Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 04:31

General

  • Target
    2add35a7d7aacf40f18eed6686986236_JaffaCakes118.exe
  • Size
    537KB
  • MD5
    2add35a7d7aacf40f18eed6686986236
  • SHA1
    6c2756c45c67bb453a699910d5328d114b2036f0
  • SHA256
    ce3a14b420e511b4fb745c2e0d30dfbc2e7425f89ad9ec9e6955eb8f424a44fa
  • SHA512
    a0c169d0503037193b534d05cbb2e1b7f9a143976b7893ac6d35cdf1d123952304e1b085c1ab725102fae787c81559ea6ef32c78d1aa793768c48be712d54941
  • SSDEEP
    12288:IIMZIrjSacyH/xFgtlyDvjg2aTuVmI7mSB7hFq:XSacyfrMyDLgBuR7Jjq

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2add35a7d7aacf40f18eed6686986236_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2add35a7d7aacf40f18eed6686986236_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\SysWOW64\28463\HUAV.exe
      "C:\Windows\system32\28463\HUAV.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:5028

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\@F05B.tmp
    Filesize: 4KB
    MD5: 19cf467919727d52844f6526ef495371
    SHA1: 107b53f43c923db816c3743896cad71b3795ad5c
    SHA256: e75ac29f8ac2c921ad6bebc70e53eb462ba2860aca514d9a3ef09ac49007b5b9
    SHA512: 2cd6093b1b78670f1e6ff074de818acaceffcbf94a32d6875c1e42fa980570cf9f3f3d7de53800111503bf7a505fd7b238170095158c5c7bc631781e02ce2095

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize: 458KB
    MD5: b32fec1ef63f9c2c4c2eacdf439163ed
    SHA1: 541f11ef53115aeb1ee214beb505a7254824de87
    SHA256: 15e4d7edda2c9e41794d7cdf43c735604fbe4c4e7135a9b5efd58f9825d2e078
    SHA512: 0af6fb805634944ead3618617887581d313d4817e26a9990271bfd6f615387ceb31ffa0c4145ce9b59cb3bfe6fdb3b8224f2230e552581734d26e15a79a63a18

  • C:\Windows\SysWOW64\28463\HUAV.001
    Filesize: 498B
    MD5: b43fdb51d8b4cc0de41eefb1f8922c24
    SHA1: b53f06d5a6a1c9c66d8102799c88351916243e35
    SHA256: 2658cd28ad1e9e0b9011bea2d72daa74d0d8a984f906123677121bdc35d0b2b1
    SHA512: 9bdc4c2578058c5226020f47d722d92f9bb34cb1bd5181d305e3b06c361b68a502ccead8a32110c10192a0000dfca68a81c43365363d812788ee88866ef601e5

  • C:\Windows\SysWOW64\28463\HUAV.006
    Filesize: 8KB
    MD5: 9a45af5044d301aacf2928ea47cb3b6a
    SHA1: 35bfa3bd42dfd0a1cf97a56d992a3ca47577bc9d
    SHA256: 71b69ce0cfaa58eb4c9742111b2dfd8fe0f5e1a4b6c38e26121a43eaf18f222b
    SHA512: 52b7ec0f6e9595be59ea3866c71cb5b2f92fb18924bf6860776bc4e8512944bd11e663908c76796f7c18ad7f074bae11c58205b4c8fde750de7a6e88f850a9a5

  • C:\Windows\SysWOW64\28463\HUAV.007
    Filesize: 5KB
    MD5: 9d4055a18afc0de43f275f196748ec9f
    SHA1: b4078c0569d80c0020f658b727b877ebb0d38838
    SHA256: bb45a2069543808f0bb8ee15d46efb4476e7ec906b6999acc46f2e0453d25ff4
    SHA512: 229d3e6481e0c1ea9e04c92c177c84380608fceb74f969b56c3d4e8ba2e3525103cdeb46ad1b6d9fd8dbeb4795ca503aefb9327f44af1b8e66a19723d85e621b

  • C:\Windows\SysWOW64\28463\HUAV.exe
    Filesize: 567KB
    MD5: 568f7447183c41c3c9263924e52a4822
    SHA1: e9e4b24af15d174cd9e3af989d3b3deca98725ee
    SHA256: 5ebddc2b4757c9650a51531203ea4ca28b6a145cade7cc4905c6bc23ae62e88f
    SHA512: a3d155d5e92771652603a228e140b6aef029d3f99dd6d0da2a05c0d4dd42026dfbb6069f97e904bd6516d1a7752666ded8796f63dcb255451ccbc9a3d17d882d

  • memory/5028-23-0x0000000000580000-0x0000000000581000-memory.dmp
    Filesize: 4KB