Analysis

  • max time kernel
    93s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/09/2024, 06:27 UTC

General

  • Target

    d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe

  • Size

    597KB

  • MD5

    d3befbf53dd7ed84b5540d223e86884d

  • SHA1

    cab90d480c0ff4705400e660cf0d6513252a477d

  • SHA256

    ace69a47deb73ba1524da0bb81aba94c6f426a72639cc09eef529989a0c30eac

  • SHA512

    39b0b744a7a92b14177c6d981202e1749976e1ca95d4e1176fae8e9df789cf58adbb5f436e7679c3cce167f25991fb518b7b557785822243308779a96f080c42

  • SSDEEP

    12288:wbzUzGD2qYtRIvzf0jbch/Cz3s7kKH/HgJUN3ApupVnG1DJy:wbzUzRqiIvzf0vyKA7kRJonnG1Jy

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3836
    • C:\Users\Admin\AppData\Local\Temp\renungan.exe
      "C:\Users\Admin\AppData\Local\Temp\renungan.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\28463\SCLG.exe
        "C:\Windows\system32\28463\SCLG.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3824
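
The behaviour recorded above (a dropper writing an .exe plus .001/.006/.007 companions into a numeric folder under SysWOW64, the child registering a Run key, the hashes listed under Downloads) can be turned into a host hunt. The Python below is an added example, not part of the sandbox report or of the sample itself. The Sysmon-style events are constructed by hand to mirror this report's process tree, with field names simplified from Sysmon's TargetObject/Details; the Run-key value name "SCLG Agent" is an assumption, since the report only records that a Run key was added.

```python
import ntpath
import re
from typing import Dict, List

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "ace69a47deb73ba1524da0bb81aba94c6f426a72639cc09eef529989a0c30eac": "d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe",
    "ed70effb65019ecfb36bf65086d71be49352a4822aa12d9f0a4721c900703d4f": "renungan.exe (dropper)",
    "f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c": "SCLG.exe (Ardamax main executable)",
    "466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95": "AKV.exe",
}

# The keylogger is installed into a purely numeric folder under the 32-bit system
# directory (C:\Windows\SysWOW64\28463\ in this run) beside .001/.006/.007 files.
NUMBERED_SYSDIR = re.compile(r"^c:\\windows\\(?:syswow64|system32)\\(\d{3,})\\", re.I)
COMPANION_EXTS = {".001", ".006", ".007"}
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)


def hunt(events: List[Dict]) -> List[Dict]:
    """Scan Sysmon-like records (ID 1 process create, 11 file create, 13 registry
    value set) and return findings keyed on the behaviour seen in this report."""
    findings: List[Dict] = []
    drop_dirs: Dict[str, Dict] = {}  # numeric dir -> {"pid": writer, "exts": set()}

    for ev in events:
        if ev["id"] == 1 and ev.get("sha256", "").lower() in KNOWN_SHA256:
            findings.append({"type": "known_hash", "pid": ev["pid"],
                             "match": KNOWN_SHA256[ev["sha256"].lower()]})
        elif ev["id"] == 11:
            m = NUMBERED_SYSDIR.match(ev["target"])
            if m:
                entry = drop_dirs.setdefault(m.group(1), {"pid": ev["pid"], "exts": set()})
                entry["exts"].add(ntpath.splitext(ev["target"])[1].lower())
        elif ev["id"] == 13 and RUN_VALUE.search(ev["key"]):
            data = ev["details"].strip('"')
            # Only a Run entry pointing back into a numeric system sub-folder is
            # flagged; ordinary autostarts (OneDrive and the like) are left alone.
            if NUMBERED_SYSDIR.match(data):
                findings.append({"type": "run_key_to_sysdir", "pid": ev["pid"],
                                 "key": ev["key"], "data": data})

    # An .exe plus at least one .001/.006/.007 sibling in the same numeric folder is
    # the layout shown under Downloads (SCLG.exe, SCLG.001, SCLG.006, SCLG.007).
    for dirname, entry in drop_dirs.items():
        if ".exe" in entry["exts"] and entry["exts"] & COMPANION_EXTS:
            findings.append({"type": "ardamax_layout", "pid": entry["pid"],
                             "dir": dirname, "exts": sorted(entry["exts"])})
    return findings


# Constructed events mirroring the process tree in this report (not captured logs).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3836, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\d3befbf53dd7ed84b5540d223e86884d_JaffaCakes118.exe",
     "sha256": "ace69a47deb73ba1524da0bb81aba94c6f426a72639cc09eef529989a0c30eac"},
    {"id": 1, "pid": 5008, "ppid": 3836, "image": r"C:\Users\Admin\AppData\Local\Temp\renungan.exe",
     "sha256": "ed70effb65019ecfb36bf65086d71be49352a4822aa12d9f0a4721c900703d4f"},
    {"id": 11, "pid": 5008, "target": r"C:\Windows\SysWOW64\28463\SCLG.exe"},
    {"id": 11, "pid": 5008, "target": r"C:\Windows\SysWOW64\28463\SCLG.001"},
    {"id": 11, "pid": 5008, "target": r"C:\Windows\SysWOW64\28463\SCLG.006"},
    {"id": 11, "pid": 5008, "target": r"C:\Windows\SysWOW64\28463\SCLG.007"},
    {"id": 11, "pid": 5008, "target": r"C:\Windows\SysWOW64\28463\AKV.exe"},
    {"id": 1, "pid": 3824, "ppid": 5008, "image": r"C:\Windows\SysWOW64\28463\SCLG.exe",
     "sha256": "f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c"},
    # Value name is an assumption; the report only says a Run key was added.
    {"id": 13, "pid": 3824, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SCLG Agent",
     "details": r"C:\Windows\SysWOW64\28463\SCLG.exe"},
    # Benign noise that must not fire.
    {"id": 11, "pid": 1234, "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 13, "pid": 1234, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The hash match is the weakest of the three checks, since a repacked build changes every hash; the numeric-folder layout and the Run entry pointing into it survive repacking and are what to alert on.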

Network

Only DNS traffic was captured: eleven reverse (PTR) lookups sent to 8.8.8.8, of which two returned a record. No connection from the sample to a log-delivery or C2 endpoint was recorded during the 114 s network window, so the keylogger's exfiltration channel is not visible in this run.

  • DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: dns.google
  • DNS 154.239.44.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 154.239.44.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 81.144.22.2.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 81.144.22.2.in-addr.arpa IN PTR
    Response: a2-22-144-81.deploy.static.akamaitechnologies.com
  • DNS 69.31.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 69.31.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 149.220.183.52.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 149.220.183.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 209.205.72.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 209.205.72.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 103.169.127.40.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 103.169.127.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 171.39.242.20.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 171.39.242.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 23.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53 (US)
    Request: 23.236.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@7C92.tmp

    Filesize

    4KB

    MD5

    13e10cd76f11d6cb43182dcba7370171

    SHA1

    e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

    SHA256

    f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

    SHA512

    ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

  • C:\Users\Admin\AppData\Local\Temp\renungan.exe

    Filesize

    480KB

    MD5

    f7438819e47e4397ab4486463e0cdf8a

    SHA1

    584a31f107b738f7000289363c114b41ee31cc30

    SHA256

    ed70effb65019ecfb36bf65086d71be49352a4822aa12d9f0a4721c900703d4f

    SHA512

    3cb9817491b5544c1cb99e1342b2bb78676fb82681a25530358fadc4a6f598f70361dcfd94256277e304d37aefdd6ebb48d4289b6c6683f344657ec8c3d1532c

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    395KB

    MD5

    adbec81b510dcfe49835f95940ef961d

    SHA1

    77940f6e46fbd5f53de23bd49afe9172470769d0

    SHA256

    466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

    SHA512

    ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

  • C:\Windows\SysWOW64\28463\SCLG.001

    Filesize

    394B

    MD5

    fd7a5e7c9e583dc950b4e9c4a280dc06

    SHA1

    f74385d69d240cc85a19f1d24679e150c8c17599

    SHA256

    dc8b3f83a99a1af7d517c26505823e265121f9c4c40a55cf4c68b64d86aeeca5

    SHA512

    016e37281ef36077d2cc27c9848ee8397395cdff7da7e90ada9b10e6d19decf2c034d69982cb2dab69676cd4b0b0070afa068859070eb2995ad446cd6d0fe104

  • C:\Windows\SysWOW64\28463\SCLG.006

    Filesize

    8KB

    MD5

    f5eff4f716427529b003207d5c953df5

    SHA1

    79696d6c8d67669ea690d240ef8978672e3d151c

    SHA256

    ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

    SHA512

    5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

  • C:\Windows\SysWOW64\28463\SCLG.007

    Filesize

    5KB

    MD5

    bc75eddaa64823014fef0fe70bd34ffc

    SHA1

    15cd2ace3b68257faed33c78b794b2333eab7c0a

    SHA256

    9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

    SHA512

    20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

  • C:\Windows\SysWOW64\28463\SCLG.exe

    Filesize

    473KB

    MD5

    3c90d45b1c004e86a7f7a7a340f1abc8

    SHA1

    10602c450bcbda2735dc036f2e399646f0c64f4c

    SHA256

    f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

    SHA512

    85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

  • memory/3824-31-0x0000000000C10000-0x0000000000C11000-memory.dmp

    Filesize

    4KB

  • memory/3824-35-0x0000000000C10000-0x0000000000C11000-memory.dmp

    Filesize

    4KB
