Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-10-2024 16:56

General

  • Target

    18ed05e5acdaac76ccb1e6e5a7110e3a_JaffaCakes118.exe

  • Size

    197KB

  • MD5

    18ed05e5acdaac76ccb1e6e5a7110e3a

  • SHA1

    31eecee2955933a0f971817af1d081c515f355ea

  • SHA256

    fcba9bf7e20a98a9dd051c4768d49bc921b1822809a8e894b9f62607849a2b29

  • SHA512

    132c5c425e25c1c51943be415c7d2189adf5b6d2d3cb46aca76791e5dabff3bcc8ff1a93498c032a3e226e3817d4fcb041069b2a0ffe9ddf9a9b4f6f2cedf12c

  • SSDEEP

    6144:BsmpyGKnvYkgaVgJmOZk9ojAXiKTqALlI:BsTnvKmOZUojoJI

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18ed05e5acdaac76ccb1e6e5a7110e3a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18ed05e5acdaac76ccb1e6e5a7110e3a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\Sys\HJB.exe
      "C:\Windows\Sys\HJB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2780
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9.jpg

    Filesize

    22KB

    MD5

    e11a78af6437f456954904a134de9737

    SHA1

    c74a70bb82b32731c09c5cbc7df5d6ab74ac4dac

    SHA256

    c100382f2e3277a68ad79547740f5c62135f72c9b361ff2e28a0f86feccebe8c

    SHA512

    660d68a83de83acb22749465ea28b6216bcfe05309e4f232b551e35311828bb546f08028c022eeaddc7282ca8a31501cfe924948c54b19c510fa6d3886e70663

  • C:\Windows\Sys\HJB.001

    Filesize

    2KB

    MD5

    338aca73c2f542d59a15457b663d5628

    SHA1

    bb17b72a3521155513d8ef642664cc367cca6160

    SHA256

    239c91cc9438b6daff3d8f3817ce4acdfd7133367da43fd0ff796092dcb76603

    SHA512

    2456f954814aa3c1760e5e0778bc8a0140b0c6429e946ef61defb3d1b894a0268a8568012bccd6178a88adefcb4dc3939e2101194a799be0ba1c4acbc33fc4e6

  • C:\Windows\Sys\HJB.006

    Filesize

    5KB

    MD5

    da15b042859c40bf9c1b3b1c69cfa9fa

    SHA1

    aaef340d372124ebf06939a7294ed731722b42a4

    SHA256

    65d45fbe1df04445e22791955695fbe6a88f5bc8cf2c49fb02aeaf71b287a53b

    SHA512

    97ef80532a425192b2985f9740acf98ae8d8f87c71fc0207d2aa91e9a0a0d8567a028de647976709a2606600a2ac1293ba5aafb1853103defa4e2eb61b248f73

  • C:\Windows\Sys\HJB.007

    Filesize

    4KB

    MD5

    23102ea19f993634a2be0323d3bccc96

    SHA1

    d2ad81ce0ac3c68d12b1de7e9a3c0be71880ba35

    SHA256

    5c817691e5b2f42445d925c3cfe789af6348694673d86160c340ac4daf6ea4d9

    SHA512

    68e6d5f5de297257fc91c43e015be9bb5dba8d1ff995797008b0610e8169a2d43a2c8f44aa97b7257427275dfc8cea1b4906d626dea262ce1f43a920a1807e0c

  • \Users\Admin\AppData\Local\Temp\@C31.tmp

    Filesize

    4KB

    MD5

    81e1a78e928b9cec43099488f565dfa8

    SHA1

    dddd7219b67e7ee6bd44ea5581e941e1d9d58f8e

    SHA256

    23b8a7ca336d17843a34a90b9f1991fadb2f69cc82e705f7b860e55e36b9b949

    SHA512

    2d738d349bd14bd160f4361b506b3b1f84a1b939ee6d95f8da3ead240f4ed63684e66491fd8cc6c633305d07bc02bfa491e50d8c49609ff053cf8295cd641568

  • \Windows\Sys\HJB.exe

    Filesize

    297KB

    MD5

    0c28402a6dd2e98530dc7b642b47101b

    SHA1

    cd294e50cbe42596f9ce2b3de5cd82c566a3cf34

    SHA256

    72b0044dad7d489ebfc47b98805a8e40016e62f0d9558601e0a21bfa61ad0747

    SHA512

    330ebecc0bedea9fbdfe6e18fcb98e3ed9611c311d1b6aa0cb8722cf2e7d2352a911abc9faa9fcbb5e70a753b2fc2e3a07a87997393853e146131d011fb1ee6b

  • memory/1976-24-0x0000000002CD0000-0x0000000002CD2000-memory.dmp

    Filesize

    8KB

  • memory/2716-25-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

  • memory/2780-21-0x0000000000450000-0x0000000000451000-memory.dmp

    Filesize

    4KB

  • memory/2780-29-0x0000000000450000-0x0000000000451000-memory.dmp

    Filesize

    4KB