Analysis
-
max time kernel
134s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-10-2024 18:54
General
-
Target
19471f98e68f19bce203dfc964eaaadb_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
19471f98e68f19bce203dfc964eaaadb
-
SHA1
c2f4eeb37a05f4e43b6ea825df5afb96bb0dbf5b
-
SHA256
73a92df3abe0565f65eb72f7d82999007741bb1eff7ca081dd6e784b346bb976
-
SHA512
d96396ccfd4002d46106b769883f7dba4a1a3a09a6c489b1ee703c73137817bfd5c1361e1a1afdc55de99b42f4727f4b9568f2da0af899da5a3c8959730dad3c
-
SSDEEP
24576:euIIABU/pT/luS5EEdbb40C82oX3PWcy/4PMn7S+06/FDJU5ve:euINuRT/ltHZbV2oWcy/97SH2DQe
Malware Config
Signatures
-
Ardamax
A keylogger first seen in 2013.
-
Ardamax main executable 1 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\19471f98e68f19bce203dfc964eaaadb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\19471f98e68f19bce203dfc964eaaadb_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\iexpIore.exe"C:\Windows\system32\iexpIore.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\CTOGAA\HSA.exe"C:\Windows\system32\CTOGAA\HSA.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\event 30-04.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
154KB
MD50401d564ef74d730cffbaaca249dce70
SHA14287c7f00ef70b4acd8d05f808cdadc8786fbf21
SHA256b71f365fef94334e7893288c3a5fbc3bf2510eb6f549d62679f370fccafcd55b
SHA5121e0613829bc121d18917d7f261f3d0b9b465149c27a4d7432087b5af2ee7eb63ebb2ce2079f41542d58ff50c7f9aebef0a524a9f1bbc53dcde49497df705febf
-
Filesize
2KB
MD520945a697499f0c3b186ea8a2e870c86
SHA1274a0e1005bfda021c8be4a9137d20251d8a4590
SHA256c1333798720a623e39050a451c935c77bb369dc35e090c0e78a7c3dc46832175
SHA512dd080307e20fa278c070f0d283c9ee17440527aa307f503c4fe7c58f4b631498ef7697d2be0d828f9cddb31ed8e63d5d5c3eddbaded176f7cd786adf8e23c08b
-
Filesize
61KB
MD54eb04b9187bbf3e3c33bf95e74eb6262
SHA1ca5dcaea5ef4ba48c0bb06635c0b5abed4f0f342
SHA256cf84d5704b350beaf1f2b46dc44bd372141d7554a8958ce22c0a84a3f21f2fe7
SHA512aeaa608cd4f66ba817a7e8698d17f9801c9cedf99875decff39bc18cebdec3947f02566bdf21d9096e5a6a6b740717ab06d46a2a9605bf8e8fa0fee12fe17e81
-
Filesize
43KB
MD51aed6fee0870288cdb607393fc2f33a1
SHA1584fd8d5ffbced19dd09b8b71cee9026c0ac65c6
SHA25602c4eef7045896258d00077e123719aa256c606f4e38c417965ba5f64d48e180
SHA51215e5b7843b07bcb4a638057b05712c66b285d70ace24ab3a4c125d24d538ace20cfac179accefa417d7790f7a095327affd3cd73d9eacaa632356f95a9fde3b8
-
Filesize
1KB
MD5779ff99404e8b8d81c658a4e22e677c2
SHA133482d87aff5e13f8d03994cc7b75111fdc4ef48
SHA2565b9e83a776ae17d5c5feeb695aa7d73e9cf50ef44edb7803e2ef0caf7303366d
SHA5122f1526f051d8094610af780cfd93b1b9868bc7bc7a7e68f0ee73131c9e656cdab5d30bea0329277a59e5a51cdd6314591ea28508fbad9e6ff4b6de64e1861df0
-
Filesize
1.5MB
MD5865b02aa4fb68ac150953986e6f63f1c
SHA1214190642d67f02c349e68f3f3c6ef0e9c2212d7
SHA256fac58547e80a1b9598261b6d2aa5175653831e507c57b6860bc5d04d2e754dff
SHA512473dc55a8a8f11d8445cef9cd8cabf8a9b227a6e47994ecfe9c86d41062641668d858e61b7ade1ad2801c5daa13d0630159b7ad241379e111c83564030c0a40e
-
Filesize
900KB
MD51fa7d6fb2e718e5e86ae5779270652da
SHA1d04d45dec75b82464959221ef7fa090e06983b84
SHA2569078e7e373e46910c806e2783504e3bf423dc3b71252e72c16487388ff804342
SHA512ca4ca291ebf63f3dd1a73f8c2d3b6144ef056a3d8a4489d3d56151828912f51db306273b04ceccedcb21a51a286980199b98da83c2c88944d26f930de57ed545
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
176KB