Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    25-09-2024 09:01

General

  • Target

    f5a80619f99b2bbe81ee25835b3f71fc_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    f5a80619f99b2bbe81ee25835b3f71fc

  • SHA1

    0e5b887dac29b5f931e4c3a577280f10eba46b38

  • SHA256

    b7a16cb08484d1e58057ca2dd7666d315cde459b2b26ecf86855469a8f5a30a6

  • SHA512

    5031abd527db133cb7e0e0877d397fa4054f5b2e1d3ad28e483edc409d79440495802cb74e6095dc497577bc57eb1ee9c72235e6f8d89ac804242ce0fa1c7cf9

  • SSDEEP

    49152:bJoH3PXPrie5vQmbMB+GovrLTFbVURiOrbmaHUrv:bJo/XPD1b/FLT7aHmv

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5a80619f99b2bbe81ee25835b3f71fc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5a80619f99b2bbe81ee25835b3f71fc_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Users\Admin\AppData\Local\Temp\chargea.exe
      "C:\Users\Admin\AppData\Local\Temp\chargea.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\28463\PXRY.exe
        "C:\Windows\system32\28463\PXRY.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2140
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2572

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\ATgAAAB9s-yu3hw3ph1ucnuMx9Uw9Xl6c4ADkn0_Fr4kQAH--GWK882PFWSu7y-pDIBjJqOWyONUFTrsA4W2hkttfpTHAJtU9VDEszLssP9rIwgF9KjnNcLlYXlo2g.jpg

    Filesize

    33KB

    MD5

    dc4f47613faa386b20396d842f297abc

    SHA1

    af659cb4652aba0f8e87e8466c7fa65516a7d01a

    SHA256

    f505b849065b4513bcd434b4641d3097402ae9437b7ef283db3abb36414566e2

    SHA512

    45ee2cc4d8ec3b33ad0b4ae06b215b33a5602324b758811de66b44d9e18c9ee716910d08fcc6f37de2c4aff4560af78a737cc97ed2762f9aa3c317d2fd52d2ce

  • C:\Users\Admin\AppData\Local\Temp\chargea.exe

    Filesize

    533KB

    MD5

    4bd3f76dfb5f862db168072bf151683f

    SHA1

    787e9b11d94205f22006b0474aca48c7912c2b12

    SHA256

    51821fef2c7a636ea4bae3867949436b3713819d5401bc24043de085bc7d84d7

    SHA512

    dab6a6fdcb6b5cbaac25bbc84d9d2eeab47bcabaecd57d1fa3ec3ee38fc6563f682473e3400a32ca6fe468602b2f356c7529fe1c7849a6f734a38e7875995046

  • C:\Users\Admin\AppData\Local\Temp\yakusa.jpg

    Filesize

    8KB

    MD5

    2b7027b6044715e98d73ef9a13b93d65

    SHA1

    cb60a02d83b30599fa836dfc303a9542fc946c3e

    SHA256

    49cb1dfc9e0656c382102bbdcddf9e186a97d01de77a85e9d12902bba3494d02

    SHA512

    8e6dbbebb3b6913019e29f89d6d5f14c4619d09eb954ad0b99907976dcbc188e025253f29f9158877526dd50ba5505402d8f27c303f1b04827c94c68ace142b3

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    395KB

    MD5

    adabb1cc5c00784846c6f082f7e95f21

    SHA1

    0d1bf1674cd5b077e7e601874f3f438d2bcbc690

    SHA256

    9797854eb963309d21e33e4edb092c01859d00465d7da76aa26d28da54a5f0ed

    SHA512

    29ca5369514f53721099fd94d4cc50cd02b2815f255026611358c75e9161826fa17ba1043db6aae886adcd45be9616c19e706e405a14a11b24522e5278ca6f5f

  • C:\Windows\SysWOW64\28463\PXRY.001

    Filesize

    518B

    MD5

    a88a80ae152542476d05d2cbc15e16c0

    SHA1

    ae46d60c018a4a0941db906bd75fcee882b7a868

    SHA256

    7a26f73955996270a66380ddfa7b746ad95cb6d3e09c33abe663bb9f63d6d203

    SHA512

    60452b6fea855c91c75384eaa04e2a565738397085e0eb8e4c4b1243eec404ecdc7526c793359b917323a792373d0b0bb55195f19f8e5b907c43779f46cd7f93

  • C:\Windows\SysWOW64\28463\PXRY.006

    Filesize

    8KB

    MD5

    20efb1eb38ad96b4b5e85ed073e21883

    SHA1

    b2680fe3698d768d1b72eab5afdd2d8b50a89c69

    SHA256

    dd8045ef5d36c1b053806cef96c77dd2a9ebe4d9e3dcd6c480ef3ec16ff1894f

    SHA512

    0f5fbe07a3a79f904456d3c112a8508cc2f37a328938b6fd2cef29c5183a404563a8fe21906d48318b5fef4f7326e48afe3d1213a4c913306070e5ebf263ad98

  • C:\Windows\SysWOW64\28463\PXRY.007

    Filesize

    5KB

    MD5

    84dd6324b3dce57f35d7c1d2d1a80492

    SHA1

    d332d0076613ef7c15f74a3a105b2249654855d3

    SHA256

    036a3db0118139b5e3767cb3a3714af80e508264ad97fbdeac7f4edf8c9561a9

    SHA512

    659bb8ed05760b159bef3f587b5c4bcd37dd5e492225a3e7199456381889bf30d0659c36deb4f49fa19347769e3ad9ef75331f300724d39df8fd2ef98c24d6cc

  • \Users\Admin\AppData\Local\Temp\@4827.tmp

    Filesize

    4KB

    MD5

    8ec77ec0a37da46ea4cfe747c450babd

    SHA1

    cbcdb4fae0aca8a33dae7c4639e1bdfe8480353d

    SHA256

    366e2c9fc249f38d5f0dda163488dc7c165def62421b34dfbe1c7a39d6bf0453

    SHA512

    14e7946d352baa8fe8cbacefb267d1de9d0c00af7361d712923bb67c66acc6ac28d4c1be30871676a9a7b1750f17db6ee4df203370b413ab4551faa7a8cc1eeb

  • \Windows\SysWOW64\28463\PXRY.exe

    Filesize

    473KB

    MD5

    4d1b16621c0698cc15407296046c5f13

    SHA1

    895ad41339a41718bd8a7b49fe5f9df5861a5f62

    SHA256

    2e17c5b2ee80ea87344c586a2049fd96a5a69ef53d9211399f503c62743c181c

    SHA512

    5c2e431be346dd72e53b37817320f9c2df69823741e3b53313ffbe686266d4903633155f63812e81f605511320ec3b12b87b586bc930393716382af0be474ff8

  • memory/1348-7-0x0000000000400000-0x000000000065D000-memory.dmp

    Filesize

    2.4MB

  • memory/1348-36-0x0000000004BF0000-0x0000000004BF2000-memory.dmp

    Filesize

    8KB

  • memory/1348-0-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/1348-5-0x0000000000400000-0x000000000065D000-memory.dmp

    Filesize

    2.4MB

  • memory/1348-47-0x0000000000400000-0x000000000065D000-memory.dmp

    Filesize

    2.4MB

  • memory/1348-2-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

  • memory/1348-1-0x0000000002010000-0x00000000020F8000-memory.dmp

    Filesize

    928KB

  • memory/2572-37-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

  • memory/2688-43-0x0000000002680000-0x0000000002682000-memory.dmp

    Filesize

    8KB