Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-08-2024 17:48

General

  • Target
    9f5923d425dac2dd7d0b17eea269b98c_JaffaCakes118.exe
  • Size
    2.1MB
  • MD5
    9f5923d425dac2dd7d0b17eea269b98c
  • SHA1
    130a13a2f109b4888db93130cee2746c1cb10bd3
  • SHA256
    90c54934fc5887d22ac8fc84b3873acf00957a700ad83341af90536b31056975
  • SHA512
    91940d065d577d2aebb3a2fc7c2899f6741345353954616ea7d90bf08dbd7b017567655ba2a4f3f694e2578836ad3fd5a8e998bf9b3bab9747bda49ae9ac27f7
  • SSDEEP
    49152:50pTFz4RZI0s+VGDtLQhx455NcBl9qebx0eufRVRyg:5Gz4RZjPViLQC3N85x0ZZPyg

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f5923d425dac2dd7d0b17eea269b98c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9f5923d425dac2dd7d0b17eea269b98c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\BGKTVN\LHV.exe
      "C:\Windows\system32\BGKTVN\LHV.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4668
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3276

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\BGKTVN\AKV.exe
      Filesize
      484KB
      MD5
      4f60429f20ac507bb61cb45998a73847
      SHA1
      c094a508b75c7c9a83cb04cd1fa9a547ab87fded
      SHA256
      65478b0bded54534eb7e1241a8da267c57b55c3da90adce2880c04b861c6ddc9
      SHA512
      e5f879e4e21051d91f7bf88e77dbbf1c288d595988d55a13ef703e242094e8a762c3262200cf478d55ac91d12cefcdd176646cffaf88439313d8e44b12c5fa91

    • C:\Windows\SysWOW64\BGKTVN\LHV.001
      Filesize
      61KB
      MD5
      0d52ec4abb6e5055a153d97eab5bc2da
      SHA1
      f01f83ac6741d9d53aa43501d456c5b003746fe9
      SHA256
      845e34cf0373b2e959d3d27cfe09d858283dd6a4b335014c3b82e4af1161b321
      SHA512
      5876e5a0401d9520678e733fc89147d6a6d7ef5bf6f8dbbb59276c79f8cf57301a49b3c20861a5696ee36337d6b151c32c3be2abcdb2990301bf0c616ff0be19

    • C:\Windows\SysWOW64\BGKTVN\LHV.002
      Filesize
      43KB
      MD5
      fab6c7c9f60f3a391f22754e221ba23f
      SHA1
      b885a44fa6a8d6c0f08069f202527de1e93d460e
      SHA256
      11c28e015fb748bf664203c92288252a90aa7119079094d5fed17bc6ebfc803b
      SHA512
      86c368b8d542ec4dde120effcdac80a03118b8296188f3e09dde81883903b6a51a1bb6b981d394e05ff21bdc1cdcda125a427bfdb76aa209e706a58666e342bb

    • C:\Windows\SysWOW64\BGKTVN\LHV.004
      Filesize
      1KB
      MD5
      4c24146644b7cfef39155e6136b2a625
      SHA1
      33d0faec8d30803f415af12d9c4929ea873da672
      SHA256
      1b4430bab2fdb45125b82357655a3b21cd33743efb304a5632f7e77232d8c0b8
      SHA512
      b9cd75fc2f810bb826422177ca610655498bf384169c94093cc4b826882f9f7042ed7c045adcdf0cd32f16654b3679505036e857cafe2935d4f3ecfe0fb2b8c9

    • C:\Windows\SysWOW64\BGKTVN\LHV.exe
      Filesize
      1.7MB
      MD5
      cfeee152a39c265c34b5163548f8c59b
      SHA1
      5807f521bf8c48e8fb0abb657b6df7d21a533dc4
      SHA256
      0f86eb289dc6b99c7560607e4e8e84b134515cee05becae947056026bfd21844
      SHA512
      b50eafbade678e6a29dcae61e6eb251bcbc26d25427adf313aa7eb654de710d48236f1749e59cd0b19e28967b26a37bde364e584853b9b7f007d89c999d08ecd

    • memory/4668-18-0x00000000006E0000-0x00000000006E1000-memory.dmp
      Filesize
      4KB

    • memory/4668-20-0x00000000006E0000-0x00000000006E1000-memory.dmp
      Filesize
      4KB