Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
15-09-2024 02:08
Static task
static1
Behavioral task
behavioral1
Sample
e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
Target
e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Size
1.0MB
MD5
e17fa88e77674357c33bc11528a6491c
SHA1
6d19521225ad11073bb049250340966a17b7ce3f
SHA256
fb598e3bf618d597221a3b53cdeb7dc6de89d489435f6c49c1a4330d8788c36f
SHA512
6d6cdc7788f8513d9a5c33bbcc8d21188657c87ec3e4571e5080448228ea3777cd7e9b5ba5f5dff122b833b6db8abc247989963a281e63ead30d2dc406ac547f
SSDEEP
24576:jBaTPZKilZZMG2lCzslCja1L+SI6+DwmcrK0O7U:jYTBNlZmJCja0LEmcZO
Malware Config
Signatures
Ardamax main executable 1 IoCs
resource | yara_rule
behavioral2/files/0x0008000000023412-8.dat | family_ardamax
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
1860 | NVT.exe
Loads dropped DLL 1 IoCs
pid | Process
1860 | NVT.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NVT Start = "C:\\Windows\\SysWOW64\\COLICU\\NVT.exe" | NVT.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\COLICU\NVT.002 | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\COLICU\AKV.exe | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\COLICU\NVT.exe | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\COLICU\ | NVT.exe
File created | C:\Windows\SysWOW64\COLICU\NVT.004 | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\COLICU\NVT.001 | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NVT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 1860 | NVT.exe
Token: SeIncBasePriorityPrivilege | 1860 | NVT.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1860 | NVT.exe
1860 | NVT.exe
1860 | NVT.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 2780 wrote to memory of 1860 | 2780 | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe | 87
PID 2780 wrote to memory of 1860 | 2780 | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe | 87
PID 2780 wrote to memory of 1860 | 2780 | e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe | 87
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2780
Depth 2 (spawned by the process above): C:\Windows\SysWOW64\COLICU\NVT.exe
Command line: "C:\Windows\system32\COLICU\NVT.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1860
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
439KB
MD5
b6f067d8cbe8f570879b0ec97a00e9d9
SHA1
57cfc7bb9386956796ca8bd57d42c70027dbe716
SHA256
57785904b380980f4c65b1ffe052ad9e4cd0d270b14176244b8129f0c78c4034
SHA512
dced303f3d316ec2988d3f46ae6af2045d4d054d80b30350ffc4126c5c2979e2914f7586f3dde7cb4718141a75bc10cb211ebdc1d2b91ed61a97b8465e0e961d

Filesize
61KB
MD5
d7ab0bd450bbb9c9a080ef462fee6294
SHA1
c407c9ec0cbcc0de96f44b54a3ebda9bcde7521f
SHA256
5f6b4fd853d0b887dec7f1cb19e7888720d288f01c762d8f83aa88adb9c26d6a
SHA512
11369b86f347be2614523caf9dac4caea2cec15705a710706cbfad1e1f49de24ffee6ba4f16bdf4c8a8aa5e440e51fda959dafa90a7b32332151917e4c7e82ba

Filesize
43KB
MD5
fe922952228e14b29160444d20cd12ca
SHA1
cab385224fa717fbc24d790d8b4c888dcbb8cf12
SHA256
a17c9e61994dac89f3945ec0744be6f44e4982e5b2fe2c336af2d2675ed94b2f
SHA512
37d23ad969a647f515749ecdd86410a47331fd424dc8f851270bb30e05e624bdf0c627bf2475d22838692fdb648daba0e85547734e926f3dd3b192af583d4847

Filesize
660B
MD5
c04d7216f1780b7eb8b0e7ba52e74f0f
SHA1
13fbebd76f037504f316a4122383636fc6253bf9
SHA256
7bdd36ca5789a5fcb7cfc675dfc9bd733f7b639ea0f429e986dd7a0cfa6936d5
SHA512
94079acc4437d3ef124b78d1f5d7e0571d775f0470395d7e665041ffea900a93f69b0a0d04f57275709627c05741ea1ebb0ddac674822d75ce14019e281d9d14

Filesize
1.4MB
MD5
291cbc9a00f52d4b3e0129f6e649b857
SHA1
d30127f960c7aa374c31685275e8e6142ee9b8ba
SHA256
f63ca7832cbca9474e10266e9b4b31f1309d977b6f0dd7886f03ef7bac7e7d26
SHA512
80ec35905e85f7f4ee3573cfc2f54a2a25a668450f71a12f228d3f42da4c3be91e0f3ad47275c98c522ee38c503876b74ca11456f96885fb32a9f5f83301d394