Overview

overview

10

Static

static

3

eace767a70...18.exe

windows7-x64

10

eace767a70...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 06:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eace767a7084110c7be0bda411cbd996_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    eace767a7084110c7be0bda411cbd996

  • SHA1

    01b7a569cb1581480c39509962402e92a3cdd0c1

  • SHA256

    19e6ba9ae6beab5549a1a2553cdd57ed2e5e1690b44bcd5bba39fc171c1106b2

  • SHA512

    4dd32be6e324214751c1fcb12fd8271412925d23ba1603870583c52c4c7cb2365f8549aaf8234de0f698b1dbfa6f39bbd4ad21b23dab47a39ea5edb44347b98f

  • SSDEEP

    24576:r3LJTFySGlWcmnYPke+1/4H5TzMBm/k7P6QWWpaUBZ9wEm9LNDFuhNdxlRljqQ:r3tTosR/45zAm/k1QVLex9j

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eace767a7084110c7be0bda411cbd996_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eace767a7084110c7be0bda411cbd996_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\SysWOW64\XTOBCC\PIB.exe
      "C:\Windows\system32\XTOBCC\PIB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:912
    • C:\Users\Admin\AppData\Local\Temp\picker.exe
      "C:\Users\Admin\AppData\Local\Temp\picker.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\picker.exe
    Filesize

    356KB

    MD5

    f23b16d1c2a6dc8a590d7c0deb7df2d3

    SHA1

    8b876e900d3cf51e3e8251f224403062fd751f5f

    SHA256

    d459d0d9f93d4f5617525f4bc330dc813d7d44d19e1dbc22397fb7b1e9729f0d

    SHA512

    e9777767a6d51ab1df232e7733d4c5ffe1b9882212ec37301a39ee160f6f8c34ebc27067ccf9f9b97b17d335e684679e9fdfbe6cf7cbfdd8005df2924c2c2946

    Download Submit

  • C:\Windows\SysWOW64\XTOBCC\PIB.001
    Filesize

    61KB

    MD5

    513c67ebf0379f75a6920540283a4579

    SHA1

    2fe191acb478d62026a8dbf63f65619d168ddee6

    SHA256

    8f636876880c59251548fca626731e648553e0b81b02f4667c22cbfadfbd6e30

    SHA512

    2330f5bbd8d7de91473430bc35a125fe13b261afa5b4ef9533d4d6ebcde6cfe27f705fccbdefa092eb9123eb33dcc1448deab72adab981726517afe458beb01d

    Download Submit

  • C:\Windows\SysWOW64\XTOBCC\PIB.002
    Filesize

    44KB

    MD5

    1db8aa9ffda07a5f5559cbf25087147b

    SHA1

    eea77894bff8e24fb0861159927f67decb629184

    SHA256

    8cf369255b48195b8ecec1c7bf2e76924641880aa7311e6cf504ca534bbfcd62

    SHA512

    b9f80191dd8975c2e484eeec1bc7c6212d1b614061e69d96eda87b7a061a78a34de220f22607c3eb1c0fa37f152744a5c8f65a896e2884a9daf969db54a11704

    Download Submit

  • C:\Windows\SysWOW64\XTOBCC\PIB.004
    Filesize

    1KB

    MD5

    d2e051c82fdf8c8faaaed6ce52d1add6

    SHA1

    843dd4dc56b19b3aeacdbd0b331a3a61eecd49ce

    SHA256

    371fc975e8360aa5de02e3caee8e435e3ac6ace0fd9f628dae05578ec064df7a

    SHA512

    5704abf88f88884e3b38f1f2ecd4516b1acd03d67196e6b15693c47fcb34874ddc889c1a3a809769a3b1e44b02a2106c6349f401a762ffcea162a98d0fca1e6b

    Download Submit

  • C:\Windows\SysWOW64\XTOBCC\PIB.exe
    Filesize

    1.7MB

    MD5

    7dc8f94e34ad6f38e94f957043c39617

    SHA1

    081a26dc478bd3de6f2889b9c8da8b2e79723d8b

    SHA256

    618fb51d23c0ca116dbd24dc5e0240ebda862e405283d64871549321fde08202

    SHA512

    539c239670369f34e7907d072bdf6b91becb927454db3212b0c307363289b1900edffa2f9fac22d3d14435fcee28b7bdeee1f039f027d74f84627c85774b9f56

    Download Submit

  • memory/912-31-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/912-26-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-32-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-36-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-30-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-22-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-33-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-34-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-35-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-29-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-37-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-38-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-39-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-40-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-41-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-42-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-43-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4000-44-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download