Overview

overview

10

Static

static

3

4800946509...18.exe

windows7-x64

10

4800946509...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 03:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4800946509105261ad272066602f25e4_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    4800946509105261ad272066602f25e4

  • SHA1

    0886c63dfdde8563db060c8b1cfe68517c04f5aa

  • SHA256

    0208b064688fa8d20b7a64a8b211a84547489908a5e8e8d751dd93581092d19a

  • SHA512

    24ebbd03fd9ba958705093d5593c48e1dc4a0cd666b6e409fad68b9a949c167a5ac2789ce75d618b752e90d7dfc2f2dc078150c9d6294a5d8a61d87cf885c685

  • SSDEEP

    24576:1ITT3+Wnq80hnf8GrUM4fy3IlStTJ3gkF+oBIVbGPG/pVLna/DiduI:16TX0Nf8g8lStTJNooBcyPqMO

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4800946509105261ad272066602f25e4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4800946509105261ad272066602f25e4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\NXOTCO\YJO.exe
      "C:\Windows\system32\NXOTCO\YJO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\NXOTCO\YJO.001
    Filesize

    61KB

    MD5

    bf311791d2f9ea9c82a8d4764a98c0d8

    SHA1

    405ba2bd110590abd0bf340d12e054405afb011f

    SHA256

    d720cf3d297743da7ab1da528f4c086a29d59ef553e1a96569b49a59831d583b

    SHA512

    8be092f068807767b0065de10f9da386b90d8e587356881ba3391380b953b199e818b527e74b305d7c714fc94cb6f8e66c76d89d1785fa9910aa4cb39c5cada8

    Download Submit

  • C:\Windows\SysWOW64\NXOTCO\YJO.002
    Filesize

    44KB

    MD5

    ce365878123962c3438e349621c10198

    SHA1

    5b861d9fc2923c61ef390a0b729a21078aa5fd59

    SHA256

    ba254f6675490a045d4c85a5f46681c175c1321692c20fc808c7c244173dd63f

    SHA512

    efc6f143d5e9244a6635562d7e9a9cea22ab7e7b304e933642a51d66da896e9038208b86c12f6da623a01b9175e73eeb40ab600e6625db3595144bfca1231a76

    Download Submit

  • C:\Windows\SysWOW64\NXOTCO\YJO.004
    Filesize

    1KB

    MD5

    1844e61d0b9668ebe9904b7759b5a908

    SHA1

    dc34901925d40751d20e9ac8ace2bc6a863b4077

    SHA256

    66f51b20de22325e65c49a85942c94219dc0748d600077438cc33454303d76df

    SHA512

    d5bc1f577fd7191ae94a880d0bdd2dd11421ba50376572234e13d6f48a76833da7017a9bfe3b5dbf5c09f72483c008789998fc2c23474d9e86fbf9c3c46d1499

    Download Submit

  • \Windows\SysWOW64\NXOTCO\AKV.exe
    Filesize

    490KB

    MD5

    64a6cc55dc76d26448c30a8a1885f7cb

    SHA1

    149e467026647e080b4c69ab4f99b2d3c2b4dbe4

    SHA256

    5cbc0ec73c901be4ac182e13f6869f6f8cf0831b9603e542a3919f6a06087640

    SHA512

    de8cd7bea8113871ce8a36966fbaefd02b8ef7b09a8cbb631b4ac353bdf65b27d5630146ed700fd6edbc4276f4368ebad76b772d9b84349ddc2bd6f7127c377d

    Download Submit

  • \Windows\SysWOW64\NXOTCO\YJO.exe
    Filesize

    1.7MB

    MD5

    8f7590bbba70748e69612e9e2d5a9f2e

    SHA1

    f3ad9834bc38f33fe501b9076c65ac29d0410578

    SHA256

    2dec3a8fb4a5b198335e7f4a9b611194b0a081abf0c56f9df3f4e2697e69d9e4

    SHA512

    347e9ac793afd627e064ecdfea61c3e2b626ace0ea41928aad93a72567048b8e9bdf773f8a4a59a0d96ce8c08612c542c15982e8051828bef025fea6132838c6

    Download Submit

  • memory/2540-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download