Analysis

  • max time kernel
    141s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 18:37 UTC

General

  • Target

    dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe

  • Size

    565KB

  • MD5

    dafbe70a0e0c355d3b38a06671d0f3fa

  • SHA1

    0c90933be0af2e852c7cfa247bef6c5f31a64df8

  • SHA256

    ef1dac65d328cc6074e8d639970c19e516078ae63a379f1e5496cf9ce403c92f

  • SHA512

    20878cb551a3d000c2a7acff7c3d299a876d3a71e9f85651672a3fb00f71e5c3fcaff661fc78f0c5fb76af307a26f446ab6a7962bb6b49f037b2a6a901df3a45

  • SSDEEP

    12288:nEeFO2rpBZZUJojSR55ogstIvS5Q0L0pTPUGcH7JA1EhbYkYmpUDgoSMIi0CP:To21BPUh5mI/04p7BcbJA1EBs5Ii5P

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Windows\SysWOW64\28463\YCLH.exe
      "C:\Windows\system32\28463\YCLH.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2980

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@87FC.tmp

    Filesize

    4KB

    MD5

    cb07753c45624238b4403480372be5db

    SHA1

    10af5bfbed599165d996470278f011728e866df7

    SHA256

    63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

    SHA512

    2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

  • C:\Windows\SysWOW64\28463\YCLH.001

    Filesize

    298B

    MD5

    dbeb839788d3834c37238cb460fc23bb

    SHA1

    4ff9b9a697ef8ed6aa95a2d7c21f6e4c7f1b2c59

    SHA256

    1a97cf95d45d519264e6dadc260bae0ba91373458ef821b0ceb86069dac4e76d

    SHA512

    24fe3c43de00f020dceb150dcafa196d6316a7754cc8269588278c2ea09052d2a4d9521ed8a50a6108d3960cca0275adc1feaf9ec01af48f44c4096697e7ed8a

  • C:\Windows\SysWOW64\28463\YCLH.006

    Filesize

    8KB

    MD5

    3da3041787b72a7909d9f6184ce6bc5e

    SHA1

    fc7f00b8a1341b5341e2ba6f94ba85364bc90843

    SHA256

    18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

    SHA512

    150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

  • C:\Windows\SysWOW64\28463\YCLH.007

    Filesize

    5KB

    MD5

    50d0bcf6b5a6b11d9e274ccefba3f02e

    SHA1

    57acf2a1236b7534f2db661a9d95aeadcd41aa2a

    SHA256

    a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

    SHA512

    c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

  • C:\Windows\SysWOW64\28463\YCLH.exe

    Filesize

    647KB

    MD5

    a7b322839cedf8d56cb0a7dcdb50ab59

    SHA1

    d27855e65f5d9e87666f39d2af694a0d75330a75

    SHA256

    ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

    SHA512

    86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

  • C:\Windows\SysWOW64\28463\key.bin

    Filesize

    105B

    MD5

    27c90d4d9b049f4cd00f32ed1d2e5baf

    SHA1

    338a3ea8f1e929d8916ece9b6e91e697eb562550

    SHA256

    172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

    SHA512

    d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

  • memory/2980-25-0x0000000002420000-0x0000000002421000-memory.dmp

    Filesize

    4KB

  • memory/2980-22-0x00000000023C0000-0x00000000023C1000-memory.dmp

    Filesize

    4KB

  • memory/2980-29-0x0000000003210000-0x0000000003212000-memory.dmp

    Filesize

    8KB

  • memory/2980-28-0x0000000003220000-0x0000000003221000-memory.dmp

    Filesize

    4KB

  • memory/2980-27-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

    Filesize

    4KB

  • memory/2980-26-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize

    4KB

  • memory/2980-31-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/2980-24-0x0000000002400000-0x0000000002401000-memory.dmp

    Filesize

    4KB

  • memory/2980-23-0x0000000002410000-0x0000000002411000-memory.dmp

    Filesize

    4KB

  • memory/2980-30-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/2980-35-0x0000000003230000-0x0000000003231000-memory.dmp

    Filesize

    4KB

  • memory/2980-34-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB

  • memory/2980-33-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

  • memory/2980-32-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/2980-20-0x00000000009E0000-0x0000000000A3A000-memory.dmp

    Filesize

    360KB

  • memory/2980-19-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2980-42-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2980-43-0x00000000009E0000-0x0000000000A3A000-memory.dmp

    Filesize

    360KB

  • memory/2980-44-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.