Analysis

  • max time kernel
    134s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2024 22:17

General

  • Target

    692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe

  • Size

    3.2MB

  • MD5

    692a17f0316e72f95c2865d2e3a75da5

  • SHA1

    b640153939a78eded04125012200ccbc18182161

  • SHA256

    df0cf224c5d36aa12ea0c993aceef953765fcd64148fa2b26f3a4bb70280552e

  • SHA512

    d23a45cad8bb803a3770943b5cd0f62dcdbd81a217a52fec5a24d3ac594e51323b0c1c2c8ec9c5b16f4b224ffe27b8026c986d42e999b4089e5a8cb5eb5aadad

  • SSDEEP

    49152:xGrT1Sk3NAbC1uMWawyxzLaSbgK9dROBvK1sInRhaV1d1N0AsJp+EIzZSj:xmSk3mu1ozy9rgKruwzO1+AsJoz6

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\SysWOW64\YUPIRK\FOE.exe
      "C:\Windows\system32\YUPIRK\FOE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3532
    • C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
      "C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2148

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe

    Filesize

    5.5MB

    MD5

    fdec512cb8752174649d3a513893938a

    SHA1

    9abd77cbe226d820997af6dc47d3e71b2fe3d254

    SHA256

    d5048027c7530d6b7f0c9dd7436f755fa328d4819fca9a1b95fcc8af906096b2

    SHA512

    1258301b2f3e9e7a19c92644cfad73b7db57a35277497315f78603d7ecf1c01e43beeeee6a01f7f23044e360935537369993426a3d4249261a79bec662171cfa

  • C:\Windows\SysWOW64\YUPIRK\FOE.001

    Filesize

    60KB

    MD5

    5b79ad0d1d30119158b5ab4147edbd96

    SHA1

    6f802d57d49d7063e40b7bebafa8fb1051e0a907

    SHA256

    4ccebd38ac000cbc33a6cfc2e87e900ef64ba4b978f3facfdb5870e217ac3ff7

    SHA512

    497e3eff3c7356cf12efd153b651d1a1ef2cb07302eb5b71dcff0d6732e5273bcff5f82897dff85cdaae0bc159fa9c4588e3bc90ab12521532675bf116757c6b

  • C:\Windows\SysWOW64\YUPIRK\FOE.002

    Filesize

    43KB

    MD5

    af3efaa90f29f6506693136ae1674fc7

    SHA1

    897aea8f6df7e29d43954512fc390b97c0eb4550

    SHA256

    4658d92f74df5ee142c08157985e25e41f74aaaa4256df9dfc9a011b7c3f0f44

    SHA512

    1a87ce2d0767204b1d636ce70c083c71f5cfa064680218906ff86c233968baca7ef605f2b1d9bfaf8326a8cbff7074ace766604b283c1a2b50d5788038dc9863

  • C:\Windows\SysWOW64\YUPIRK\FOE.004

    Filesize

    1KB

    MD5

    464347ea2485f7510c1c127cf6cebf2f

    SHA1

    8d31e5f1b2a4b912cd3a9facd34ee0d51d089dcb

    SHA256

    e2d69466e60ab756962c932744fabdd5f8323a958747e59de576cb4c92554797

    SHA512

    2c200554ed3c0c9a8ef1dd3385f7f44a661d98d0f3fd5d43d64a6e38d43e70cc49ac698b2087e4ede3403b7547489d124dc86d6057303a6b6c5a75572b0320ac

  • C:\Windows\SysWOW64\YUPIRK\FOE.exe

    Filesize

    1.7MB

    MD5

    78dd492b06d03744d1954781d33775ca

    SHA1

    ef9462193e6ba7be64458ea1be6afcaeadc574b1

    SHA256

    c0664f94e9b2a7817f79b9457c31e524ef72ed7c073e79546d67e857b4637ede

    SHA512

    f88734970018f46b8c4ce350cccf577ac056957e933deb493becbc30b7165834ca68db423850220f8944b364dc97e1423247192faf4f3e4db85cf25c4576eef9

  • memory/3532-15-0x0000000000A30000-0x0000000000A31000-memory.dmp

    Filesize

    4KB

  • memory/3532-27-0x0000000000A30000-0x0000000000A31000-memory.dmp

    Filesize

    4KB