GANSOJ\XWI.001

    Filesize

    61KB

    MD5

    531e64a4fe6c3ca60a609d1ee60d5ef5

    SHA1

    618d2ad5cc0d74a9a66946791544540c62ca9317

    SHA256

    89e94f28792d0de2fbb74eb5a2368b30db5e154f6845a1778e2cdf81ce1fb501

    SHA512

    5bf245d3371fcb90401ff5fa735b7e1f2672c9efa90c8917dcbe9164bd49adf43855017db7b14fb51da045362b8d38a293c91ce21825721726f173419336c9ce

  • C:\Windows\SysWOW64\GANSOJ\XWI.002

    Filesize

    43KB

    MD5

    b42f6052ceed5cce1bcaf3ecfcf65ece

    SHA1

    121e9a32af559261ec7485f8923463beea618e89

    SHA256

    8969214d0824806ae4af98abed05b38a80b9f04390f1b5b81e5351cebc5e6984

    SHA512

    c8907c30535e6bb68ff3175adf97180f01fb6a50b9c65ee4f58f19f17908e348480225b8d7a25d9bff42b29b6dea059480d124ec3ade5346053e26f2597c5175

  • C:\Windows\SysWOW64\GANSOJ\XWI.004

    Filesize

    1KB

    MD5

    0ead3873825dff6f90c132331103369f

    SHA1

    1931852a5dd6868d1d1041ab2c6051b0350296cd

    SHA256

    08ee325adaecc1e457eebdf38ec2edf9a0ba4f83a9f3f4e545ed2de113ccef12

    SHA512

    1149072b4ba57fd21a0cc939890323d8d734b31d2778fc5f5580afd76420932aea4fd58aa3c91ddb72ff4de2db7061f62fd271968e20c51b8bd75deff15109d2

  • C:\Windows\SysWOW64\GANSOJ\XWI.exe

    Filesize

    1.5MB

    MD5

    7c66e42411616c20e365cf927e0501b0

    SHA1

    ad749fa5974ad5480caff11d9c412f7321da84c7

    SHA256

    ada5a9d3b0947cc3dbab16da7e8737d5a21fc3decbc413f31fe808b065bca5c3

    SHA512

    04e55da475e1e933527f3320a18fcd2ff47cd19f960a071a1b9b14e710a9caf9d7f9e8a9404719aab4ff32c323d56b9e7eba700b9cd01af25afca6b4023e37cf

  • memory/4428-16-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB

  • memory/4428-18-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB
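The following Python script is an added example and is not part of the sandbox report or of any vendor tooling. It turns the report's indicators into host checks: the SHA256 values and drop paths are copied from the Downloads section above, and the process-tree pattern (a dropper in the user's Temp directory starting a second executable from a sub-directory of SysWOW64) comes from the Processes section. Note that XWI.exe's command line reads C:\Windows\system32\GANSOJ\ while its image path is C:\Windows\SysWOW64\GANSOJ\, which is consistent with WOW64 file-system redirection of a 32-bit process writing to "System32", so both spellings are checked. The report does not say which Run-key value name XWI.exe registers, so the Run-key check matches any value whose command points into the drop directory rather than a specific name. All function and variable names are the example's own.

```python
"""Host-hunting helpers built from the IoCs in the report above (added example)."""
import hashlib
import ntpath
import os

# SHA256 values and sandbox paths copied from the Downloads section of the report.
DROPPED_FILE_HASHES = {
    "c1ab672486b01d8f1cb79f4edb631ce6752febaedb83ee3a8f0260b4359b1d3b": r"C:\Windows\SysWOW64\GANSOJ\AKV.exe",
    "89e94f28792d0de2fbb74eb5a2368b30db5e154f6845a1778e2cdf81ce1fb501": r"C:\Windows\SysWOW64\GANSOJ\XWI.001",
    "8969214d0824806ae4af98abed05b38a80b9f04390f1b5b81e5351cebc5e6984": r"C:\Windows\SysWOW64\GANSOJ\XWI.002",
    "08ee325adaecc1e457eebdf38ec2edf9a0ba4f83a9f3f4e545ed2de113ccef12": r"C:\Windows\SysWOW64\GANSOJ\XWI.004",
    "ada5a9d3b0947cc3dbab16da7e8737d5a21fc3decbc413f31fe808b065bca5c3": r"C:\Windows\SysWOW64\GANSOJ\XWI.exe",
}

# The drop directory as seen in the image path (SysWOW64) and in the command line
# (system32): a 32-bit process writing to System32 is redirected to SysWOW64 by WOW64,
# so a Run value or a log line may carry either spelling.
DROP_DIRS = (r"C:\Windows\SysWOW64\GANSOJ", r"C:\Windows\system32\GANSOJ")
SYSTEM_DIRS = (r"C:\Windows\SysWOW64", r"C:\Windows\System32")


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, known_hashes: dict) -> list:
    """Hash every file under root; return (local_path, label) for each hash found in known_hashes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            local = os.path.join(dirpath, name)
            try:
                digest = sha256_of(local)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            if digest in known_hashes:
                hits.append((local, known_hashes[digest]))
    return hits


def _under(path: str, directory: str) -> bool:
    """Case-insensitive test that path lies strictly below directory, using Windows path
    rules (ntpath works on any host OS). Junctions and WOW64 aliases are not resolved."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + ntpath.sep)


def suspicious_spawn(parent_image: str, child_image: str) -> bool:
    """Process-tree pattern from the report: an executable running from the user's
    Temp directory starts a second executable that lives in a sub-directory of
    System32 or SysWOW64. Binaries directly in System32 (cmd.exe etc.) are not flagged."""
    parent_in_temp = "\\appdata\\local\\temp\\" in ntpath.normcase(parent_image)
    child_dir = ntpath.dirname(child_image)
    child_in_sys_subdir = any(_under(child_dir, d) for d in SYSTEM_DIRS)
    return parent_in_temp and child_in_sys_subdir


def _image_from_command(cmd: str) -> str:
    """Extract the executable from a Run-key command. Quoted paths are handled;
    an unquoted path containing spaces is truncated at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_run_values(run_values: dict) -> list:
    """Given {value_name: command} as read from HKCU or HKLM
    Software\\Microsoft\\Windows\\CurrentVersion\\Run, return the value names whose
    executable lives in the drop directory. The report does not give the value name
    XWI.exe registers (assumption), so matching is by target path, not by name."""
    return [name for name, cmd in run_values.items()
            if any(_under(_image_from_command(cmd), d) for d in DROP_DIRS)]


if __name__ == "__main__":
    # Stand-alone use on a Windows host: hash whatever sits in the drop directory.
    for d in DROP_DIRS:
        if os.path.isdir(d):
            for local, label in scan_tree(d, DROPPED_FILE_HASHES):
                print(f"MATCH {local} == sandbox {label}")
```

Hash matching catches only byte-identical drops of this sample; the path and process-tree checks are the ones that survive a rebuilt payload, at the cost of needing tuning against installers that legitimately write under System32.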