Overview

overview

10

Static

static

3

390405fc04...18.exe

windows7-x64

10

390405fc04...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    390405fc046ae32cd3054789355dcfcf_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    390405fc046ae32cd3054789355dcfcf

  • SHA1

    b6df3ec348102f53101a27d2b7b71490d2bbcfe3

  • SHA256

    682104fc430fa80720e1cd611a6b563cde1bcc9a3989bb3be824788a72b59ccc

  • SHA512

    351fac2477e476b70b655a42b57b43c17c6d2f2ab47c9133e3b2280e2132dd286f98153df53dd7d8307091ed896e4aae8bbc0662054a845dfb3003e89e697461

  • SSDEEP

    24576:nGaUTvUwuPTfTMmTjzVbCBlZ7OiyaHv7lcVTkQplZHaGHM0lnZK8G5KQP5:nGrTvULPTfTrzhCFODQKV3h9ALB

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\390405fc046ae32cd3054789355dcfcf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\390405fc046ae32cd3054789355dcfcf_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\SysWOW64\MITGWG\KUY.exe
      "C:\Windows\system32\MITGWG\KUY.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\MITGWG\KUY.exe > nul
        3⤵
          PID:4328

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\MITGWG\AKV.exe
      Filesize

      456KB

      MD5

      45a56a60fc710085ef72a86ae4de2a44

      SHA1

      91133410b770cfc8433b976aa44fc34346e614e6

      SHA256

      82d3a18d8121ad32e61d0c1fc1dabb2073d21ce82431c9d1259e2589aad373e2

      SHA512

      c4322b3b668efd8858ce71e1d80e25f21f75b39d4331d8c88050a8f484e524eac58226dfdbeb89fe569e89a6e93fcbb3300d537666126eb3fbf4fe54136aabbf

      Download Submit

    • C:\Windows\SysWOW64\MITGWG\KUY.001
      Filesize

      60KB

      MD5

      5b79ad0d1d30119158b5ab4147edbd96

      SHA1

      6f802d57d49d7063e40b7bebafa8fb1051e0a907

      SHA256

      4ccebd38ac000cbc33a6cfc2e87e900ef64ba4b978f3facfdb5870e217ac3ff7

      SHA512

      497e3eff3c7356cf12efd153b651d1a1ef2cb07302eb5b71dcff0d6732e5273bcff5f82897dff85cdaae0bc159fa9c4588e3bc90ab12521532675bf116757c6b

      Download Submit

    • C:\Windows\SysWOW64\MITGWG\KUY.002
      Filesize

      43KB

      MD5

      af3efaa90f29f6506693136ae1674fc7

      SHA1

      897aea8f6df7e29d43954512fc390b97c0eb4550

      SHA256

      4658d92f74df5ee142c08157985e25e41f74aaaa4256df9dfc9a011b7c3f0f44

      SHA512

      1a87ce2d0767204b1d636ce70c083c71f5cfa064680218906ff86c233968baca7ef605f2b1d9bfaf8326a8cbff7074ace766604b283c1a2b50d5788038dc9863

      Download Submit

    • C:\Windows\SysWOW64\MITGWG\KUY.004
      Filesize

      1KB

      MD5

      b3cc977d0924d844cb85db9ca5e825c0

      SHA1

      9a9e43f2c799b211668d6fe7a3d88adff3890f72

      SHA256

      6d6a07734788efc8393671aaa343adb6a56327c2c54d2be61c60ce1f878b11ec

      SHA512

      0a84f1827cc9fe821b91ecd92d4b424e69823720b712fc81ff23730addc7de681e558fafe158edbfa93ed0087d4c6dd86f426a76da450bf9cb3f3ee4ae5bc764

      Download Submit

    • C:\Windows\SysWOW64\MITGWG\KUY.exe
      Filesize

      1.7MB

      MD5

      78dd492b06d03744d1954781d33775ca

      SHA1

      ef9462193e6ba7be64458ea1be6afcaeadc574b1

      SHA256

      c0664f94e9b2a7817f79b9457c31e524ef72ed7c073e79546d67e857b4637ede

      SHA512

      f88734970018f46b8c4ce350cccf577ac056957e933deb493becbc30b7165834ca68db423850220f8944b364dc97e1423247192faf4f3e4db85cf25c4576eef9

      Download Submit

    • memory/4896-18-0x0000000000D00000-0x0000000000D01000-memory.dmp

      Filesize

      4KB

      Download