Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2024, 06:27 UTC

General

  • Target

    d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe

  • Size

    597KB

  • MD5

    d3befbf53dd7ed84b5540d223e86884d

  • SHA1

    cab90d480c0ff4705400e660cf0d6513252a477d

  • SHA256

    ace69a47deb73ba1524da0bb81aba94c6f426a72639cc09eef529989a0c30eac

  • SHA512

    39b0b744a7a92b14177c6d981202e1749976e1ca95d4e1176fae8e9df789cf58adbb5f436e7679c3cce167f25991fb518b7b557785822243308779a96f080c42

  • SSDEEP

    12288:wbzUzGD2qYtRIvzf0jbch/Cz3s7kKH/HgJUN3ApupVnG1DJy:wbzUzRqiIvzf0vyKA7kRJonnG1Jy

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\Temp\renungan.exe
      "C:\Users\Admin\AppData\Local\Temp\renungan.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\28463\SCLG.exe
        "C:\Windows\system32\28463\SCLG.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2656
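The process tree above is the useful part of this report for a defender: the submitted sample writes renungan.exe to the user's Temp directory, renungan.exe stages SCLG.exe and its companion files under a numbered directory in SysWOW64 (the command line says system32 because a 32-bit process writing to System32 is redirected to SysWOW64 by WoW64 file system redirection), and SCLG.exe then adds a Run key and installs a SetWindowsHookEx hook. The following script is an added illustration, not part of the sandbox output or of any vendor tooling: it turns that chain plus the SHA-256 values from the Downloads section into a small hunt over Sysmon-style process-create (event 1), file-create (event 11) and registry-set (event 13) records. The event field names follow Sysmon's schema; the sample events are constructed here to mirror the report's tree and are not real telemetry. Matching any five-digit staging directory rather than only 28463 is an assumption that the number is installation-specific.

```python
"""Hunt for the Ardamax drop chain described in this report over
constructed Sysmon-style events (added example, not sandbox output)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SHA-256 values copied from the report's Downloads section.
DROPPED_SHA256 = {
    "ed70effb65019ecfb36bf65086d71be49352a4822aa12d9f0a4721c900703d4f": "renungan.exe",
    "f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c": "SCLG.exe",
    "466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95": "AKV.exe",
}
# Staging directory from the tree. system32 is included because a 32-bit
# writer sees SysWOW64 as system32; the 5-digit wildcard is an assumption.
STAGING_DIR = re.compile(r"\\windows\\sys(?:tem32|wow64)\\\d{5}\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def sha256_from_sysmon_hashes(hashes: str) -> Optional[str]:
    """Sysmon writes 'MD5=...,SHA256=...,IMPHASH=...'; return the SHA256 part."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(events: List[Dict]) -> List[Alert]:
    """Evaluate each event against the behaviours in the report's tree."""
    alerts: List[Alert] = []
    for ev in events:
        eid, pid = ev["EventID"], ev.get("ProcessId", 0)
        if eid == 1:  # process create
            image = ev["Image"]
            sha = sha256_from_sysmon_hashes(ev.get("Hashes", ""))
            if sha in DROPPED_SHA256:
                alerts.append(Alert("known_dropped_hash", pid,
                                    f"{image} matches {DROPPED_SHA256[sha]}"))
            if STAGING_DIR.search(image):
                alerts.append(Alert("exec_from_staging", pid, image))
                # renungan.exe (in Temp) -> SCLG.exe (in SysWOW64\NNNNN)
                if TEMP_DIR.search(ev.get("ParentImage", "")):
                    alerts.append(Alert("temp_parent_to_staging", pid,
                                        f"{ev['ParentImage']} -> {image}"))
        elif eid == 11 and STAGING_DIR.search(ev["TargetFilename"]):  # file create
            alerts.append(Alert("file_dropped_in_staging", pid, ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]) \
                and STAGING_DIR.search(ev.get("Details", "")):  # registry value set
            alerts.append(Alert("run_key_points_to_staging", pid, ev["Details"]))
    return alerts


def rules_fired(events: List[Dict]) -> set:
    return {a.rule for a in hunt(events)}


# Constructed events mirroring the report's process tree (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2468,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\renungan.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe",
     "Hashes": "MD5=f7438819e47e4397ab4486463e0cdf8a,"
               "SHA256=ed70effb65019ecfb36bf65086d71be49352a4822aa12d9f0a4721c900703d4f"},
    {"EventID": 11, "ProcessId": 2468,
     "TargetFilename": r"C:\Windows\SysWOW64\28463\SCLG.exe"},
    {"EventID": 1, "ProcessId": 2656,
     "Image": r"C:\Windows\SysWOW64\28463\SCLG.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\renungan.exe",
     "Hashes": "SHA256=f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c"},
    {"EventID": 13, "ProcessId": 2656,  # hive/SID and value name are constructed
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\SCLG",
     "Details": r"C:\Windows\SysWOW64\28463\SCLG.exe"},
    {"EventID": 1, "ProcessId": 3000,  # benign control: must not fire
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The hash rule is the weakest of the five: the report shows a fresh dropper on every run (the JaffaCakes118 wrapper), so hashes identify this build only. The path and parent-child rules survive a rebuild, and the Run key rule ties persistence to the staging directory rather than to a value name, which is what makes them worth keeping after the hashes go stale.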

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    395KB

    MD5

    adbec81b510dcfe49835f95940ef961d

    SHA1

    77940f6e46fbd5f53de23bd49afe9172470769d0

    SHA256

    466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

    SHA512

    ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

  • C:\Windows\SysWOW64\28463\SCLG.001

    Filesize

    394B

    MD5

    fd7a5e7c9e583dc950b4e9c4a280dc06

    SHA1

    f74385d69d240cc85a19f1d24679e150c8c17599

    SHA256

    dc8b3f83a99a1af7d517c26505823e265121f9c4c40a55cf4c68b64d86aeeca5

    SHA512

    016e37281ef36077d2cc27c9848ee8397395cdff7da7e90ada9b10e6d19decf2c034d69982cb2dab69676cd4b0b0070afa068859070eb2995ad446cd6d0fe104

  • C:\Windows\SysWOW64\28463\SCLG.006

    Filesize

    8KB

    MD5

    f5eff4f716427529b003207d5c953df5

    SHA1

    79696d6c8d67669ea690d240ef8978672e3d151c

    SHA256

    ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

    SHA512

    5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

  • C:\Windows\SysWOW64\28463\SCLG.007

    Filesize

    5KB

    MD5

    bc75eddaa64823014fef0fe70bd34ffc

    SHA1

    15cd2ace3b68257faed33c78b794b2333eab7c0a

    SHA256

    9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

    SHA512

    20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

  • \Users\Admin\AppData\Local\Temp\@DBDE.tmp

    Filesize

    4KB

    MD5

    13e10cd76f11d6cb43182dcba7370171

    SHA1

    e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

    SHA256

    f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

    SHA512

    ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

  • \Users\Admin\AppData\Local\Temp\renungan.exe

    Filesize

    480KB

    MD5

    f7438819e47e4397ab4486463e0cdf8a

    SHA1

    584a31f107b738f7000289363c114b41ee31cc30

    SHA256

    ed70effb65019ecfb36bf65086d71be49352a4822aa12d9f0a4721c900703d4f

    SHA512

    3cb9817491b5544c1cb99e1342b2bb78676fb82681a25530358fadc4a6f598f70361dcfd94256277e304d37aefdd6ebb48d4289b6c6683f344657ec8c3d1532c

  • \Windows\SysWOW64\28463\SCLG.exe

    Filesize

    473KB

    MD5

    3c90d45b1c004e86a7f7a7a340f1abc8

    SHA1

    10602c450bcbda2735dc036f2e399646f0c64f4c

    SHA256

    f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

    SHA512

    85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1