Analysis

  • max time kernel: 141s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-09-2024 16:16

General

  • Target: ebb68d587792734a41d2cc9cb4108883_JaffaCakes118.exe
  • Size: 261KB
  • MD5: ebb68d587792734a41d2cc9cb4108883
  • SHA1: 8b72589a0369088c6bebd51c6866d732f984e20d
  • SHA256: 10e4be086813a732d597f944e48ac2d5fe383e9969c9f6cfb681fad7e60afb2a
  • SHA512: d675454c5b7b94f2a8abc222ef5835f864ea8b64c86231845cb148fad6b2be1119922f4bc682e673a79338d4bb8ef17a5855cb1ebc361524e448de74e01b8921
  • SSDEEP: 6144:OmNs4fAfqVMewEXc6UXWDc9MP92k51vuEuRR:OmNs4cqVMYs6UmBwPR

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebb68d587792734a41d2cc9cb4108883_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ebb68d587792734a41d2cc9cb4108883_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\NSK.exe
      "C:\Windows\system32\NSK.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2072
    • C:\Users\Admin\AppData\Local\Temp\bafometro.exe
      "C:\Users\Admin\AppData\Local\Temp\bafometro.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\NSK.001
    Filesize: 1KB
    MD5: 100d5d6fb19e30525c2a1e50d8264577
    SHA1: 27488ac68647ec87dd981ff826932ae5cd9d9450
    SHA256: a0e18be4811e1c0c7e06ae836296d16787140f9ff46156511972bdf32fb51015
    SHA512: 416bb6f978f16931c44b4bfc4eccecbf8bb40ecca53436e127dc104d6634f201cf366d3e9179456587bb8e7bb18cbdef3a0d6da27d4046747dec243fcdc2a8cb

  • \Users\Admin\AppData\Local\Temp\@B79C.tmp
    Filesize: 4KB
    MD5: ccfd350414f3804bbb32ddd7eb3f6153
    SHA1: e91d270b8481d456a3beabf617ef3379a93f1137
    SHA256: 1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3
    SHA512: 328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

  • \Users\Admin\AppData\Local\Temp\bafometro.exe
    Filesize: 212KB
    MD5: 0b69bead0fd93128cda7980c4bf9344f
    SHA1: 2e179c08feb9ff3c0a36c5215784e62354f6cf44
    SHA256: 1c0adc42188797023bd2ae06c0225004e32fddd8fdbedb48092a5f44961a9580
    SHA512: 87c78ade59dc8346cc7cae3c7815cbd8b850869919e2e03f4a8ded317c653a51155db07d21c0de50c94ffd6a058756af007cfebf8302c3290f8471ae87abeea8

  • \Windows\SysWOW64\NSK.006
    Filesize: 4KB
    MD5: 0868167c8915fb3d87d4e5a775a57ffd
    SHA1: 5f223134e003382fd8c191a1f4ca94922f1d802e
    SHA256: 6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c
    SHA512: d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

  • \Windows\SysWOW64\NSK.exe
    Filesize: 239KB
    MD5: 2bada91f44e2a5133a5c056b31866112
    SHA1: 9fbe664832d04d79f96fa090191b73d9811ef08d
    SHA256: c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02
    SHA512: dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

  • memory/2392-30-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB

  • memory/2392-31-0x0000000000400000-0x000000000043B000-memory.dmp
    Filesize: 236KB

  • memory/2392-32-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB