Overview

overview

10

Static

static

3

27eccbde63...18.exe

windows7-x64

10

27eccbde63...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27eccbde63f6ff70152f5700ed24299d_JaffaCakes118.exe

  • Size

    345KB

  • MD5

    27eccbde63f6ff70152f5700ed24299d

  • SHA1

    17fade0059e26df9777293c2de6ea95a4e148fe2

  • SHA256

    0422d1fbfdca89d4197b4f1620bf83077339463c200538846754ae4ac57b825e

  • SHA512

    8d84381f71a13e1d0febc6b62bcfe986c9a5b269fcab81d5396d7d00b1a0d0cef8b625b835b0be6cd193dc0dc9b4510b96c866093425f423255bea56475a1cfa

  • SSDEEP

    6144:gR51w17omW2dW82ZJRovOIzgLm5v4UMohHZcj5kB3Yo3klqW1Hl:QT0djtzgLK4DoykxYo3kZ

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27eccbde63f6ff70152f5700ed24299d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27eccbde63f6ff70152f5700ed24299d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\28463\UWEL.exe
        "C:\Windows\system32\28463\UWEL.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@FD1D.tmp
    Filesize

    4KB

    MD5

    27092ec75c1839f36bfe900a38acc484

    SHA1

    fe14b750a0ed653246c5f358891f8c1241913bb2

    SHA256

    e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

    SHA512

    815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    271KB

    MD5

    49d437dac67bb4bfc08fc2f361b2bb8c

    SHA1

    6e69e0788740348fa8d3ca8f32d92bda9be97f52

    SHA256

    1c1ffbb79f50ebd60c7762e72bb3d14e6dc670adf1f0dfffcd248739e8e4f584

    SHA512

    e90a1b451516dccea06bf9b132e8bc5810d291542ab14b8479f169ac472d113bf6dfcbd6f03609b3089b864bc015d32b18d21c13ea6d312e231e30e9dba0d613

    Download Submit

  • C:\Windows\SysWOW64\28463\UWEL.001
    Filesize

    408B

    MD5

    81accaf08dd571b4fd7010b10a08531f

    SHA1

    2e395a9c03eecd9672199ddef588c1961a600750

    SHA256

    4c13b94409e19d0839742ca4c88c8a69705afdba35eb4960e654e4acead486c0

    SHA512

    cec379ca888721155ec01aaf98c081b9cc1166de44cec60c5432d61ea2df8d016c990260e7dd73ef16aafb18ca63a3f88d9b3b6308a8a283f3be733abe05420c

    Download Submit

  • C:\Windows\SysWOW64\28463\UWEL.006
    Filesize

    8KB

    MD5

    aae8ccee5d5eed5748d13f474123efea

    SHA1

    6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

    SHA256

    10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

    SHA512

    d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

    Download Submit

  • C:\Windows\SysWOW64\28463\UWEL.007
    Filesize

    5KB

    MD5

    40685d22d05d92462a2cfc1bba9a81b7

    SHA1

    f0e19012d0ed000148898b1e1264736bed438da8

    SHA256

    cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

    SHA512

    21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

    Download Submit

  • C:\Windows\SysWOW64\28463\UWEL.exe
    Filesize

    473KB

    MD5

    339ae4ce820cda75bbb363b2ed1c06fd

    SHA1

    62399c6102cc98ed66cbcd88a63ff870cf7b2100

    SHA256

    1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

    SHA512

    5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

    Download Submit

  • memory/2540-30-0x0000000000500000-0x0000000000501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-34-0x0000000000500000-0x0000000000501000-memory.dmp

    Filesize

    4KB

    Download