Overview

overview

10

Static

static

3

7ea9c07770...18.exe

windows7-x64

10

7ea9c07770...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2024 01:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ea9c07770240661820a43c283f4b8ad_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    7ea9c07770240661820a43c283f4b8ad

  • SHA1

    e345c61bca763bb1afb6c106bfcb5275e3efa2be

  • SHA256

    75a4feadca2da8b21e765d5b65376c5f692b4f2adcb28253999815aa2d648bd2

  • SHA512

    7e6ef50c133f668e5f79fac93b591f04e2504fb7cfda07a3b341efe3725ff7ce2e578f345735b12a331d0c0e8dc9fc926dbabf868de3837f4a8869d4b0fc933d

  • SSDEEP

    24576:RITTHF+2gHp3qN4viAdq7ONHeHQRTaW6vREgS++8uhvjAVVyIzJ0qbrvxsg:R6TKHp304Tq7FwRyREgSJph6l0J

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ea9c07770240661820a43c283f4b8ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7ea9c07770240661820a43c283f4b8ad_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\IUOFJS\AUN.exe
      "C:\Windows\system32\IUOFJS\AUN.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\IUOFJS\AUN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\IUOFJS\AKV.exe
    Filesize

    490KB

    MD5

    64a6cc55dc76d26448c30a8a1885f7cb

    SHA1

    149e467026647e080b4c69ab4f99b2d3c2b4dbe4

    SHA256

    5cbc0ec73c901be4ac182e13f6869f6f8cf0831b9603e542a3919f6a06087640

    SHA512

    de8cd7bea8113871ce8a36966fbaefd02b8ef7b09a8cbb631b4ac353bdf65b27d5630146ed700fd6edbc4276f4368ebad76b772d9b84349ddc2bd6f7127c377d

    Download Submit

  • C:\Windows\SysWOW64\IUOFJS\AUN.001
    Filesize

    61KB

    MD5

    bf311791d2f9ea9c82a8d4764a98c0d8

    SHA1

    405ba2bd110590abd0bf340d12e054405afb011f

    SHA256

    d720cf3d297743da7ab1da528f4c086a29d59ef553e1a96569b49a59831d583b

    SHA512

    8be092f068807767b0065de10f9da386b90d8e587356881ba3391380b953b199e818b527e74b305d7c714fc94cb6f8e66c76d89d1785fa9910aa4cb39c5cada8

    Download Submit

  • C:\Windows\SysWOW64\IUOFJS\AUN.002
    Filesize

    44KB

    MD5

    ce365878123962c3438e349621c10198

    SHA1

    5b861d9fc2923c61ef390a0b729a21078aa5fd59

    SHA256

    ba254f6675490a045d4c85a5f46681c175c1321692c20fc808c7c244173dd63f

    SHA512

    efc6f143d5e9244a6635562d7e9a9cea22ab7e7b304e933642a51d66da896e9038208b86c12f6da623a01b9175e73eeb40ab600e6625db3595144bfca1231a76

    Download Submit

  • C:\Windows\SysWOW64\IUOFJS\AUN.004
    Filesize

    1KB

    MD5

    3d2152eb753394648d75368e5d26da90

    SHA1

    b0492e6e5ef2693d4d0c938da37407794fb4b856

    SHA256

    fcee9bec173c6a8ed947e0d5640e99f8b3b3199e2e325ec3e5da8a8cd1470588

    SHA512

    72df4e01a806241c01c0bf643f733a046b38d6ebf6ff719d592db5a676f15e30e0307b1fa5b714026662f0ecc22c6e339b943306b4cd750f8065d1579d1bf179

    Download Submit

  • \Windows\SysWOW64\IUOFJS\AUN.exe
    Filesize

    1.7MB

    MD5

    8f7590bbba70748e69612e9e2d5a9f2e

    SHA1

    f3ad9834bc38f33fe501b9076c65ac29d0410578

    SHA256

    2dec3a8fb4a5b198335e7f4a9b611194b0a081abf0c56f9df3f4e2697e69d9e4

    SHA512

    347e9ac793afd627e064ecdfea61c3e2b626ace0ea41928aad93a72567048b8e9bdf773f8a4a59a0d96ce8c08612c542c15982e8051828bef025fea6132838c6

    Download Submit

  • memory/2504-15-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-17-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download