Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26/08/2024, 14:03 UTC

General

  • Target

    c32601178ef4d6c2d674448b1ff9b23f_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    c32601178ef4d6c2d674448b1ff9b23f

  • SHA1

    0b9dc1847f2c9dd455b7760f96180efa28f6ec24

  • SHA256

    b1b00c296a919139f618bead4663e19da7c699ff8e0143727726e2e97570deda

  • SHA512

    3feb01d4189ed71779f842f477f7fe5e7a5c7a645f65b8658915bb6f9ebe5b8e079ca52c872a1c9b54fea23378bf8a1eaa6db05b39d7642612b1f9b09e222b4b

  • SSDEEP

    24576:JZxTOw/1OJty4zOvHdksoqdYUTE2NmIt5VKJ8yXAAdSa:JXTOwtuty4iv7YwNfDKJHU

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c32601178ef4d6c2d674448b1ff9b23f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c32601178ef4d6c2d674448b1ff9b23f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\TOMUMC\CEL.exe
      "C:\Windows\system32\TOMUMC\CEL.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\TOMUMC\AKV.exe

    Filesize

    456KB

    MD5

    1f29b1075a91b3da0ccc0b9c49eece56

    SHA1

    048e675f087181035aedece9e7b11d065c6355cc

    SHA256

    4f6825548b32329c3360ed9abb7c0a6809a2c2291cf0bcaac511a9fa32a6336e

    SHA512

    7e152caf055f57f599ecc1e3a404b540b721b3315d2ba16bff6eb21f03edeb3a06ae185621e3139293612d94210f500f098bd281489ca7f336efd8b5284ee060

  • C:\Windows\SysWOW64\TOMUMC\CEL.001

    Filesize

    61KB

    MD5

    31c866d8e4448c28ae63660a0521cd92

    SHA1

    0e4dcb44e3c8589688b8eacdd8cc463a920baab9

    SHA256

    dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

    SHA512

    1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

  • C:\Windows\SysWOW64\TOMUMC\CEL.002

    Filesize

    43KB

    MD5

    093e599a1281e943ce1592f61d9591af

    SHA1

    6896810fe9b7efe4f5ae68bf280fec637e97adf5

    SHA256

    1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

    SHA512

    64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

  • C:\Windows\SysWOW64\TOMUMC\CEL.004

    Filesize

    1KB

    MD5

    fe0524d6641af362328b8c4404811499

    SHA1

    c88c5e16892c7d8f727cd4e66fa8e9708631773c

    SHA256

    68d65b532e50dfdac5f5b0b7f2177f35c2ef33029aa12797ce6844ed5285d955

    SHA512

    00f23bf0c21713dbc64a4956da684a7fdc0d5ac6bdf7dc21d753d89b58427619346d8e68450c2018250353a5967ffa196ad8d4eb5773cf2499ffd35853715445

  • \Windows\SysWOW64\TOMUMC\CEL.exe

    Filesize

    1.5MB

    MD5

    0aaffc12ef1b416b9276bdc3fdec9dff

    SHA1

    9f38d7cf6241d867da58f89db9ff26544314b938

    SHA256

    42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

    SHA512

    bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

  • memory/2732-15-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2732-17-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.