Overview

overview

10

Static

static

3

6b84c6ae87...18.exe

windows7-x64

10

6b84c6ae87...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe

  • Size

    514KB

  • MD5

    6b84c6ae8724d9ab87154aa07293da4e

  • SHA1

    d96066b599457cb26d13871df8048e39351b787e

  • SHA256

    45741908aba41ce4ff4b0140a1eda218ad305eeba332eff777ea2c3da5c2e593

  • SHA512

    aa53a237714f67b12e7e83d1bee4c4b0a4a624c445558182ec601ec705a65da4fa1c227d6dd0e78f8db74f75caa045163c39f2985b4619a7efcff94d52d822eb

  • SSDEEP

    12288:iIyZQI56Uys3G/1p9WTfXeMo5LBPxZGhWOZdZ8mUgNX:EZ9ys3C1UXPYBpZEWAGmvd

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\28463\TWTI.exe
      "C:\Windows\system32\28463\TWTI.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    458KB

    MD5

    14f8412a6efc0043fdf855f6eff2217f

    SHA1

    99c8ada8c45b390c44e7daf706705a653914f85f

    SHA256

    57dad901c66f57147e75656fa5b4df9fd62158b546dc7ceee18767f1ca95e6bc

    SHA512

    cafbbb42a9b0877f1bcf17a0219d9570bee5878cccbfe2a30f947cff492d3bc089fed34dbf12e410031f9f70decccbaf3464c1e4e71d7d771efa048580bbeb81

    Download Submit

  • C:\Windows\SysWOW64\28463\TWTI.001
    Filesize

    452B

    MD5

    226ee506dfdf089f613d4b6149d88d36

    SHA1

    0475b9dbf38faa471b8d2a71ff776cd84d130ef5

    SHA256

    a5d1cbbe29084f4255c03c7e9bd65d0f9d9c89a7bf031ab8adb9d1b09f21048c

    SHA512

    d4bc34d55735269343dfb21678f8bf9f4a0641b211e5fb8e39b05f1dfff15e1523a50fc175f6205b7bcc675c54a654f089fd844652c681d4ea9fc26aab5015f5

    Download Submit

  • C:\Windows\SysWOW64\28463\TWTI.006
    Filesize

    8KB

    MD5

    acfe714319d5092d079a46d20785dab8

    SHA1

    67c491b9abb9ecffa1c87ce9ec1d516cd5fd9715

    SHA256

    832732c6ebefed88a2db93f73867ca0d5bd5b2a012ccbcfcf26e22bed6dc4fac

    SHA512

    895b25109ae1d6b64c6383cd74e8354cda27aa4925c06d7ef90edb748fb7765a07253ce0f69b3d0a13f8c63d1d226df61f50a56fe05569d31a4a5265f4175a8f

    Download Submit

  • C:\Windows\SysWOW64\28463\TWTI.007
    Filesize

    5KB

    MD5

    dd462f9742de6d9d95459334538c2b1f

    SHA1

    8718400320b2aa38ff37dba0fe82062e5d3839bd

    SHA256

    b172cb7ab44abac00ea09707fe8926aa327e01f22726a887fa0e8eb72cdf1e54

    SHA512

    bc21d555ade6009250a892ef4b55f8ee96998dfafb3557da1e347297f0dc5f0e53e635f4b5d53261cccc46629adabd208fbc7a53fb826ff1606c47eb57e4537c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@B7CB.tmp
    Filesize

    4KB

    MD5

    cde9827bcff03c6c1f883f693c8c6700

    SHA1

    c2ce6d6a1dd2e17d8736e779ebe1f6d0383b4f46

    SHA256

    ba4566adf8b2cd5a6afb6fcb2a43cd80139d1882f71f03ccd4d0eea71fac8252

    SHA512

    11b901e644a52826c317435dc87872b55a36fa9d477530a030d1f137beb2710544b1f0e2fd23b3f6528f2f71ab55c66d219a87f1d5bc0f6ec0fd5aecd7659bc5

    Download Submit

  • \Windows\SysWOW64\28463\TWTI.exe
    Filesize

    567KB

    MD5

    4ea1467f05af54ad8c98ee4926aff85c

    SHA1

    a377d95a18ed943cae552af415647ec6e9861c1e

    SHA256

    b5a510cf3884c0217cafd5f378ce3eb389bd4e88eea5f662e5c364a6e3fb4476

    SHA512

    049b8f935e96773f35f67d0ff6de74e6dda04f5add09964500a356184db0c3229943ef5a27df2b1e8098bf693e3016007272e797c37e99a1ebdce0999363963d

    Download Submit

  • memory/2540-21-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download