Overview

overview

10

Static

static

3

ea94ca2f26...18.exe

windows7-x64

10

ea94ca2f26...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea94ca2f26b68c60d382793f6b138075_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    ea94ca2f26b68c60d382793f6b138075

  • SHA1

    68253e94bb46f747e048c160369a95b57bfc3f65

  • SHA256

    eccf0fdd26a4943b1c5bff0b83492d3d605ce23c27a2524167bb76bb9eac8e25

  • SHA512

    3b86b3cd9eda5c443d2e0442ac119792c0edafcc3694c74493278ac01920f06bd7670ceb879dcf29ed150a568e79aaf2194c1ebefad0a081dd84bf2656728e29

  • SSDEEP

    24576:qk/ATig2g7ru5yeO7VeQ0DjrDTlJJn6gz2m1qAJlYQ8xS:zoTr7ru5p4VehDj5KuZ1qAJlT8x

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea94ca2f26b68c60d382793f6b138075_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea94ca2f26b68c60d382793f6b138075_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SysWOW64\URMDEK\XBK.exe
      "C:\Windows\system32\URMDEK\XBK.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4184
    • C:\Users\Admin\AppData\Local\Temp\Bot.exe
      "C:\Users\Admin\AppData\Local\Temp\Bot.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 MSCOMCTL.OCX /s
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4268
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 TABCTL32.OCX /s
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1824
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 2840
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:372
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2804 -ip 2804
    1⤵
      PID:1568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Bot.exe
      Filesize

      656KB

      MD5

      539f5e51557d5233f068fd60903257e0

      SHA1

      e7d8dc3b4cbcc3b4538b77e1e54c51f6fc10d56d

      SHA256

      15b0316a891ba7259d85a1f7a46c48678583c3f9b9dc2bc869aec135eedccdbd

      SHA512

      90b6ccfd8562e269b68a004dc1b387cab6c00e8eb9088db87e4351dd1986266ede557ac5339f7121d62143c9f5d15bd9144f9a162a54b75d6f7ee0470cabd3d1

      Download Submit

    • C:\Windows\SysWOW64\URMDEK\AKV.exe
      Filesize

      466KB

      MD5

      4c5711d8a02899113661bdff195d80d5

      SHA1

      263592abea6d60887defb4b1bcb47dbb383edfb6

      SHA256

      661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195

      SHA512

      4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

      Download Submit

    • C:\Windows\SysWOW64\URMDEK\XBK.001
      Filesize

      61KB

      MD5

      7a5612cc859be918c5767487f8a6815a

      SHA1

      a855d3a3e6336ac0508a8099e8ace14680394c36

      SHA256

      643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

      SHA512

      31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

      Download Submit

    • C:\Windows\SysWOW64\URMDEK\XBK.002
      Filesize

      43KB

      MD5

      b2bcd668abf17ee408d232cc636614b2

      SHA1

      c354f941121515536c4f0d9ae49ed1a9b28534b4

      SHA256

      563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

      SHA512

      ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

      Download Submit

    • C:\Windows\SysWOW64\URMDEK\XBK.003
      Filesize

      68KB

      MD5

      6bd4c1228b95c18c37fbb64e489d6f8c

      SHA1

      2cb9a5768aa9b7c1be737768acd4b57204e81249

      SHA256

      643f37d64e68ef5a1da38c72f555ed0e0997ca894ad1aad6eda3554f008a6ed9

      SHA512

      a5672175699d27e735acf50641e7dcbf8af5a193d8153818aaa7c97532f0dd19805be37df8e2e7c5cd0c0a233c2babc75ebf7eb90bce54992bac77881cd4e14e

      Download Submit

    • C:\Windows\SysWOW64\URMDEK\XBK.004
      Filesize

      1KB

      MD5

      9fbea67da48448ab4d0678a07789af29

      SHA1

      6aeaec449be9de791bcbd22766530fd45ab26af6

      SHA256

      f05ec1298316aa304bfd0dd84d1f8e4f775d0a9fb2431b7262c5fe3a5fb72940

      SHA512

      a0aa510362cb58803e81b948994b3a1d72ac8a33bc99cb93d92c5e6a38ceddd4591bddedeb9f71d6662b4ec918903e11dd4b6b49873c27c688c86850a4e1146b

      Download Submit

    • C:\Windows\SysWOW64\URMDEK\XBK.exe
      Filesize

      1.5MB

      MD5

      a9ea3f61a57b36cde9953afd91f18d34

      SHA1

      e7e931b96b6e39b64a2a38d704bbe9561a234cbc

      SHA256

      accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

      SHA512

      0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

      Download Submit

    • memory/4184-19-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4184-54-0x00000000005E0000-0x00000000005E1000-memory.dmp

      Filesize

      4KB

      Download