Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2024, 09:26

General

  • Target

    257196c587f88956733aef5b754fa2fc_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    257196c587f88956733aef5b754fa2fc

  • SHA1

    6beb3f81fa874f2259c52f9cdd895b9438c7986f

  • SHA256

    2c85ef7ad9d98e67c576376aa3b4f4d6f5dde48df4a5c2b907c084c0ed5e9e0e

  • SHA512

    5bf524100ba8ecf1ea2bb426691df851c82254a929f520926e939ac0605856c312d9e4432ffee6f385432bd1541ea47658c7f408fe59c67131943d1943d8b7be

  • SSDEEP

    49152:KpUc/5vGFEvgpbUUMgY6stBnM5pK7HQkq7:e/5LlAICFkq7

Malware Config

Signatures

  • Ardamax

    A commercial keylogger, sold as monitoring software and widely repurposed by attackers; the sandbox signature dates it as first seen in 2013, although the product itself predates that.

  • Ardamax main executable 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects a file protected with the ACProtect packer (versions 1.3x to 1.4x).

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing (deciding whether to run based on the victim's locale).

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\257196c587f88956733aef5b754fa2fc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\257196c587f88956733aef5b754fa2fc_JaffaCakes118.exe"
    (depth 1)
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3852
    • C:\Windows\firefox.exe
      "C:\Windows\firefox.exe"
      (depth 2)
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\SysWOW64\YOF\YMVC.exe
        "C:\Windows\system32\YOF\YMVC.exe"
        (depth 3)
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3628
      • C:\Users\Admin\AppData\Local\Temp\ctfmon.exe
        "C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"
        (depth 3)
        • Executes dropped EXE
        PID:3768
    • C:\Windows\iexplorer.exe
      "C:\Windows\iexplorer.exe"
      (depth 2)
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        (depth 3)
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        PID:4544
    • C:\Windows\winrar380pro.exe
      "C:\Windows\winrar380pro.exe"
      (depth 2)
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2516

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@4E10.tmp

    Filesize

    4KB

    MD5

    0850d0451f7b387627be1d8448d4e8cc

    SHA1

    f7f346dbb9399a5f3c1e783c66bc82b7110d6f32

    SHA256

    d0f4b9b1c98c68a583e99af328f25220072bf99350407f4d8168cc15714ed9e1

    SHA512

    bb403196ff80b8971486d4a71246de4d4e4b1bbea4505940574ce2d375bc1d55a5ba7606bba9d4b726ad3ef3fe89a1ed377d6d984f2f08fa1f938694fb2f6535

  • C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

    Filesize

    15KB

    MD5

    24232996a38c0b0cf151c2140ae29fc8

    SHA1

    b36d03b56a30187ffc6257459d632a4faac48af2

    SHA256

    d2fed8ccae118f06fd948a4b12445aa8c29a3e7bb5b6fe90970fbc27f426f0b0

    SHA512

    c7b855a664d3359c041c68dffe75c118f9b6cef6c91f150686fb51ad63c1b7daa1b37c0a5de04ec078646f83a2bdea695d7d5e283e651135624208c04dc1cab1

  • C:\Windows\SysWOW64\YOF\YMVC.001

    Filesize

    602B

    MD5

    004a9160b16fef65e460b0301f18e54b

    SHA1

    0d2f2e018a5ec29e35ccc46ea79ba21ef8f8113f

    SHA256

    c70e57b2799a0d4a7364b7495ef49f1d7277fc686d7647052e26f7c62b436899

    SHA512

    49a794a3d586ff3fea26c0554210360a0b33927ac0a7fd05f923b9ab35683877992fe8ab8ac553e5e22a3a8546538dc55e7fec6376d951e78b1f96cb05ab51a2

  • C:\Windows\SysWOW64\YOF\YMVC.004

    Filesize

    14KB

    MD5

    21013e97a0e14b81240b09f7c2068db1

    SHA1

    e470749fe4f2d53c0827a41bc316f479fb04883e

    SHA256

    e6f2d4b46176118f098639cf1da6ab125462ba5ed55cf05054f1d728f9e873c2

    SHA512

    ab66149b2ec844731ad48c4af5c19f886f389e5e645e7eafecaed50b880d5abd39aaf97dd41aff1272f2e5ca259cc68fd12d9d4f52afe4468db9b23c48404667

  • C:\Windows\SysWOW64\YOF\YMVC.006

    Filesize

    8KB

    MD5

    1acf05c81017fb2a272d9c10caeb67f9

    SHA1

    e782df7f04a0146cec392f2200379fc42a4a74ad

    SHA256

    fa5e1d9a2240a678a99a0a11b1d49d6c692bc3ef24a0a1f2cc8f85c1d4e5a894

    SHA512

    c64e5b9c43af483c551b2fd4e143517c79cdef5b4144258f8964695dae3d0e3689194f0be5500369b19d666d0a08b46e15662bc8f1c51e314eee8af54cccb1c3

  • C:\Windows\SysWOW64\YOF\YMVC.007

    Filesize

    5KB

    MD5

    1f154a8e3d92b44b66de52ea426c772d

    SHA1

    5cca6e4b88dafa2caae56ad98df6ca4bdabbd92f

    SHA256

    6e08d5b0986bd2f6a9f7a981a6d951b9e6b71616ec894a9a3b40a0c12ceb3b95

    SHA512

    06501a567500a05082d03818d33d49f3bf7afcdd5ea6e68ed37f09ed4fe6a945f2e86ce418a86a98d42d436d4b76ffaef2434642c8f2fb24f2f445797e5e8c55

  • C:\Windows\SysWOW64\YOF\YMVC.exe

    Filesize

    540KB

    MD5

    3fcec6436ceefe496759d5d95a72946d

    SHA1

    90741b60963323ccff6aacc4f9a4e947967f3c65

    SHA256

    e9f4f9a93da9c4977f330450aa485665789b5f0d422ede2e67237c64eb975434

    SHA512

    44c675bc06b036c64f364db3198db29a8affce246006f8d51cd8de45c131de575ded4d5e1aefeeccd8c82d52529a3b312379ea524b7e49d662249a61c71aab06

  • C:\Windows\firefox.exe

    Filesize

    307KB

    MD5

    86d88dfe2e6ccd68481ee8dabfb83237

    SHA1

    d4e74e05bcbf0588d9493e8394c7a9f31b01c856

    SHA256

    621e54f43f34c30234c1e5414992d8215f404a214c5ad45bd76e7dc2b4b26c89

    SHA512

    f5c1ebed9b57d0817a7b78edc9bb1efb236d66fc84f06827db7edeb171506142523daa225680e3182f8b0cc3afad1766a3ead5dde7c29ed6fa60c68214b167cf

  • C:\Windows\iexplorer.dll

    Filesize

    87KB

    MD5

    351b35491fd178c9e22abccb0d857da3

    SHA1

    faaa307be857526f3654c2e366598d4c5eca2a49

    SHA256

    e157b6eaf46cb69d17710fce2b443836ec32ce47b854f8a3dd406498660d94f4

    SHA512

    8d3fa3bd97cd7e944ea82ee642d06677e558bffa793f5d2a98293e8d35767342ed419626542c02f1ee00e9411d1fee0ccf9625cda101bc3af33c2895ebbd5692

  • C:\Windows\iexplorer.exe

    Filesize

    107KB

    MD5

    9a39c9ee08829ee318def97ebb4ea385

    SHA1

    7a0254abe6c84b2346821fdaa112afa063066bfd

    SHA256

    e598eb8922827274461e947931bcb9b77fd5f46adddd25f5281674985dcb68d2

    SHA512

    6471b0655bee573a1a7b21b784cca0d186908dfeeea8ac52b74c47f2cd1993d14893bc1e860094e3c48c617a01857acaea75c62f56ff91561099582cd5c05853

  • C:\Windows\owegm.kxp

    Filesize

    192B

    MD5

    82b043b124bc11d9214b520263f0d31e

    SHA1

    444f0f91cca942fb44022102d0df2bda6091d1c5

    SHA256

    6b3c6d3812dc01d79e7708b426646d8636296f8b4ae41790c256cb700f32bf99

    SHA512

    0ede172244892825fd0dad60bf7581a7b895323f8d7931536f71d74d1979502811f4d987f6473812a309bbb7e990949647636869be1a2264f3b47d93fab63b3e

  • C:\Windows\winrar380pro.exe

    Filesize

    1.2MB

    MD5

    16806309676ccf03d2f17123a120beb7

    SHA1

    ebd611306011b1ad567f4db43714c397dfff5c22

    SHA256

    3952ac9c504969dee6aaf6c6daed7743e9960c9a7a92d83fb4f3dc0e3132ae32

    SHA512

    f3095d6c6675ae5fb23f33e96164ae94cc970fc154bf5d35cb1924286f94b50a03396c4b36df66abe4d53fc9178fad80b7c595b6bb92afaeec7ced6c987c5d76

  • memory/2516-121-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/3156-107-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/3156-23-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/3156-100-0x0000000010410000-0x000000001044C000-memory.dmp

    Filesize

    240KB

  • memory/3156-54-0x0000000010410000-0x000000001044C000-memory.dmp

    Filesize

    240KB

  • memory/3852-34-0x0000000000400000-0x00000000005A5000-memory.dmp

    Filesize

    1.6MB

  • memory/4544-103-0x00000000031F0000-0x00000000031F1000-memory.dmp

    Filesize

    4KB

  • memory/4544-55-0x00000000008A0000-0x00000000008A1000-memory.dmp

    Filesize

    4KB

  • memory/4544-108-0x0000000010410000-0x000000001044C000-memory.dmp

    Filesize

    240KB

  • memory/4544-116-0x0000000010410000-0x000000001044C000-memory.dmp

    Filesize

    240KB

  • memory/4544-115-0x0000000010410000-0x000000001044C000-memory.dmp

    Filesize

    240KB

  • memory/4544-114-0x0000000010410000-0x000000001044C000-memory.dmp

    Filesize

    240KB

  • memory/4544-113-0x0000000010410000-0x000000001044C000-memory.dmp

    Filesize

    240KB

  • memory/4544-69-0x0000000000B60000-0x0000000000B61000-memory.dmp

    Filesize

    4KB
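Hunting script for the indicators in the Signatures, Processes and Downloads sections above. This is an added example, not part of the sandbox report and not vendor tooling. It assumes an elevated PowerShell 5.1 or later session on the suspect host. File paths and SHA256 values are copied from the report; the Active Setup and Run key locations are the standard Windows ones (the report does not expose which subkey or value name the sample wrote), and the sandbox's C:\Users\Admin profile is generalised to every profile. Note that YMVC.exe appears under both C:\Windows\system32\YOF (command line) and C:\Windows\SysWOW64\YOF (file path) in the process tree: the 32-bit parent writes to system32 and WoW64 file-system redirection lands the file in SysWOW64, so both spellings are checked.

```powershell
# Added triage script (not part of the sandbox report): checks a Windows host for the
# file, Active Setup, Run-key and process indicators listed in this report.
# Assumes an elevated PowerShell 5.1+ session. Paths and SHA256 values are copied from
# the Downloads and Processes sections; registry locations are the standard Windows
# Active Setup and Run key paths, not values extracted from the sample.

$ErrorActionPreference = 'SilentlyContinue'

# SHA256 of each dropped file, keyed by the path the sandbox saw it written to.
# Assumption: the sandbox's C:\Users\Admin is an arbitrary profile on a real host, so the
# ctfmon.exe entry is widened to every user profile.
$DroppedFiles = [ordered]@{
    'C:\Windows\firefox.exe'                    = '621e54f43f34c30234c1e5414992d8215f404a214c5ad45bd76e7dc2b4b26c89'
    'C:\Windows\iexplorer.exe'                  = 'e598eb8922827274461e947931bcb9b77fd5f46adddd25f5281674985dcb68d2'
    'C:\Windows\iexplorer.dll'                  = 'e157b6eaf46cb69d17710fce2b443836ec32ce47b854f8a3dd406498660d94f4'
    'C:\Windows\winrar380pro.exe'               = '3952ac9c504969dee6aaf6c6daed7743e9960c9a7a92d83fb4f3dc0e3132ae32'
    'C:\Windows\owegm.kxp'                      = '6b3c6d3812dc01d79e7708b426646d8636296f8b4ae41790c256cb700f32bf99'
    'C:\Windows\SysWOW64\YOF\YMVC.exe'          = 'e9f4f9a93da9c4977f330450aa485665789b5f0d422ede2e67237c64eb975434'
    'C:\Windows\SysWOW64\YOF\YMVC.001'          = 'c70e57b2799a0d4a7364b7495ef49f1d7277fc686d7647052e26f7c62b436899'
    'C:\Windows\SysWOW64\YOF\YMVC.004'          = 'e6f2d4b46176118f098639cf1da6ab125462ba5ed55cf05054f1d728f9e873c2'
    'C:\Windows\SysWOW64\YOF\YMVC.006'          = 'fa5e1d9a2240a678a99a0a11b1d49d6c692bc3ef24a0a1f2cc8f85c1d4e5a894'
    'C:\Windows\SysWOW64\YOF\YMVC.007'          = '6e08d5b0986bd2f6a9f7a981a6d951b9e6b71616ec894a9a3b40a0c12ceb3b95'
    'C:\Users\*\AppData\Local\Temp\ctfmon.exe'  = 'd2fed8ccae118f06fd948a4b12445aa8c29a3e7bb5b6fe90970fbc27f426f0b0'
}

# Executables the report shows being launched. None of these names belongs in C:\Windows,
# so an autostart entry or live process pointing at one is a hit regardless of hash.
# The system32 spelling is the WoW64 view of the SysWOW64 file.
$DroppedExes = @(
    'C:\Windows\firefox.exe', 'C:\Windows\iexplorer.exe', 'C:\Windows\winrar380pro.exe',
    'C:\Windows\SysWOW64\YOF\YMVC.exe', 'C:\Windows\system32\YOF\YMVC.exe'
)

function Find-IocFiles {
    foreach ($entry in $DroppedFiles.GetEnumerator()) {
        # Resolve-Path expands the C:\Users\* wildcard and yields nothing for absent paths.
        foreach ($hit in (Resolve-Path -Path $entry.Key)) {
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $hit.Path).Hash
            # String -eq is case-insensitive in PowerShell, so the report's lowercase hex compares directly.
            $detail = if ($hash -eq $entry.Value) { 'hash matches report' } else { "present, hash differs: $hash" }
            [pscustomobject]@{ Check = 'File'; Location = $hit.Path; Detail = $detail }
        }
    }
}

function Find-IocAutostart {
    # Active Setup: each subkey's StubPath runs once per user at logon
    # (signature: Boot or Logon Autostart Execution: Active Setup).
    $activeSetupRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
    )
    foreach ($root in $activeSetupRoots) {
        foreach ($sub in (Get-ChildItem -Path $root)) {
            $stub = [string](Get-ItemProperty -Path $sub.PSPath).StubPath
            if ($stub -and ($DroppedExes | Where-Object { $stub -like "*$_*" })) {
                [pscustomobject]@{ Check = 'ActiveSetup'; Location = $sub.PSPath; Detail = $stub }
            }
        }
    }
    # Run keys, including every currently loaded user hive under HKEY_USERS
    # (signature: Adds Run key to start application; YMVC.exe ran in the user's context).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        foreach ($props in (Get-ItemProperty -Path $key)) {
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
                $value = [string]$prop.Value
                if ($DroppedExes | Where-Object { $value -like "*$_*" }) {
                    [pscustomobject]@{ Check = 'RunKey'; Location = "$($props.PSPath)\$($prop.Name)"; Detail = $value }
                }
            }
        }
    }
}

function Find-IocProcesses {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($proc in $procs) { $byPid[[int]$proc.ProcessId] = $proc }
    foreach ($proc in $procs) {
        $path   = [string]$proc.ExecutablePath
        $parent = $byPid[[int]$proc.ParentProcessId]
        # Dropped binaries still running (report: firefox.exe, iexplorer.exe, winrar380pro.exe, YMVC.exe).
        if ($path -and ($DroppedExes | Where-Object { $path -like $_ })) {
            [pscustomobject]@{ Check = 'Process'; Location = "PID $($proc.ProcessId) $path"; Detail = "parent: $($parent.Name)" }
        }
        # svchost.exe not parented by services.exe (report: SysWOW64\svchost.exe spawned by iexplorer.exe).
        if ($proc.Name -eq 'svchost.exe' -and $parent -and $parent.Name -ne 'services.exe') {
            [pscustomobject]@{ Check = 'Process'; Location = "PID $($proc.ProcessId) $path"; Detail = "svchost parented by $($parent.Name) (PID $($parent.ProcessId))" }
        }
    }
}

@(Find-IocFiles) + @(Find-IocAutostart) + @(Find-IocProcesses) | Format-Table -AutoSize -Wrap
```

Read the output as leads, not verdicts: any of these file names present under C:\Windows is a finding on its own, and a hash that differs from the report means a different build of the dropper rather than a clean host. The svchost parent check is a generic heuristic (a real svchost.exe is started by services.exe) and needs analyst confirmation, for example by checking which DLLs the flagged process has loaded against the iexplorer.dll hash above.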