Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 08:00

General

  • Target

    6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    6ad76f2b1b2bbede5c9e2aa481100f97

  • SHA1

    4526934645816ec62c54e5ef009b83dae1ea00ad

  • SHA256

    f65a6c764b773dbe55a8dc0b5a992b55e0b3621bf11081ffb273d71eece10641

  • SHA512

    5f5d5d0d86ce8b7eaeb711354e87153243b9a699c3c73e3ddc7a16dbae70b7ddf5dfbbaebc0b95addad0295210df900cb0809a910117e84703409181e1b78d23

  • SSDEEP

    49152:qFtVGpDecreGezCVhTyMhnCoFIZnve0auUpGotkEm2L/Voqc8OpgpNLC6jHq:IGpKCbBCoFIJ2luUpGot02jBnt2

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 26 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\28463\KGCU.exe
        "C:\Windows\system32\28463\KGCU.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2732
      • C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe
        "C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2692
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\28463\OTKQ.exe
        "C:\Windows\system32\28463\OTKQ.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2624
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minecraft.jar"
        3⤵
          PID:2536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe

      Filesize

      920KB

      MD5

      a5f59c67e5389f26d603a3480300522c

      SHA1

      02b58320d4992933538c5ce758156a7d55772344

      SHA256

      cb5560d6115f7a5b198f46ac38b959bb06c0a782afbd29c22349389c2c77bf3a

      SHA512

      0537c9cb587135dbf208160fb52db578a4e02fd7f556e69604f2ec0c1d4162790a0dc3377674addee5a5fcb7eb9f9970b3dc22e348c47d180195dd441dfc2163

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

      Filesize

      1.6MB

      MD5

      bdb7540a3514347c8156c332b8792239

      SHA1

      c3b5f467047ea2ddf4c42afa529cdbc7dcec9e56

      SHA256

      918b396d1dc07cc04e223271204d186ba3cd65dab2ddeb1308c7ff18a0627d66

      SHA512

      23c473cb35cc52bc0267687bdfaaba1a3105bddab2dbd1686d114287a67d2cb99ccf3dcdf575da896ab7d589f75cca531eec91f9ceb1f9d3694806d748758ac9

    • C:\Users\Admin\AppData\Local\Temp\minecraft.jar

      Filesize

      1.2MB

      MD5

      4203826f35e1036f089919032c3d19d1

      SHA1

      add3809d2c075e985d4b583632dac3d9c3872945

      SHA256

      e993b789dd450e1538667def644e1376bd702fe26eebec3197598d5157042684

      SHA512

      4902e4805454174c00b98d1fd44b737302103b0c3919ad453aed79c83153729b4e6205de6c5e299a2833b9127a2ad97b74d5c2cea801343a225596286a4e4f5a

    • C:\Windows\SysWOW64\28463\AKV.exe

      Filesize

      395KB

      MD5

      d63cc8679a63448db1c64252e14e4ab5

      SHA1

      10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e

      SHA256

      29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d

      SHA512

      cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

    • C:\Windows\SysWOW64\28463\KGCU.001

      Filesize

      506B

      MD5

      5c1f64b94ca19c5f180da89e8d760391

      SHA1

      7fdc5d16777994203ae0f65c8a7bc371211c55d4

      SHA256

      a7bf4e3713d5e8f378bb395eeea9740b241fd5ae56d7fbf50d1312cf34bf37c1

      SHA512

      d9f92ca7e2bd728cc3bcc016d41b787c90b98b7ff249414ac2b19583b9a6e17f37c9a56c3338a210edfeda480d3696f1e6233978c654ad74f7f17039fc5addc0

    • C:\Windows\SysWOW64\28463\KGCU.004

      Filesize

      14KB

      MD5

      1e9efc9747213f87a89eefb656d221a1

      SHA1

      beaa459418de39ded935109cdfc6ef1c9924cad0

      SHA256

      fb38bfcf3c9067cf387311b10ba5a817e2016dba5e00ff4a144218e5bab78fac

      SHA512

      7c8d344eb920f5c494fa835b8ff49d6074caa3bed09438244c51b787cc3cb3508807160976b8087e400e29056978bb6ee3172c23120a22eabb950aaa5a2320b0

    • C:\Windows\SysWOW64\28463\KGCU.006

      Filesize

      8KB

      MD5

      81e20f4361cf8f5a57812871c24d945e

      SHA1

      5d7877d6959ab26599b05795a71633f00c37a3da

      SHA256

      e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d

      SHA512

      69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

    • C:\Windows\SysWOW64\28463\KGCU.007

      Filesize

      5KB

      MD5

      e9fbdcc2f5fb657fa519b3f5c69fc52d

      SHA1

      c49cca77b46a59d620711de7564d43e5dafcd2b5

      SHA256

      cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4

      SHA512

      913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

    • C:\Windows\SysWOW64\28463\KGCU.chm

      Filesize

      33KB

      MD5

      4cacfe8589b381143e7436a67138bd6b

      SHA1

      9b32ec887ccf78e89b647c7b2d0d8f714b4f57cf

      SHA256

      fc790cdfa6002c81b16af111100286e601c93490485df0a394c8f462e838103a

      SHA512

      fa0988c0cb2315e614d5467c6c92694b9347c4044d8e9152430adad893e39a55b6470b94a8d21bb0fed74630b68ddbf6073e2e1c879869abebe0be6f78dd404b

    • C:\Windows\SysWOW64\28463\OTKQ.001

      Filesize

      424B

      MD5

      8a873315194627354e5ba557a523eb6d

      SHA1

      3138603dc2cb31282052f50c0535d5172fff24a6

      SHA256

      40d5dfd79b8cab534511554b6cc0da570fdea75eb3da82c183ded04f3bd15ad0

      SHA512

      6eb6f194945beae199bfe3ef091332a4196cd6ea5ae362f5d407d65a8fd9ca23cd88b0d94952c17a71e46621d6420948af9e642facc9b8414d8a04c332a6b92a

    • \Users\Admin\AppData\Local\Temp\@E070.tmp

      Filesize

      4KB

      MD5

      25530555085337eb644b061f239aa9d4

      SHA1

      8d91e099aba5439d4bfa8bce464c94e3e1acf620

      SHA256

      3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325

      SHA512

      b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

    • \Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe

      Filesize

      418KB

      MD5

      fc68feb55209138d4afdd985b26f1f81

      SHA1

      8d6a2e5864444376ba763b5a3e608858624b398f

      SHA256

      f18237ed1188eeb6289710efd7cd3505c73c093d01bab9bfd9fed6707a047567

      SHA512

      296805acb72f28c5f31135a5c851d75c94a532a5ddd51e6f98dc0d6b6c007afb97c50f78cf399747a3cc39849f9cef89113efa939c2ef8aaa12c1726b17b4425

    • \Windows\SysWOW64\28463\KGCU.exe

      Filesize

      473KB

      MD5

      97d8ad45f48b4b28a93aab94699b7168

      SHA1

      8b69b7fd7c008b95d12386f6da415097e72151de

      SHA256

      661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331

      SHA512

      3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

    • memory/2536-112-0x0000000001B60000-0x0000000001B61000-memory.dmp

      Filesize

      4KB

    • memory/2732-41-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB