Analysis

  • max time kernel
    66s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 23:54

General

  • Target

    ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    ff87c346af525e2d84b797d6c1aae5e7

  • SHA1

    4ed733f35f027d56bfae661f4c48cc38a95c8cbf

  • SHA256

    77a65648073afb27ceb84694efe9265ae3b283988db704ecbe538b018b08ff14

  • SHA512

    f389031260c39a49cf98e7340a3d1871c2edd96a2822d39f6cd80abbe4958b8d211d6ae564fdfa6710a8b62b628b04ceda6395d2f6ce405596900ce83bc7db6d

  • SSDEEP

    24576:fU4oTd2MFLCxoGPKDub/nI6d3Qzd/HXpvPY3pP:fULTd2WQ3znPgzV9PO

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff87c346af525e2d84b797d6c1aae5e7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\PEVMFP\KRB.exe
      "C:\Windows\PEVMFP\KRB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\PEVMFP\KRB.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\PEVMFP\KRB.001

    Filesize

    60KB

    MD5

    a15c556f17d7db8287e023138942d5db

    SHA1

    880bf8ec944120830dc2e2e040e5996e4e0e6c83

    SHA256

    f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

    SHA512

    930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

  • C:\Windows\PEVMFP\KRB.002

    Filesize

    43KB

    MD5

    daabecdfba287a3333b60ae82211acd7

    SHA1

    e67b4c7bf0dd71ad47263a58bb60be4bce504b84

    SHA256

    12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

    SHA512

    937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

  • C:\Windows\PEVMFP\KRB.004

    Filesize

    1KB

    MD5

    552f0e44ef070d229192ec395ae2ba3c

    SHA1

    b8d60002a0055fde19ce0d7baeb12698fb837b44

    SHA256

    baeeb7c02516440613eb183893763785d054297caeb5bd2ad21e71d164d3de0f

    SHA512

    64ed0ac1869f8e5c66f7d49fe0b8bc9246bee21ac7cc7955f4bb74d456c0c7605d3a36c889b0812424742f232410af1b7502cc7095c0bd0c43a3b959eb1d4472

  • \Windows\PEVMFP\KRB.exe

    Filesize

    1.7MB

    MD5

    f3819a6cab8ae058254c4abb3844d87e

    SHA1

    0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

    SHA256

    3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

    SHA512

    dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

  • memory/2372-13-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2372-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB