Analysis

  • max time kernel: 121s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-09-2024 16:48

General

  • Target: f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe
  • Size: 334KB
  • MD5: f039ba0206d99acf666c9523bc2f4f8b
  • SHA1: a4008925fdc49ced659ee7112a3b8ef87a670f1a
  • SHA256: a676bd39c2939e13185063e83fbcdb02f52b11f3f6433a52b84638c456c0f3ac
  • SHA512: d717a429d32d0d7cdfe26aa38c8a348151140955c9c771e28896347ed264170423ff5cb3efab5319f671e1c1224832ae64e5fab06b2d986399a1ab02f25edcd4
  • SSDEEP: 6144:nlW1wiBz/+cF69C9XYJLo7XL9788xGKvR47spQnxaA9yEQ2pD3:lQwIzmcY9C9omxY8xrvR473R9yEQ2N3

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 3 IoCs
  • System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs

    Abuse Rundll32 to proxy execution of malicious code.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy TC.inf C:\Windows\INF
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2332
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" advpack,LaunchINFSection TC.inf,DefaultInstall,0
      2⤵
      • System Binary Proxy Execution: Rundll32
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del TC.inf /q
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c xcopy * "C:\Program Files (x86)\Tray Commander" /s /e /i /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy * "C:\Program Files (x86)\Tray Commander" /s /e /i /y
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Tray Commander\MouseHook.dll
    Filesize: 56KB
    MD5: 3e745f22481b07450f30e64f936a37a2
    SHA1: ba6700f0a3d948d99db882004d2da20152df7947
    SHA256: 06d72e1818e33ebdc2be3af82829e56845d539263e2b6d24712368fe3ae68185
    SHA512: 98fe9dc8ac9b346ad7cd0488507ee8667a7fd63861be2411de88eae1c6e98567641229bd6b42e622a18fae79f5e23e1ec9968bb6d7414221768c76973ee885af

  • C:\Program Files (x86)\Tray Commander\Russian.lng
    Filesize: 7KB
    MD5: 0900b52f35547a4fc0ec9e93c4a406e4
    SHA1: 9b223991d6b229c114f956bcb2ba2befe51dabcc
    SHA256: 3a90c09063db79d994ed940552243d5f6e49d63b7358390f7934ecc0bd2b2ad6
    SHA512: 6c694c392c44534a8b8e42af1c407a91af404ebc813ede3e9aa78d5901295e696eafdba9876970ea69cc51188fb7b8a1d1cdab0300379d2a481808d00f98ade4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lng
    Filesize: 6KB
    MD5: 8dd863ee37377b9262d8c0d1fe7c0ab3
    SHA1: 7a7b610e2d4157029b76960ff1ef76eeac270738
    SHA256: e971b69b010ccd268e61e5d8513be87967d731ea0d3ff31a91ee2328ffecf9c8
    SHA512: 81f9c34af78485b61dff7ee2e335433602e18c46e0dbbbcfeec47c1320f4f89af088bde737e5f6f3a10f17c4099b6c5ce6d151c7cf2d5f7a6fb0810a45e2f0e4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\TC.exe
    Filesize: 912KB
    MD5: 6cb58710d2d5e150f3939f9da788a027
    SHA1: 32fa977a1ebba73dc5315ae70d0753577949e1e9
    SHA256: ba6a656e609f20a59e5bc3d1ef0c65b06aeb5d6d0442691737b78fb464789fde
    SHA512: e4f3dc946ce2a40e95f3addcd14a54c598bf57c59eef116888a02960afb3aac69b1fab05a6d9ac0444908c4f20b3507e66cf9caf0684a44c1f679eeba11e5cf5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\TC.inf
    Filesize: 2KB
    MD5: 815a8ca02a3a97f0696c890b35492fcd
    SHA1: beda158470bb3d7fe9b1b0691155b59b58bdfa27
    SHA256: 8fe36a0fb3b8b15c4578b1c1caeb020afa28e910419ab7b57311c76dcb3e1076
    SHA512: 81f2faf79f4035ca2f4b6237d10cd4ff98b7343962ecdb32f5daf509d65c5eebac74d827318a75b0f2d338e72d9c55530ecfe4250a1e11f9969b54261da30781