Overview

overview

10

Static

static

3

39d64dc22f...18.exe

windows7-x64

10

39d64dc22f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39d64dc22fe4e4c221f0cdb5efabc767_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    39d64dc22fe4e4c221f0cdb5efabc767

  • SHA1

    2fc5e956b3d6cdb9b17f40b3edd547ffcc17859d

  • SHA256

    1de545d46ee31e37d2fb6686a1ce9896cc7d46d1b29484ac771c64cb80ee3c63

  • SHA512

    a350aea72f5634dcefd94832b0dd0dc9ba5eae3c17263472cf402f62a41db924934da92dd31e6b52f454a661e7d738f2f67646ed02a99f59fbed814da41e62e8

  • SSDEEP

    24576:tbPTVJrfUUwlkHiuh55B1hE/yW9OQZ5R79cR+/A8UJurlCziR0DwkwDdph:t7TVJr86Cut+/yWlJ7f4Upk+dp

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39d64dc22fe4e4c221f0cdb5efabc767_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\39d64dc22fe4e4c221f0cdb5efabc767_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\RCBYOB\PKL.exe
      "C:\Windows\system32\RCBYOB\PKL.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\Perx.exe
      "C:\Users\Admin\AppData\Local\Temp\Perx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\RCBYOB\AKV.exe
    Filesize

    448KB

    MD5

    c49125a39e0ae69b1cc77040ba8a9441

    SHA1

    92941e9559d9b1a0a944595377b6c5d44b53a6a4

    SHA256

    f7e3d70532b7a0b04bde2fc3a9439b8a95ba7b89eff5f214ef53041a58c97524

    SHA512

    f61f42e500ebdd0559c420f05849265964e58aba7bb2be1095d41dddc1393ccf2191de0ed61d5fefd3957c4890c61fced1497481b76f158a12f7d95e626224c6

    Download Submit

  • C:\Windows\SysWOW64\RCBYOB\PKL.001
    Filesize

    61KB

    MD5

    29136121b1c0307a02a8826477995613

    SHA1

    4dffe908036a21be56a9caa739ec1bf1cf9bd0ca

    SHA256

    f9dd403e696d2128cafe9a4bab54a28161745934df6d3479a066083a61515402

    SHA512

    2c7077ff82e948b9a9b6b16214dfdd11e222f07fb0a75aec59a9dafc29906907f24e0c625cefd5032321cc7883c00fd0abc7801f185983190f353b6dff2774c7

    Download Submit

  • C:\Windows\SysWOW64\RCBYOB\PKL.002
    Filesize

    43KB

    MD5

    d977f26d7f7ffcb0f002813b55ff032d

    SHA1

    7e17b642dc1286908c18caba6fedb890de8fcc86

    SHA256

    2ce6c66843f0d0f156ae523f25d2cf4c9886fcae7b4f69deefbde4bc5328bf29

    SHA512

    e291f6acf5df88c52eb9232d55eb43fc08cbd423b7ae46148f710de909db49c04fc1d64e05b8e307ddd880134c525188109b94182ca99ea5934b66b9316e9e25

    Download Submit

  • C:\Windows\SysWOW64\RCBYOB\PKL.004
    Filesize

    624B

    MD5

    568a7c764cc278e8dc80800bc1dba916

    SHA1

    4ee3e4a18cec40defee2d30c5f836d2e093ce46b

    SHA256

    ff07e47058de1728a69c4b03612b5a3378e3fe63bb677ec1c9b44339fd0fec13

    SHA512

    9489ef10d5e1989d5f97605c49ac89380b37c66733b7e6503cf376e7c38d6685a0bff7a46540a0fbbd87422801672a5b58228004c4236c71633973ea9ebd85d3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Perx.exe
    Filesize

    262KB

    MD5

    e974a7ed7fa0c096aa1f59ae6d8cce72

    SHA1

    24b215e712fa745ac94d033ee7c5a556a5df0dab

    SHA256

    d042a6add7b1547e5165d0c0c0f0eb21ee778b44c27e0a2bbce9f02b79156c0b

    SHA512

    156cfa7b252d8737a4d3fdc3f8095353051d7f15e1293d6c1213de36ea44d526fd94e75765b3a1f75ed83f9b02dd4329b9eab466e9188fea107e622d0c1d6ba4

    Download Submit

  • \Windows\SysWOW64\RCBYOB\PKL.exe
    Filesize

    1.4MB

    MD5

    27a49221ba75a90934342bbe70f6c954

    SHA1

    751e322d6f7e46c132f0f97c56d60344248f1959

    SHA256

    946611f5091452aa46310d3ba8a885e808617b8ae9c57a468f7fe3abda4b052d

    SHA512

    9476f49d2e3c10f3e5cd91313e03405f944bc9887fd65e6c2236caab3a42e2c9a5392d7c34f6c5787a7dc8c3cfd43a3a90a6e052176aa60a43da0327d7ff78d6

    Download Submit

  • memory/2108-30-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2108-32-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2108-34-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2372-27-0x0000000000A00000-0x0000000000AB5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2372-26-0x0000000000A00000-0x0000000000AB5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2800-16-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-31-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download