Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 04:08

General

  • Target

    72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    72878c59a8d5c93bc876b7f11ba0bc32

  • SHA1

    73df301501f6b378d84937042866f2e037eb43af

  • SHA256

    52b6abb3f02c4d3fb024e0bad88fcab677c5512d8e58119a3c768527fd411302

  • SHA512

    b002528d23b83004ff9e9f90d9062f543b063f7cd7f0e36fe03e6a370bd3497779488a029f71d8a02192ef935f66ff08e4808f3d38745e5b22d53a4db7598617

  • SSDEEP

    24576:Xtg7etcwyCJrSCk6mTnBGLuwcfv6WYbeQ:XgzwyCJeCk5B8uwcfr1Q

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\72878c59a8d5c93bc876b7f11ba0bc32_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\SysWOW64\28463\DNOB.exe
      "C:\Windows\system32\28463\DNOB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:208
    • C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe
      "C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:832
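
The process tree above shows the installer writing its payload under C:\Windows\SysWOW64\28463\ while the child's command line spells the same file as C:\Windows\system32\28463\DNOB.exe. That is WoW64 file-system redirection (a 32-bit process writing to %windir%\System32 on 64-bit Windows lands in SysWOW64), and a hunt that matches on only one spelling will miss the other. The following is an added example, not part of the sandbox report: it folds both spellings to one canonical path, matches a host file inventory against the dropped-file paths and SHA256 values listed in the Downloads section, and flags the install layout seen here (an all-digit directory under System32/SysWOW64 holding an .exe plus .001/.006/.007 sidecars). The layout heuristic and the sample inventory are constructed for illustration; only the paths and hashes come from the page.

```python
"""Offline IoC matching for the dropped files listed in this sandbox report.

Added example, not part of the report. DROPPED_FILES is copied from the
Downloads section; the WoW64 folding and the layout heuristic are assumptions
explained in the comments.
"""
import hashlib
import os
from pathlib import PureWindowsPath

# Dropped files from the report (path -> SHA256), copied from the page.
DROPPED_FILES = {
    r"C:\Windows\SysWOW64\28463\DNOB.exe": "af5df966c3fac4b4b63d62326db8e0c02aac7ff6bef18ffa71839fb20e09d22d",
    r"C:\Windows\SysWOW64\28463\AKV.exe": "065f66163d162f864df0924497cb8ce5728b6981292c250f91a1e625a4c32f02",
    r"C:\Windows\SysWOW64\28463\DNOB.001": "46c0577551bae4c1938ab49530a125088f048936903b41734ed5dcd1e12e74f0",
    r"C:\Windows\SysWOW64\28463\DNOB.006": "43647f5a2a99de59670247c4259e489fdec954f829e0e36c791ff0e57c512c00",
    r"C:\Windows\SysWOW64\28463\DNOB.007": "f475a855fd1f83721eb3184e3b20154aed3b2241a2ec47c41c8753dd2ed2da66",
    r"C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe": "9e7868d0b8d4efe28fc054911235eb3371c9b9a7764a10d2b2a00b50062ad2f7",
    r"C:\Users\Admin\AppData\Local\Temp\@AB92.tmp": "3b0ad6e71940ce5b0f7e2108a63a803e6838752983d696fae9551d93f7d374cc",
}
KNOWN_HASHES = {h.lower() for h in DROPPED_FILES.values()}

# Sidecar extensions seen next to DNOB.exe in this report.
SIDECAR_EXTS = {".001", ".006", ".007"}


def normalize_path(path):
    r"""Lower-case a Windows path and fold WoW64 redirection.

    A 32-bit process writing to %windir%\System32 on 64-bit Windows is
    redirected to %windir%\SysWOW64, which is why the command line says
    system32 while the file sits in SysWOW64. System32, SysWOW64 and the
    Sysnative alias are all folded to "system32" so either view matches.
    """
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for i in range(len(parts) - 1):
        if parts[i] == "windows" and parts[i + 1] in ("system32", "syswow64", "sysnative"):
            parts[i + 1] = "system32"
    return str(PureWindowsPath(*parts))


KNOWN_PATHS = {normalize_path(p) for p in DROPPED_FILES}


def sha256_file(path):
    """Stream a file through SHA256 (large files, no full read into memory)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, prefix="C:\\"):
    """Inventory a directory (e.g. a mounted image) as (windows_path, sha256).

    `prefix` rebases the on-disk location to the drive it represents, so the
    result can be fed straight into match_inventory().
    """
    inventory = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            win_path = str(PureWindowsPath(prefix, os.path.relpath(full, root)))
            inventory.append((win_path, digest))
    return inventory


def match_inventory(inventory):
    """Return [(path, reasons)] for entries hitting a known hash and/or path.

    A path-only hit means a file sits where the sample dropped one but its
    content differs (rebuilt or modified sample); still worth a look.
    """
    hits = []
    for path, digest in inventory:
        reasons = []
        if digest.lower() in KNOWN_HASHES:
            reasons.append("hash")
        if normalize_path(path) in KNOWN_PATHS:
            reasons.append("path")
        if reasons:
            hits.append((path, tuple(reasons)))
    return hits


def ardamax_like_dirs(paths):
    """Heuristic (assumption generalised from this report's layout): an
    all-digit directory directly under System32/SysWOW64 that contains an
    .exe together with .001/.006/.007 sidecars. Returns canonical dir names."""
    exts_by_dir = {}
    for path in paths:
        p = PureWindowsPath(normalize_path(path))
        parts = p.parent.parts
        if len(parts) == 4 and parts[1] == "windows" and parts[2] == "system32" and parts[3].isdigit():
            exts_by_dir.setdefault(str(p.parent), set()).add(p.suffix.lower())
    return {d for d, exts in exts_by_dir.items() if ".exe" in exts and exts & SIDECAR_EXTS}


# Constructed host inventory for demonstration (not from the report):
# the dropper's payload spelled the system32 way, two sidecars with changed
# content, and a benign file.
SAMPLE_INVENTORY = [
    (r"C:\Windows\system32\28463\DNOB.exe", DROPPED_FILES[r"C:\Windows\SysWOW64\28463\DNOB.exe"].upper()),
    (r"C:\Windows\SysWOW64\28463\DNOB.001", "0" * 64),
    (r"C:\Windows\SysWOW64\28463\DNOB.006", "1" * 64),
    (r"C:\Windows\System32\notepad.exe", "2" * 64),
]

if __name__ == "__main__":
    for path, why in match_inventory(SAMPLE_INVENTORY):
        print(f"{path}  <- {', '.join(why)}")
    for d in sorted(ardamax_like_dirs(p for p, _ in SAMPLE_INVENTORY)):
        print(f"Ardamax-style install directory: {d}")
```

Run the script as-is to see the constructed inventory classified, or call `match_inventory(scan_tree("/mnt/evidence/Windows", prefix="C:\\Windows"))` against a mounted image. The Run-key persistence reported above is a registry artifact and is not covered by this file-based check; inspect the Run values in both HKCU and HKLM for entries pointing into a SysWOW64 or System32 subdirectory.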

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\@AB92.tmp

    Filesize

    4KB

    MD5

    ae40e8e0081ac79260616a167645f5d5

    SHA1

    056a1fd2caac824e2ef5917ec6227733924b0f40

    SHA256

    3b0ad6e71940ce5b0f7e2108a63a803e6838752983d696fae9551d93f7d374cc

    SHA512

    402ea3078d72d6039725790a308773b3a7f87a3987be09bca2d216aa8199b0a33ee137dd4c155635420607708f2e14062130fbc58b16de56a614815b0518311a

  • C:\Users\Admin\AppData\Local\Temp\CZCOMBO.exe

    Filesize

    514KB

    MD5

    194fa33a5089d8e6d2745cfb882825b3

    SHA1

    d914d9698591690bc712c8ab6a94d05d4cb72a29

    SHA256

    9e7868d0b8d4efe28fc054911235eb3371c9b9a7764a10d2b2a00b50062ad2f7

    SHA512

    686d5819d08a2e1e28b210042201f1b245715deb21f8e4290d6d61772a84ae7cfbc989a33a6365a61c58f182d55825863e82fed37f5c865491635e34d51282ad

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    415KB

    MD5

    c02715a00b92e3c8d227b62c962a596a

    SHA1

    9ba1f5cadb8a4881bb877837584bfc234759ab37

    SHA256

    065f66163d162f864df0924497cb8ce5728b6981292c250f91a1e625a4c32f02

    SHA512

    bbcb6afbdba6a7c1d8e4a5a22a3309d7f1ab01776cfb9b6317d77b935b5fdeba4b3ca43246afc0058e7fe82bf8a5fc8590d10c9cac1efa39d73978da49989b77

  • C:\Windows\SysWOW64\28463\DNOB.001

    Filesize

    438B

    MD5

    3dad3b9b3f1eef3d2237a8311b2161dd

    SHA1

    c0c5bee9ffbcea9818c873944d2684836e60682b

    SHA256

    46c0577551bae4c1938ab49530a125088f048936903b41734ed5dcd1e12e74f0

    SHA512

    21d168bf360abc468bcd947ab869dc6e181554fe72022ed3d90b8e918f48d4e4d65c845eefac31ffe8fca8eccad76020fed0a279521fce72330edcd3928b1525

  • C:\Windows\SysWOW64\28463\DNOB.006

    Filesize

    8KB

    MD5

    7cd001971037d8671cd1df50ab2ebe1f

    SHA1

    a0d80a31686f582d23a9ff64600dd96a4f67c4c5

    SHA256

    43647f5a2a99de59670247c4259e489fdec954f829e0e36c791ff0e57c512c00

    SHA512

    ea0f9c917fb073c8bd554231ce4084d59b0d8b64fea584ec3c1c85dc639ce0be19962e0f6c91b55799d7e228fb18beaf95c9988c705cfb9866787b0b2a3f244f

  • C:\Windows\SysWOW64\28463\DNOB.007

    Filesize

    5KB

    MD5

    eca98214c3022425c070e8d2141db13e

    SHA1

    1c2e753741f211685aaeae7bb372adef6491c8f5

    SHA256

    f475a855fd1f83721eb3184e3b20154aed3b2241a2ec47c41c8753dd2ed2da66

    SHA512

    f17978d843c8108281a9db210ada7d57dd7f8a850f0c7162ee0836e863b4ee0f49a4489807408e129dd6c66e4dc00becd5594e988e8106e8698f1d2daac9e772

  • C:\Windows\SysWOW64\28463\DNOB.exe

    Filesize

    540KB

    MD5

    e5c3d2be1c4e8ffe9b750d91edbbe400

    SHA1

    43f1ba1b1bfff30d1845ae446d936ff140694911

    SHA256

    af5df966c3fac4b4b63d62326db8e0c02aac7ff6bef18ffa71839fb20e09d22d

    SHA512

    6f462020eeaa3be0b80674899f3c957664d979b9e243a6802d75f8fa088f70a7b906b0f90c90e4b1f491e1ae7339b7fcffb986f26f75299b9f0c2364bf146903

  • memory/208-36-0x0000000000690000-0x0000000000691000-memory.dmp

    Filesize

    4KB

  • memory/832-43-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-45-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-29-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-44-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-50-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-46-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-51-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-38-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-42-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-41-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-37-0x00000000004A2000-0x00000000004A3000-memory.dmp

    Filesize

    4KB

  • memory/832-52-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-53-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

  • memory/832-56-0x00000000004A2000-0x00000000004A3000-memory.dmp

    Filesize

    4KB