Analysis

  • max time kernel
    159s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/06/2024, 23:04

General

  • Target

    17ddf2ebc8a2c90039757eb88a160e48_JaffaCakes118.exe

  • Size

    6.7MB

  • MD5

    17ddf2ebc8a2c90039757eb88a160e48

  • SHA1

    08ae89e1428e569042a284b52aafaab16e116c43

  • SHA256

    95053ff336290f30f1b26b974cbc567711c1d647e96fbb989e62b6230b9481d8

  • SHA512

    d4be93e43dd02e179e09399add919f623d5aeda6e89556741828ee3e892f9e45eb668551dceae8285bdf3517b86eb2c8c0cc2da7798955a7e60d361df830deb4

  • SSDEEP

    196608:x+TwuskzQ5IAFMhZF2JW7V1796MS6XJq9mJE2pVK++U/z:xAwusJ5IAFof2UXQ6XsmNpT1/

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17ddf2ebc8a2c90039757eb88a160e48_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17ddf2ebc8a2c90039757eb88a160e48_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\SysWOW64\VWGBPJ\IGV.exe
      "C:\Windows\system32\VWGBPJ\IGV.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\VWGBPJ\IGV.exe > nul
        3⤵
          PID:4740
      • C:\Users\Admin\AppData\Local\Temp\UNLOOCK.exe
        "C:\Users\Admin\AppData\Local\Temp\UNLOOCK.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1652
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2308
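The signature list and the process tree above describe one chain: a dropper in the user's Temp directory writes a payload into a freshly created subdirectory of SysWOW64, the payload registers itself under a Run key, and it then spawns cmd.exe to delete its own image. The following is an added example, not part of the sandbox report and not the sample's code: it encodes those four behaviours as heuristics over Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set). The EVENTS list is constructed by hand to mirror the tree above; PIDs and paths come from the report, while the parent PID of the first process, the user SID, the Run value name and the allowlist of legitimate System32 subdirectories are assumptions.

```python
"""Heuristic detection for the dropper chain shown in this report, over
constructed Sysmon-style events. Added example; EVENTS is hand-built."""
import re

# Event ID 1 = process create, 11 = file create, 13 = registry value set.
EVENTS = [
    {"EventID": 1, "ProcessId": 4184, "ParentProcessId": 1000,  # parent PID assumed
     "Image": r"C:\Users\Admin\AppData\Local\Temp\17ddf2ebc8a2c90039757eb88a160e48_JaffaCakes118.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\17ddf2ebc8a2c90039757eb88a160e48_JaffaCakes118.exe"'},
    {"EventID": 11, "ProcessId": 4184, "TargetFilename": r"C:\Windows\SysWOW64\VWGBPJ\IGV.exe"},
    {"EventID": 11, "ProcessId": 4184, "TargetFilename": r"C:\Windows\SysWOW64\VWGBPJ\IGV.001"},
    {"EventID": 1, "ProcessId": 1128, "ParentProcessId": 4184,
     "Image": r"C:\Windows\SysWOW64\VWGBPJ\IGV.exe",
     "CommandLine": r'"C:\Windows\system32\VWGBPJ\IGV.exe"'},
    {"EventID": 13, "ProcessId": 1128,  # SID and value name "IGV" are assumptions
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\IGV",
     "Details": r"C:\Windows\SysWOW64\VWGBPJ\IGV.exe"},
    {"EventID": 1, "ProcessId": 4740, "ParentProcessId": 1128,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\VWGBPJ\IGV.exe > nul'},
    {"EventID": 1, "ProcessId": 1652, "ParentProcessId": 4184,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\UNLOOCK.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\UNLOOCK.exe"'},
    # Benign control: a legitimate executable in a known System32 subdirectory.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic os get caption"},
]

# An .exe exactly one directory below the system directory (after _norm).
SYS_SUBDIR_EXE = re.compile(r"^c:\\windows\\syswow64\\([^\\]+)\\[^\\]+\.exe$")
# Assumed, illustrative allowlist of one-level System32 subdirectories that
# legitimately hold executables; build the real list from your own baseline.
KNOWN_SUBDIRS = {"wbem", "drivers", "spool", "oobe", "sysprep", "dism"}
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\")
# "cmd /c del [/f /q] <path>"; the optional switches are tolerated.
DEL_CMD = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)"?', re.I)


def _norm(path: str) -> str:
    """Lower-case and collapse the WOW64 alias. A 32-bit process that names
    C:\\Windows\\system32\\... is redirected to SysWOW64, which is why the
    command lines above say system32 while the image paths say SysWOW64.
    Collapsing both is intended: these heuristics treat them as one location."""
    p = path.strip('"').lower()
    return p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def _in_system_dir(path: str) -> bool:
    return _norm(path).startswith("c:\\windows\\syswow64\\")


def detect(events):
    """Return (rule, pid, path) findings for the four heuristics."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            m = SYS_SUBDIR_EXE.match(_norm(e["Image"]))
            if m and m.group(1) not in KNOWN_SUBDIRS:
                findings.append(("exe_in_unknown_system_subdir", pid, e["Image"]))
            # Self-deletion: a child cmd.exe whose "del" target is the parent's image.
            parent = procs.get(e["ParentProcessId"])
            d = DEL_CMD.search(e["CommandLine"])
            if d and parent and _norm(d.group(1)) == _norm(parent["Image"]):
                findings.append(("self_delete_via_cmd", parent["ProcessId"], parent["Image"]))
        elif e["EventID"] == 11:
            actor = procs.get(pid)
            if actor and USER_TEMP.match(_norm(actor["Image"])) and _in_system_dir(e["TargetFilename"]):
                findings.append(("temp_process_writes_system_dir", pid, e["TargetFilename"]))
        elif e["EventID"] == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower():
            m = SYS_SUBDIR_EXE.match(_norm(e["Details"]))
            if m and m.group(1) not in KNOWN_SUBDIRS:
                findings.append(("run_key_to_system_subdir", pid, e["Details"]))
    return findings


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:32} pid={pid} {path}")
```

The WOW64 normalisation is the part most often missed when writing these rules from a sandbox tree: the file lands in SysWOW64 even though every 32-bit command line names system32, so a rule keyed on the literal string in the command line will not match the path recorded by the file-create event.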

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\UNLOOCK.exe

        Filesize

        5.7MB

        MD5

        2b47577b7af16653f93ec2a3b9dcebc7

        SHA1

        0118e14d3b777d2948fce4f5b6f6adfe8cd65367

        SHA256

        5036557640f548acdf7a42890f32063fbb724b31020f49325f44b0cefe992eb8

        SHA512

        3dd3afd368436cb07bb2a188ddd0a963f144412a9cbe14c99df792f19856f3991096b298333725d40411a3634cf7d295fef396122f7aea11c2b9f142f43beb27

      • C:\Windows\SysWOW64\VWGBPJ\AKV.exe

        Filesize

        456KB

        MD5

        1f29b1075a91b3da0ccc0b9c49eece56

        SHA1

        048e675f087181035aedece9e7b11d065c6355cc

        SHA256

        4f6825548b32329c3360ed9abb7c0a6809a2c2291cf0bcaac511a9fa32a6336e

        SHA512

        7e152caf055f57f599ecc1e3a404b540b721b3315d2ba16bff6eb21f03edeb3a06ae185621e3139293612d94210f500f098bd281489ca7f336efd8b5284ee060

      • C:\Windows\SysWOW64\VWGBPJ\IGV.001

        Filesize

        61KB

        MD5

        31c866d8e4448c28ae63660a0521cd92

        SHA1

        0e4dcb44e3c8589688b8eacdd8cc463a920baab9

        SHA256

        dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

        SHA512

        1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

      • C:\Windows\SysWOW64\VWGBPJ\IGV.002

        Filesize

        43KB

        MD5

        093e599a1281e943ce1592f61d9591af

        SHA1

        6896810fe9b7efe4f5ae68bf280fec637e97adf5

        SHA256

        1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

        SHA512

        64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

      • C:\Windows\SysWOW64\VWGBPJ\IGV.003

        Filesize

        68KB

        MD5

        e62282afbb1c9f894927a0342f66e071

        SHA1

        1ab7481a0e770d92ac8ef50b56efa9730ce31a22

        SHA256

        0e9ad560a655389505223a02839368ed7a85deb0b9b19a3d0885a05f372d6811

        SHA512

        d5c44ab9f014c816be109e508e16eed753e47691df3f87980eafcc3b698ce11f6aff2650a526837d54312a26fe88dfdfc88d33c9bf4044971b654e8be250ff78

      • C:\Windows\SysWOW64\VWGBPJ\IGV.004

        Filesize

        1KB

        MD5

        74c1aa0508c3a034ac850b7ed0aadc10

        SHA1

        5042d5d48100c999ed015676e1fdeca9b4989c7d

        SHA256

        7b0dd36933b0621c89eece29f632cda618a564d3c8d02dbccd2b4f53b63aa387

        SHA512

        f4806b81651971c09a9253c43d780335e2dc09a6185fc85a20c721d3dbd6d1379b3cf0507f7dcebf5ba4d979669105f2359fafdeca0e1d38fe574f2da72bc39e

      • C:\Windows\SysWOW64\VWGBPJ\IGV.chm

        Filesize

        20KB

        MD5

        164ea98e2f64635f8a097870781da36c

        SHA1

        7cd9294657902f6bc199007e30f6514fce66f666

        SHA256

        c69e694d6db9a958a99901afb86a8b864a17b510a5dcdd1c176f53abf0c61a61

        SHA512

        4e19842a0d959876cdac60fd145fa36f2d98650b843c6faea2b01e205b2f0ce262b45c1c60fbf483320f012d4c00b96dff36e72d27ecbe9133f09d6618cbde20

      • C:\Windows\SysWOW64\VWGBPJ\IGV.exe

        Filesize

        1.5MB

        MD5

        0aaffc12ef1b416b9276bdc3fdec9dff

        SHA1

        9f38d7cf6241d867da58f89db9ff26544314b938

        SHA256

        42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

        SHA512

        bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

      • memory/1128-42-0x0000000000630000-0x0000000000631000-memory.dmp

        Filesize

        4KB

      • memory/1128-47-0x0000000000630000-0x0000000000631000-memory.dmp

        Filesize

        4KB

      • memory/1652-45-0x0000000000400000-0x0000000000425000-memory.dmp

        Filesize

        148KB
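The Downloads list above is the report's indicator set: every dropped file with its size and four hashes, plus the memory regions dumped from the two payload processes. The following is an added example, not part of the sandbox report: it parses that list into records, rejects malformed hash values, flags the install layout the list shows (one `<stem>.exe` beside `<stem>.001` and friends in a subdirectory of SysWOW64), and checks a byte string against a record's digests. SAMPLE is a constructed excerpt of the list above, and the bullet and label conventions it relies on are those of this page.

```python
"""Turn the Downloads list of this report into checkable IoC records.
Added example; SAMPLE is a constructed excerpt of the list above."""
import hashlib
import re
from collections import defaultdict

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\UNLOOCK.exe

  Filesize

  5.7MB

  MD5

  2b47577b7af16653f93ec2a3b9dcebc7

  SHA256

  5036557640f548acdf7a42890f32063fbb724b31020f49325f44b0cefe992eb8

• C:\Windows\SysWOW64\VWGBPJ\IGV.001

  Filesize

  61KB

  MD5

  31c866d8e4448c28ae63660a0521cd92

• C:\Windows\SysWOW64\VWGBPJ\IGV.exe

  Filesize

  1.5MB

  SHA256

  42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

• memory/1128-42-0x0000000000630000-0x0000000000631000-memory.dmp

  Filesize

  4KB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = set(HASH_LEN) | {"Filesize"}
COMPANION_EXTS = {".001", ".002", ".003", ".004", ".chm"}


def parse_downloads(text):
    """Each '• <path>' opens a record; a label line is followed by its value.
    Hash values must be lower-case hex of the right length or parsing fails."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            current = {"path": line[2:], "hashes": {}}
            records.append(current)
            pending = None
        elif line in LABELS:
            pending = line
        elif current is None:
            continue
        elif pending == "Filesize":
            current["size"], pending = line, None
        elif pending in HASH_LEN:
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[pending], line):
                raise ValueError(f"{current['path']}: malformed {pending} {line!r}")
            current["hashes"][pending], pending = line, None
    return records


def companion_sets(records):
    """Stems in a one-level System32/SysWOW64 subdirectory that have an .exe
    plus at least one numbered/.chm companion, as the report's layout shows."""
    by_dir = defaultdict(lambda: defaultdict(set))
    for r in records:
        if "\\" not in r["path"]:  # memory dumps and other non-file entries
            continue
        d, name = r["path"].rsplit("\\", 1)
        stem, dot, ext = name.rpartition(".")
        if dot:
            by_dir[d][stem].add("." + ext.lower())
    hits = {}
    for d, stems in by_dir.items():
        if not re.match(r"^c:\\windows\\(system32|syswow64)\\[^\\]+$", d, re.I):
            continue
        for stem, exts in stems.items():
            if ".exe" in exts and exts & COMPANION_EXTS:
                hits[f"{d}\\{stem}"] = sorted(exts)
    return hits


def matches(data: bytes, record) -> bool:
    """True when every digest the record carries matches the given bytes."""
    algos = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
    hashes = record["hashes"]
    return bool(hashes) and all(
        hashlib.new(algos[k], data).hexdigest() == v for k, v in hashes.items())


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    for r in recs:
        print(r["path"], r.get("size"), sorted(r["hashes"]))
    print(companion_sets(recs))
```

The directory name (VWGBPJ) and the three-letter stem (IGV) are specific to this build, so the layout check is the part of this that transfers to other hosts; the hashes only catch this exact set of files.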