Overview

overview

10

Static

static

3

0be0bdaf24...18.exe

windows7-x64

10

0be0bdaf24...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0be0bdaf2411b80e5dbfbd4ac2182401_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    0be0bdaf2411b80e5dbfbd4ac2182401

  • SHA1

    34b7c4dd92be1fd2a279d2e16d5a2cbdd28d9085

  • SHA256

    196fc16f7dea1f5a38abc8884ec90209d101f35eeda4c5b9cb780c4dd6a77839

  • SHA512

    e6fbed8ad3132449ba9ce7bdc6b25eb46c6f9d2dec7d46b48c2c2ff633e92123e6e8fdc0cbc75137fa9b4eb650c711fc613a21f0914044b974f9f1358e8569de

  • SSDEEP

    24576:oU4oTrASu6kfbfXWalUVrVq8F3YVMYw8PEQfoYZUTT8gbBhLdfCoYzsTV5no:oULTrA/fzXfMrVJCM+gYKZ756oYzO

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0be0bdaf2411b80e5dbfbd4ac2182401_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0be0bdaf2411b80e5dbfbd4ac2182401_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\RJGHFY\ABQ.exe
      "C:\Windows\system32\RJGHFY\ABQ.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\RJGHFY\ABQ.exe > nul
        3⤵
          PID:2816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\RJGHFY\ABQ.001
      Filesize

      60KB

      MD5

      a15c556f17d7db8287e023138942d5db

      SHA1

      880bf8ec944120830dc2e2e040e5996e4e0e6c83

      SHA256

      f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

      SHA512

      930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

      Download Submit

    • C:\Windows\SysWOW64\RJGHFY\ABQ.002
      Filesize

      43KB

      MD5

      daabecdfba287a3333b60ae82211acd7

      SHA1

      e67b4c7bf0dd71ad47263a58bb60be4bce504b84

      SHA256

      12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

      SHA512

      937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

      Download Submit

    • C:\Windows\SysWOW64\RJGHFY\ABQ.004
      Filesize

      1KB

      MD5

      52b24a3e4d624fcda22ae914df451ce9

      SHA1

      f8c956b4375dac4bd26d509152eef292d37d81b8

      SHA256

      43dc816b0931cee27a40e4dd4c64f5466b6240ae33ee804b217655a426736186

      SHA512

      07d47b582e803c34673fd7b9f2652bc41c331b953092c2b2b364b4e61fa3d5a5c0c2272f53c9456e51709ae6857a3116b6f38777f7519ae6105f106d9794d439

      Download Submit

    • C:\Windows\SysWOW64\RJGHFY\AKV.exe
      Filesize

      456KB

      MD5

      48cfaed4d566c34716326302b49bdad2

      SHA1

      566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

      SHA256

      54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

      SHA512

      96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

      Download Submit

    • \Windows\SysWOW64\RJGHFY\ABQ.exe
      Filesize

      1.7MB

      MD5

      f3819a6cab8ae058254c4abb3844d87e

      SHA1

      0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

      SHA256

      3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

      SHA512

      dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

      Download Submit

    • memory/2720-15-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2720-17-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download