Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
18-07-2024 17:30
General
-
Target
58613636824b792c643400dd4eb83689_JaffaCakes118.exe
-
Size
968KB
-
MD5
58613636824b792c643400dd4eb83689
-
SHA1
3e389ba974790143487e052f450aa3364c70bb46
-
SHA256
fae7252ed994b1bc9e58cf13848c2aab33984c058a82102198b2ee928e67493a
-
SHA512
f09c60f309973f4195b773ecd037a2e4d784d2fa240090280dda6a93f84b7c58549521145a55feb091d3b5ed53369ddbf42426f10508da3f282dfccd3036e477
-
SSDEEP
24576:kDrTkLNK3ANVDRFnfKemOGytV/qQLINByAU4VYLUgtx:kXTX3A3bfV6Q91UyvWg3t
Malware Config
Signatures
-
Ardamax
A keylogger first seen in 2013.
-
Ardamax main executable 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\58613636824b792c643400dd4eb83689_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\58613636824b792c643400dd4eb83689_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\FYAGUI\STF.exe"C:\Windows\system32\FYAGUI\STF.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5da40e93ad90ab590fe53693447794639
SHA1ecf59a5ecbd382191169eda65f86ea331dd08547
SHA256b82f906b6429aa5c3df2dd7d2b61f33912c8db41ff783d35731050a024bc6420
SHA51287dbcbd1825ea71c78583680650236e8a8f8d4f718cf85f1542ed51fb1caaa4ff059ff0f201125564bcd80fa9d20c1d9ccd11e37133c7fef5ad30b27996f44e6
-
Filesize
44KB
MD5377ce908ebaea0de394f2e850ca6a26a
SHA1d54276a5deeab532d5e5e3602e08d608e95c0707
SHA256dd81ace139ab0d6ca157775a5479fe6b94dc58de3a9bf81d39225967697cbcef
SHA512fda6bd43017754e7fa23037591073a52bdecac8629b5b2fe0eb924fd958dd450074b742ee94879430e0d4155efa9fc0a080b6dd035cf726cce3cb575ac6eb35f
-
Filesize
1KB
MD510ef36e4bdbee0402d897a7baef86c4d
SHA1e640daa538be5c93c1d2cd65e1272c2237969d53
SHA256d6a0d38441fe4b8a47eb615973e523cf68c969e95f941618f3bbc6802ad17ae1
SHA51262789b6d3da7003c8e7247acb869988315f91e21db52dcf7eabe0a084e3fceadc8716b95847ba8a1619704b5f8555cb774681f71243338aa0d2440caf37d1fb5
-
Filesize
1.7MB
MD5913606bf5ce3b52911d6645f99b066da
SHA11a651dbc73e39f9f8ff4b8979b463e9b2c480f60
SHA256082036e132e0317a4dfa2add3e76ec42a82c6c64623d4cffc92314f3511bdc4d
SHA512d136e882a1a87eac4706b4aea82a10584d7570116e6b025f6ee419d13eb2760dde2f54a10fa1ac149be62441f75f171ba0dc8503c00d404877ff9d433212604a
-
Filesize
1.7MB
-
Filesize
1.7MB