Overview

overview

10

Static

static

3

0c3f9600cf...18.exe

windows7-x64

10

0c3f9600cf...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe

  • Size

    176KB

  • MD5

    0c3f9600cf2e2caca46b95a6a4eef62e

  • SHA1

    a8bc9078892e87071d03e130d3888fb68524b8f1

  • SHA256

    dd4da34e1824487755b6f25abe47461ab8a62126f59857bb01a8a21ecce000cc

  • SHA512

    89cad159b5b3497c3be499181bb9216bc1922529b2f32bb019b67c2b3eedd14c87c4da57b0e99b5d989e65bf5ac30a894e39b636373d0b09b6f1e1283a93f00e

  • SSDEEP

    3072:DOrFCI2QqZFpl/lyvp1mJWyIxsNevedCj7XP3uJyWa8rrunqJrACL0UdZ9vneK/C:YNmLp7y3mHsfXXmJxdrunqxAS1X/kjuy

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerstealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\TPD.exe
      "C:\Windows\system32\TPD.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\TPD.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@BF1A.tmp
    Filesize

    4KB

    MD5

    ccfd350414f3804bbb32ddd7eb3f6153

    SHA1

    e91d270b8481d456a3beabf617ef3379a93f1137

    SHA256

    1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

    SHA512

    328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

    Download Submit

  • C:\Windows\SysWOW64\TPD.001
    Filesize

    1KB

    MD5

    fef3884b1322b5e9af85b4c1597f859b

    SHA1

    fbb117c73ee39f4f0f4257b6601dee2c42c74882

    SHA256

    f11ebd77da27c71202c0068fbdcd5f08205ba79238ae2c4c9c7a0cd8001d9a70

    SHA512

    04ca9e5cf3fdfce9625205fd00207c705ae8e0d5a1a50088150c6c0bce278eb0ba768a226ca47afd82ac6da8b7fdf077a5631e65ac464d1f89672c58e4bd1eb0

    Download Submit

  • C:\Windows\SysWOW64\TPD.006
    Filesize

    4KB

    MD5

    0868167c8915fb3d87d4e5a775a57ffd

    SHA1

    5f223134e003382fd8c191a1f4ca94922f1d802e

    SHA256

    6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

    SHA512

    d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

    Download Submit

  • C:\Windows\SysWOW64\TPD.007
    Filesize

    6KB

    MD5

    5e023770dfb9d9068706facc958c7d66

    SHA1

    9cf95074a78239da000452362c2167991970e972

    SHA256

    f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

    SHA512

    a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

    Download Submit

  • C:\Windows\SysWOW64\TPD.exe
    Filesize

    239KB

    MD5

    2bada91f44e2a5133a5c056b31866112

    SHA1

    9fbe664832d04d79f96fa090191b73d9811ef08d

    SHA256

    c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

    SHA512

    dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

    Download Submit