Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    18-09-2024 02:18

General

  • Target

    e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    e8235f369bed9d092bda176cd5fd7466

  • SHA1

    02ac1c6604fc55b4478534f3020041c53a725eb2

  • SHA256

    20e69215971cd1615920e55183b2186794a81322a44086c3582ef7e820ad533a

  • SHA512

    3cafcc573ff0b9e87ccc0f85cf07228c5610fa23caf7b554512ac1aad8aa2633a3ca956964295123be7505e253c7ba9bb9a80567bb673b6caf9f2921a49d9f1c

  • SSDEEP

    24576:dzwTT6VrDtLzW/nQI/ZH65X78Dr2YWIsdP9+FhIMoYTL/rI2GSF:dz+TqrDFW/nQ/uDCEsdG6M9TLM7

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e8235f369bed9d092bda176cd5fd7466_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\ENUJXA\GKK.exe
      "C:\Windows\system32\ENUJXA\GKK.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2628
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\controle20011.ico

    Filesize

    31KB

    MD5

    7704bedbb1885b07b82e1007b9f3e968

    SHA1

    0a3b4f7ec84ae18d303b0aee8aa56edd6370bbd6

    SHA256

    7c7db85af38b44ede7e15010690bbb6909c946a7f423b288c1ea8057cc249941

    SHA512

    43a2dd4188d2a1b67edfc366056dce1cb28389658c9eeeb2666d0ef57e9ca866c166c11c2464012369c7f8767aeb428623aa0c44711d1d2811d6f7061389d480

  • C:\Windows\SysWOW64\ENUJXA\AKV.exe

    Filesize

    485KB

    MD5

    42150775d201a85ebc379d21aa253f85

    SHA1

    fccd7df34e16abaf8d55935016cdb15df8041e06

    SHA256

    00206ccef9ee8da111cc547c698b7e61736b328de48ac5c307d05f2921ef0b9c

    SHA512

    4ff3c587a8d88e319acb028829c75ecb3e11c16a62ba9c2090720613c51c6555af698ba8ff75672b405602f196ed1b99dbeb9395bae62aac2140fa31600b36e0

  • C:\Windows\SysWOW64\ENUJXA\GKK.001

    Filesize

    61KB

    MD5

    9681d3e1f2c53ad98b8467b3acca33fc

    SHA1

    04d5d08781f27d6e08ad0262f7325b2be4db7743

    SHA256

    baecddca15ea6932b9cd4e7f5bae848c3c290660a85c408b898150c6f8fd744e

    SHA512

    5c6191fb676ace9d1c2ddfd4e98651959ab24b718ab626c343e2bb271d31edd8ba43ed9de528c7832ddcc2137d2424c22bb19f115dc252e1400cfcd3edce2098

  • C:\Windows\SysWOW64\ENUJXA\GKK.002

    Filesize

    44KB

    MD5

    e65e4bdb2c86226589b88f101153c01b

    SHA1

    731be43621721dba20f0bb74966ea08043ef37fd

    SHA256

    e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2

    SHA512

    7700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd

  • C:\Windows\SysWOW64\ENUJXA\GKK.004

    Filesize

    1KB

    MD5

    dcd582e0797b4f2f986af7d49bb81a6e

    SHA1

    733f946842bfca54fd36b980ac4f663f0a5140aa

    SHA256

    db61e08b0df8d0ec562ddf22679b01d0c95b9e8f1cc7a677c7701c709898595d

    SHA512

    0de2a2fe282429593966e7ec5f9963abf02ffeb4e9118d65b90949e1199c0495e8b9de4d24730c5940cbe02d8813fa97dde013a9d04126d194915e437c7be3f2

  • C:\Windows\SysWOW64\ENUJXA\GKK.008

    Filesize

    458B

    MD5

    4c124cda2262488e26de5d63a79c4825

    SHA1

    02bcd356e48330c3570c1a608aa926f3870b5fa9

    SHA256

    e9aac31dddc303403269d1113e0ef4c1a02a828af926728623b52c98f002fdb6

    SHA512

    08528c077749899e8635b18c2279ed415948f425daeab1c0906cdd81b5576ee50fa3ffe247a685b40ab56979dee6be31092aa6b366998c3b245b9ea080e5e28f

  • \Windows\SysWOW64\ENUJXA\GKK.exe

    Filesize

    1.7MB

    MD5

    9a6a50772539f5a61fefa29c34666223

    SHA1

    b2b8650d817ef7d86bfef48420e9716f0ffdccce

    SHA256

    93db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b

    SHA512

    eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed

  • memory/2024-24-0x0000000000A00000-0x0000000000A02000-memory.dmp

    Filesize

    8KB

  • memory/2628-16-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/2628-30-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/2680-25-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB
