Analysis
-
max time kernel
138s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
15-08-2024 23:54
General
-
Target
9c22137d162456245835451e4b668fdd_JaffaCakes118.exe
-
Size
1005KB
-
MD5
9c22137d162456245835451e4b668fdd
-
SHA1
7d2f1cf006ead52ba7507e598c79c397ab47bda9
-
SHA256
1fab4a11dbd8b69e39f2b05ec4da209c6696ff9266f6f7f949f10a0a6ac5f4fe
-
SHA512
7efe815efcb14fe473d9e43157d89d30f8f80914288d70f2d0492f5745460241a77bcc69af38112cef9c08bc30f09919a376fae97914d1cb3bd81d1908ada440
-
SSDEEP
24576:2WwTmRev8Jr32QTKxraIAdpbRMZtQitJddZewHRemJC8:xwTwrGQKxraIAdZOfQitfwmx
Malware Config
Signatures
-
Ardamax
A keylogger first seen in 2013.
-
Ardamax main executable 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c22137d162456245835451e4b668fdd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9c22137d162456245835451e4b668fdd_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\9283\NUYB.exe"C:\Windows\system32\9283\NUYB.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 9362⤵
- Loads dropped DLL
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1344 -ip 13441⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD5c103dd8cfc71e50400bb22e01cc90e74
SHA18e80d54d9927f351e557b99432af89dd4c5843ab
SHA256647416d984740785203c48faea961dac06d5d465789a4764a68a3b7161ef0c99
SHA512ea8f46086a542423cbbf90d9321e2bf2fa593e0aa7c3c40ca3fac22555caf7dca8d4ab30065860ad827d660e812f4b39cbe1dc05dadd1b71a56620170183444c
-
Filesize
486KB
MD52e451cf07d5556a2e5dec56484973795
SHA1d4738db3a6f907de6971708d10682cfe227a701f
SHA2567080859f952de87a0db34f7138fcd097c461d8d0b3757fa2a816553fd92533c0
SHA5120a4a25b4712afe80d07530da18ea07bdcd4fe3e2a9e9feb844c36946b96840f3e91198243c4b6223d4968280f7c17635cdf8bbfa483a3c76c03f17e2714c87fa
-
Filesize
804B
MD50359a4584690f01414cff9eb9f37289a
SHA15402c5942538468880da485ce17a61491285b5ed
SHA256aa457027e91f3a19405296b80aec4c155c73afa1a09ba4ccbd401ee2d4537d23
SHA512889212a0c9d01616ca742f1208e9a2ab18bc191fe82ee7355ce8b540fc910d28989fca3bb10a3ad3d5e7893aece758aed75600d621cdd4d88fdb114b6f213b10
-
Filesize
60KB
MD58ca14e67822ef959b3934e6bc4caf5c4
SHA1318d1a7b296bf7a9719160f55800fd4ed55fc458
SHA25616ecec3e8e8fa9d72421e0823adc9811ecadee7ecd946bc14a24dffdd901e952
SHA5125b26c6180d07b5c4b01d6207fe680f9443eda26a2a678d44a0c6f792549549b85adec1c09ab777f68bcd425d8e6b76b7f74bc25398eeae7ea4f3d652c2db95dd
-
Filesize
42KB
MD52cafc86224d99e34614a97f55f0a051a
SHA1660e25698426da6d4e9040d6a445915af0a88622
SHA256a533cd921eb312f7b77415bcb17e174a79b03771b65ce883d0be109418a9d378
SHA512e235665aef221e93cb2c4fbb853c76d8d0105c03f52d8f514e583058cfb849192ea0b30cf149e4ae665f820f181abf670f271298dac01e04b4b64fe88f5ac1a5
-
Filesize
1.2MB
MD5c0e301bac810e4787b54a6fb3107fe6f
SHA1146fc627271c7afa69fb14cd56f3ac53e0b06b54
SHA256bd8bf5088c5e512e76a8be647925a434adc96d9add3afe3328a4df70b94cc2d0
SHA51239c83705df36e43f2276070e1aae20da460919ab599b585e12af1ef6a8bd19cdd13fca18087665fe03016dcbc4aebd24ce03b439daa8b4ddfdfabd83786eb68d
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
4KB