Analysis

  • max time kernel
    135s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-08-2024 04:05

General

  • Target

    a984e304a598fff974fbe3a0c1ef4daf_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    a984e304a598fff974fbe3a0c1ef4daf

  • SHA1

    417190ed75f70a5c2b0d2ff9e1eaadefcca77d16

  • SHA256

    8b0666ef182baa4dae0544a16567cd999aec3392ad71c95741dcc6a5f3f8153e

  • SHA512

    bef8e50a90e9e1b6f1a1d426b07d75fe7dfdc9409bf57df6603796d20c8b1d0727eb6ab1a18db0099243b4e0c92b192ef4aaba5a0f8b94651a5f9bd04285d1e7

  • SSDEEP

    24576:2sCS7MMLKRW+MkWhYQS8JyEm9R8BngdS0mqog23ItPltyTCYY/H6:2Ba2xOhPJyP9OBm5metPlYTY/H6

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a984e304a598fff974fbe3a0c1ef4daf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a984e304a598fff974fbe3a0c1ef4daf_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\SysWOW64\YEMIJC\IJG.exe
        "C:\Windows\system32\YEMIJC\IJG.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\YEMIJC\IJG.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:212
    • C:\Users\Admin\AppData\Local\Temp\Tcpview.exe
      "C:\Users\Admin\AppData\Local\Temp\Tcpview.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Install.exe

    Filesize

    875KB

    MD5

    924b4de5dbd1714c0c391e081a765db2

    SHA1

    530299c9c0914abf97a75c7df1c3ae4f9f794f8c

    SHA256

    5dd08bd38c985a7fbd25ae223d9d77398ed0b8fcd4917493278bcd684cb468fb

    SHA512

    79ab99f336a13e3ea74987c6ff6bd114598f0128c841429f85d6f89c205dee7e75e96ad4ec5bf77641b48c83c967c2ed4ea69b834146ae32e86ce51391abe301

  • C:\Users\Admin\AppData\Local\Temp\Tcpview.exe

    Filesize

    292KB

    MD5

    e567d97018bec01adf3ef18492d41617

    SHA1

    5213e144a7cf5e0d7faafa0584a58ba43c702fef

    SHA256

    51c2307fdb7f1481581c97ac47bf954d6d5424f1a4f3f0d06e8169df21ed30cf

    SHA512

    5047e19dd1a90538d72580943c0ab47feb7c093e276b7013ca1e711100f5e8c088782b8cc92142981351c927e0013aa79c6384e85b48f5c233fba7f36133eaf0

  • C:\Windows\SysWOW64\YEMIJC\IJG.001

    Filesize

    61KB

    MD5

    7a5612cc859be918c5767487f8a6815a

    SHA1

    a855d3a3e6336ac0508a8099e8ace14680394c36

    SHA256

    643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

    SHA512

    31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

  • C:\Windows\SysWOW64\YEMIJC\IJG.002

    Filesize

    43KB

    MD5

    b2bcd668abf17ee408d232cc636614b2

    SHA1

    c354f941121515536c4f0d9ae49ed1a9b28534b4

    SHA256

    563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

    SHA512

    ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

  • C:\Windows\SysWOW64\YEMIJC\IJG.004

    Filesize

    1KB

    MD5

    c6e93a6deb7d7dcbda1b7bcd9b77d78c

    SHA1

    07d7af65a60f97d7ca90d04c3fbf7422ca17276a

    SHA256

    fd9f9b907f9b0fac19a4c1ca0d2e149843c55a43817da1429fc8182a4a4f4c66

    SHA512

    be15509bdcc32c6da2f65eb017166566f1ec10ba07847ea5379b88cc3530b8bc9d776acf36c75bfabfc9199627a92e9c1555a2fcc5009fbeeec4d358fd11c198

  • C:\Windows\SysWOW64\YEMIJC\IJG.exe

    Filesize

    1.5MB

    MD5

    a9ea3f61a57b36cde9953afd91f18d34

    SHA1

    e7e931b96b6e39b64a2a38d704bbe9561a234cbc

    SHA256

    accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

    SHA512

    0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

  • memory/5016-29-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

  • memory/5016-32-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB