Overview

overview

10

Static

static

3

e1ef1a87e8...18.exe

windows7-x64

10

e1ef1a87e8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 06:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1ef1a87e8870a258409381cf005c39c_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    e1ef1a87e8870a258409381cf005c39c

  • SHA1

    2eae3742bbd7585c0860981e90dd18e35b9ac732

  • SHA256

    418423971a7dc99cb1e1f1676a39c359ef22b9a9941e51d151b12c13c8e55124

  • SHA512

    f63c0a38c5fbcbe759ec119a81857239478e28ad2263d4f947813364c0852475959a42dc94dafb69a77c4e78a6795ab6f887622594770892bd71bcef91c42506

  • SSDEEP

    24576:ZHvZTCpS7HweVGVAofbCOImY7GQRgbavM0/0o0KbqSauOpjDLXZcbRV2QyRPp:xBTCY7ZhKm75sav6oTbqSauaLXZcbRcf

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1ef1a87e8870a258409381cf005c39c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1ef1a87e8870a258409381cf005c39c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\LYSHVR\TAF.exe
      "C:\Windows\system32\LYSHVR\TAF.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\LYSHVR\TAF.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3024
    • C:\Users\Admin\AppData\Local\Temp\File Compare.exe
      "C:\Users\Admin\AppData\Local\Temp\File Compare.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\LYSHVR\AKV.exe
    Filesize

    459KB

    MD5

    28f68e988bfb6a7c9d45d23058cf74e5

    SHA1

    a0740aea5602429f844cc7ba35c637d26c59edf9

    SHA256

    1dd66d2320104e426a9d8ae390d3199a6ae2ecadb85e35eed9c6ed7a1819d478

    SHA512

    dccc2cb961f86a0e11a27976d9f53043df895edf8ca624ace1be2b002b5ce2c372a833b87fdbeb518ada7666c72d01b9724f5ba203b301af444e1ac01104fcda

    Download Submit

  • C:\Windows\SysWOW64\LYSHVR\TAF.002
    Filesize

    43KB

    MD5

    94aba5bdc0756bc2ceb5f521c4b620c6

    SHA1

    fbfd46ae5704c7dd6d63b959c1edb869f7dd19cf

    SHA256

    5bc8115fdcbe153a33a3feb65bc9eefe4e2a0357a145525f05689054939779e3

    SHA512

    0f4e154a0813f39f76acc95ec70b87241017d4210b44395bea9ef66c31f0da05503cf8ad665e03fd0c7aed8084e99bf3358de699bbcae2ffbe5176987640e33b

    Download Submit

  • C:\Windows\SysWOW64\LYSHVR\TAF.003
    Filesize

    68KB

    MD5

    d60681fbc823778563c48ee4b60738a9

    SHA1

    edba51b88c7d3e53e96cfc599722e786648b68e4

    SHA256

    eecfbf0329505b64616240086a69538a02fa1e0fbc0e1d9032c27d80f10b97f4

    SHA512

    e3b41bdf63330e53f4823039537bad120c174f7aed102b9fa3c67141afa16d4b6b6710b8cb4fbdb2e7c3f7fa3edff899dffd18ecc13961e5d61e402d947efa5c

    Download Submit

  • C:\Windows\SysWOW64\LYSHVR\TAF.004
    Filesize

    1KB

    MD5

    83e1df9d802f121b59c292213dd65870

    SHA1

    2186d3945dedf8e60082e82632d43ef81a914f9f

    SHA256

    8eb1eb0c0293fc9667908ca7f217f1eda6df2d9f10ae66a225f0adea10965359

    SHA512

    11a2c0d81dac2ecf666a1139382d2ee24df28c8c94eb06fe0f27de3dbb7e9ca88d0e77e1abf720aab28c89989cfa889de552477f08bd49fdd6df71b74c9ead52

    Download Submit

  • \Users\Admin\AppData\Local\Temp\File Compare.exe
    Filesize

    391KB

    MD5

    2951e0186e410bb029286648d145a4e0

    SHA1

    e322e158d59a31eba57af7ac852835e4be563548

    SHA256

    0888125019f61e0e1621f440af2e3b105e443e89ea2967d83194f577416854c8

    SHA512

    92e8793607c055f7ff3d4ae2439bde9a6fddb33722fca315cd3d29641eb2a7d52b182d61079b1d5cca6fcc4c9ede276cfa0cdac0cdba7d632304f4217cd2d267

    Download Submit

  • \Windows\SysWOW64\LYSHVR\TAF.001
    Filesize

    61KB

    MD5

    a2e848c23f0e2cca1974ea55e6a99779

    SHA1

    34a5a236c6bdfb6b9a47d5cd213147da7a507ad9

    SHA256

    e852249a3fc489ee5c3fb4928dab911c4d826ef180f27faaa2f37a7179d231e4

    SHA512

    70b67fd7368b0efdcaaad3cf8478b7519761afcb0578bded88f61bc357cbddf0c851e8248cab32c1d3b12dc933a33ccd23906aee695a9a9748a1d465566a108f

    Download Submit

  • \Windows\SysWOW64\LYSHVR\TAF.exe
    Filesize

    1.5MB

    MD5

    b2d5e28fcce82e8ee5e1c0b1502e8730

    SHA1

    2573726de59c9c342e3d77bf7436704e74ad90f4

    SHA256

    b69590e97e053d49295aa1776526052caf3669579e81302825c954b0a4804095

    SHA512

    0318b6cc12c373a200fdfd144af551c90e2db0219115c6d7d3ec43275f177831c71a06a1c9741cc9522defb293212375707df73e28824d4b37c1d8a6d7c0638b

    Download Submit

  • memory/2268-18-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-31-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2748-30-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2748-33-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2748-32-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download