Analysis

  • max time kernel
    120s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/06/2024, 20:59

General

  • Target
    0f823f33844f4ff2f7b7a9549012058b_JaffaCakes118.exe
  • Size
    1.3MB
  • MD5
    0f823f33844f4ff2f7b7a9549012058b
  • SHA1
    e7b73c7df148db3f1c4501d583c993c4ccd1ec5d
  • SHA256
    59b3ce0cabc98514427da764cde0a14fb486c48f7fd7c6312f285aba8c8db34a
  • SHA512
    29aba2f01ca120a0786221f83804149b8f62c2dc19c833f0918e0ce65206261531bc377411f6900945e8f89ce8c1c586713b4f248c3c14c57081bc11af1396cb
  • SSDEEP
    24576:BOnITfjkLGTKcrsgrcg8bc3swP2Fa2cX4gKmEGyfBdRTCEdHfxq:BOITx24rcg8bnwOFXE3EG8BRN

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f823f33844f4ff2f7b7a9549012058b_JaffaCakes118.exe (level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f823f33844f4ff2f7b7a9549012058b_JaffaCakes118.exe"
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\SysWOW64\JJWATW\JOG.exe (level 2, child of PID 5072)
      Command line: "C:\Windows\system32\JJWATW\JOG.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4812
  • C:\Windows\system32\OpenWith.exe (level 1)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\JJWATW\AKV.exe
    Filesize: 490KB
    MD5: 4a9c593eecd544d364a177b13c2bca08
    SHA1: 4d45a5bd2ae551e1094eb5b05a1dd771dd5c5a2f
    SHA256: f834b097641aeea37281d50353f3b88fd83749ed77a8db0bfc1f28dc1dfeac7e
    SHA512: b7d5e5eb03f05763b34b722e7b19d320db3b2bb32b1d367bf79376c56a01d3c06541db6c2518623e9aa1ca6a7880189519aa1d09fe27817eb5aff67c62dfea03

  • C:\Windows\SysWOW64\JJWATW\JOG.001
    Filesize: 61KB
    MD5: 1b96913d74f1c4f36c846c0a804a7037
    SHA1: 8e0dfc0012edb64042b018d470950cd5e415aa5a
    SHA256: 553b04ef8dd080a1c8c9b285008fbef1134c44fd98ca7cc2d3600b870882e761
    SHA512: ed6b01ad0dd6ef9ed24c1e5fd8c7f6f1e68c4c5d5c1d75e770c9cda4cdde09c5eefde6009c864956ff1e1e379d40ee105bf7a1a033bd1ee95c797762d1f06f9f

  • C:\Windows\SysWOW64\JJWATW\JOG.002
    Filesize: 44KB
    MD5: 6d836081d32019c0a5928587be5ef42c
    SHA1: d51bdc15dca361f17418746bbe0efa3a7dee046c
    SHA256: 6ca6cab6f131ee5b69d445a64cc269f1489ee8ecaf6dbfdbc400b829490f8c21
    SHA512: 2cabc9d6e8f017b8f42680018cadea69824bb40ec60c7a534135c66363be1b53e575c6fe39b8861923744f62b5e531492f1d729f12de32e29ff9cf7869d22ade

  • C:\Windows\SysWOW64\JJWATW\JOG.004
    Filesize: 1KB
    MD5: d38921d5eee4ddb468a83e6852501706
    SHA1: a10160373dab91a118d906451d74c9b0078ffd26
    SHA256: 30c8facfd49a951ba6ffbf8d85d525a80afc946dd03e498aa92e7eff510749fb
    SHA512: 1fc3fbe7b1a3758c5d77fe81db59658a7ff1f42334bc11654790f67c71d9803b340545cfe52e286294e6969a361894976bdf8adaf25fafb31b33de4345e5e70e

  • C:\Windows\SysWOW64\JJWATW\JOG.008
    Filesize: 327B
    MD5: 63ba797a91e632b1bc21c9cb8ab0aa76
    SHA1: 9434f58a07e188c08518611e93a8f7250d95f824
    SHA256: 7ddb2e2afacf49b50e97d53f0c05d5c9c794608e42ae5a245322653673941670
    SHA512: ae2ed78481e617a2f4b5949674638999376727f06ca0b41a308e91a3660e6437310b86aba6502d1a5f28936f250bbb7cda55fed0483da8b744cd0c7d64f904fa

  • C:\Windows\SysWOW64\JJWATW\JOG.exe
    Filesize: 1.7MB
    MD5: a2ff5d2b7214bd4c0d5e13223ece568c
    SHA1: a710b1d805aba3abd7734c0c07f300d7be95a1af
    SHA256: 60a09a85e7779af967967925237a5408735ea2ecca9b182e0c1049f4f261b302
    SHA512: 909a51ab15b6b793087728bf5ddae551dbd7b32ed16929e6db0a23c897f742e2218b270c9d055fd6f261b3a1e1595daffc387511e85643bf35a8c0b6155c18d8

  • memory/4812-17-0x0000000000660000-0x0000000000661000-memory.dmp
    Filesize: 4KB