Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 12:08

General

  • Target

    390d998378d61d45cf8186dda81fda6d_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    390d998378d61d45cf8186dda81fda6d

  • SHA1

    04b5001109a6e348b7a9fd4b53114beef94e9098

  • SHA256

    de5f83e416d00716b3837d527ed3ac798fc13b1032bcb271f302fa8b5aa0f12f

  • SHA512

    91f74a922f3d79ecbe2b7a64311e2d7c53148f4ce8328c18b7fd0b75f2de2861f6518406c95e1906bfa6e41c6b6adea92f9441ed4e5597cdf56da886f594eb15

  • SSDEEP

    24576:dZxTwVLKHKof5lDPRj7NOZVGVaIVfX4RdP4jOmVu0V27gTt:dXTwVOHK+nvu0VvfX4voLVu

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\390d998378d61d45cf8186dda81fda6d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\390d998378d61d45cf8186dda81fda6d_JaffaCakes118.exe"
    PID: 1456
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\IRBCJG\QAS.exe (child of PID 1456)
      Command line: "C:\Windows\system32\IRBCJG\QAS.exe"
      PID: 776
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (child of PID 776)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\IRBCJG\QAS.exe > nul
        PID: 4496
  • C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 2880

Downloads

  • C:\Windows\SysWOW64\IRBCJG\QAS.001
    Filesize: 61KB
    MD5: 31c866d8e4448c28ae63660a0521cd92
    SHA1: 0e4dcb44e3c8589688b8eacdd8cc463a920baab9
    SHA256: dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1
    SHA512: 1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

  • C:\Windows\SysWOW64\IRBCJG\QAS.002
    Filesize: 43KB
    MD5: 093e599a1281e943ce1592f61d9591af
    SHA1: 6896810fe9b7efe4f5ae68bf280fec637e97adf5
    SHA256: 1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009
    SHA512: 64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

  • C:\Windows\SysWOW64\IRBCJG\QAS.004
    Filesize: 1KB
    MD5: fdd6dca9ffc1b57a986325e5051b5ab3
    SHA1: 4e209c9352ce3f83aa8abe7cdca2e8388603da57
    SHA256: e27aca239e1246eb9e5e28b07d43a34fb87a932acea721ad0fb192851eccf91f
    SHA512: 65eec3611d1197d16e868967b63a2129243084b4c1f557bdd6a94d79bdc78ad0fad2d3f0de0dc196caf16c96221d0ff84ddee78415f9cc0fc7ebe7801868b861

  • C:\Windows\SysWOW64\IRBCJG\QAS.exe
    Filesize: 1.5MB
    MD5: 0aaffc12ef1b416b9276bdc3fdec9dff
    SHA1: 9f38d7cf6241d867da58f89db9ff26544314b938
    SHA256: 42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b
    SHA512: bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

  • memory/776-16-0x0000000000850000-0x0000000000851000-memory.dmp
    Filesize: 4KB