Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14-10-2024 18:29

General

  • Target

    4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe

  • Size

    553KB

  • MD5

    4399d5c5913aef60bc2245669f36b7b1

  • SHA1

    edc091624e7928d45b9a5f6a1d75576e02e686dd

  • SHA256

    19db7102c31302f10d02116d3656183b02604b821cbd18efa456c9191d11f190

  • SHA512

    1c71288cead4d78ea735dc3fade8cbcfe7fea08106fe16bf350f1b5edccdbe72c8911ae8b83b295655a10cc1a8f186f3f063347d62178c20881148d7fa71a322

  • SSDEEP

    12288:phaCEJNB7Yn82wZIASOK50GcL1CSZcBuOzdsudtax/wqmhdcydK1F5:pwCINBMHwZIHOGM1ChhNfaxb0pKR

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt8453.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Users\Admin\AppData\Local\Temp\setup.exe.exe
        setup.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Users\Admin\AppData\Local\Temp\6664545.exe
          "C:\Users\Admin\AppData\Local\Temp\6664545.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1128
          • C:\Windows\SysWOW64\NIH.exe
            "C:\Windows\system32\NIH.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2632
          • C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe
            "C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3124
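
The tree above is the kind of chain that is easy to alert on from endpoint telemetry once it is reconstructed: the sample writes a batch file to %TEMP%, runs it through cmd.exe, the batch launches a binary with a doubled extension (setup.exe.exe), which drops a further stage that writes NIH.exe together with NIH.001/.006/.007 into SysWOW64 and executes it. The following detector is an added example, not part of the sandbox report; it runs over constructed process-create and file-create records (the fields Sysmon event IDs 1 and 11 provide). PIDs, image paths and command lines are taken from this report; the parent PID 1000 for the root process and which process wrote each dropped file are assumptions, except that the report does attribute the System32 drops to PID 1128.

```python
"""Reconstruct a process tree from process-create / file-create telemetry and
flag the dropper behaviours seen in this report."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW = r"C:\Windows\SysWOW64"

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
DOUBLE_EXT = re.compile(r"\.(exe|scr|com|bat)\.exe$", re.I)
BATCH_STAGE = re.compile(r"/c\s+.*\\Temp\\.*\.bat", re.I)


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def drop(pid, target):
    return {"type": "file", "pid": pid, "target": target}


# Constructed telemetry modelled on the report's process tree and dropped-file
# list. Root parent PID 1000 and the dropper of each file are assumptions,
# except the NIH.* writes, which the report attributes to PID 1128.
EVENTS = [
    proc(3664, 1000, TEMP + r"\4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe",
         '"' + TEMP + r'\4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe"'),
    drop(3664, TEMP + r"\bt8453.bat"),
    drop(3664, TEMP + r"\setup.exe.exe"),
    proc(3208, 3664, SYSWOW + r"\cmd.exe", r"cmd.exe /c " + TEMP + r"\bt8453.bat"),
    proc(2012, 3208, TEMP + r"\setup.exe.exe", "setup.exe"),
    drop(2012, TEMP + r"\6664545.exe"),
    proc(1128, 2012, TEMP + r"\6664545.exe", '"' + TEMP + r'\6664545.exe"'),
    drop(1128, SYSWOW + r"\NIH.exe"),
    drop(1128, SYSWOW + r"\NIH.001"),
    drop(1128, SYSWOW + r"\NIH.006"),
    drop(1128, SYSWOW + r"\NIH.007"),
    drop(1128, TEMP + r"\aimb0Yd.exe"),
    # command line says system32, image is SysWOW64: WoW64 file-system redirection
    proc(2632, 1128, SYSWOW + r"\NIH.exe", '"C:\\Windows\\system32\\NIH.exe"'),
    proc(3124, 1128, TEMP + r"\aimb0Yd.exe", '"' + TEMP + r'\aimb0Yd.exe"'),
]


def index(events):
    """Split telemetry into a pid -> process map and a pid -> written-files map."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    drops = defaultdict(list)
    for e in events:
        if e["type"] == "file":
            drops[e["pid"]].append(e["target"])
    return procs, drops


def ancestry(procs, pid):
    """Image path of pid and of each ancestor until the parent is unknown."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return sorted (pid, rule) pairs for the behaviours worth alerting on."""
    procs, drops = index(events)
    dropped = {t.lower() for targets in drops.values() for t in targets}
    findings = set()
    for pid, p in procs.items():
        img = p["image"]
        parent = procs.get(p["ppid"])
        # cmd.exe /c <Temp>\*.bat spawned by a parent that itself runs from %TEMP%
        if (img.lower().endswith("\\cmd.exe") and BATCH_STAGE.search(p["cmdline"])
                and parent and TEMP_DIR.search(parent["image"])):
            findings.add((pid, "temp_batch_stage"))
        # doubled extension such as setup.exe.exe
        if DOUBLE_EXT.search(img):
            findings.add((pid, "double_extension"))
        # the image was written earlier by a process in this telemetry
        if img.lower() in dropped:
            findings.add((pid, "executes_dropped"))
        # an .exe plus numbered sidecars written into System32/SysWOW64,
        # the layout NIH.exe/.001/.006/.007 has in this report
        by_stem = defaultdict(set)
        for target in drops[pid]:
            if SYSTEM_DIR.match(target):
                stem, _, ext = target.rpartition(".")
                by_stem[stem.lower()].add(ext.lower())
        if any("exe" in exts and any(e.isdigit() for e in exts) for exts in by_stem.values()):
            findings.add((pid, "system_dir_sidecar_drop"))
    return sorted(findings)


if __name__ == "__main__":
    procs, _ = index(EVENTS)
    for pid, rule in detect(EVENTS):
        lineage = " <- ".join(p.rsplit("\\", 1)[-1] for p in ancestry(procs, pid))
        print(f"{pid:>5}  {rule:<24}  {lineage}")
```

On the constructed input the detector reports one temp_batch_stage hit (PID 3208), one double_extension hit (PID 2012), one system_dir_sidecar_drop hit (PID 1128) and four executes_dropped hits, the same count the sandbox attaches to its "Executes dropped EXE" signature. Printing the lineage with each finding is what makes the alert actionable: NIH.exe running from SysWOW64 looks benign in isolation but five levels up it is a user-writable executable in %TEMP%.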

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6664545.exe

    Filesize

    378KB

    MD5

    0dc17f724007acda1ca2f36d1be745d5

    SHA1

    312b8319e2c2e1040447136865d26d68d9c3d8b2

    SHA256

    cff7d83527fc620cf1424d28b5670719a8fe2687cade5e14e9a05434407f0840

    SHA512

    896c18db0807ca4daf70d7299dbcdbf14b184295593c921d879fa5f281115f09fb16fe16a380348b86587fc7545e8b4b1a67e15063a9b263c463bfa6301326bf

  • C:\Users\Admin\AppData\Local\Temp\@98B6.tmp

    Filesize

    4KB

    MD5

    3e52aef4a9e1bbf25dc611e0f5c45934

    SHA1

    91862bee5ac57eb719cf9bc14c69f9ef5affcbbf

    SHA256

    1b881b4299a8555f785088bd0e1b6969e76dc470f1f67429678a678c5f8b349d

    SHA512

    e4bc9fab4d1c555a896936927ff5866634885401a41f2eade5a976311dad3cdc40c0c7229c61925a8b32ae7b69c4c99537dc10baf292375a82a885a7a908a807

  • C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe

    Filesize

    213KB

    MD5

    876a61a3cd4c2fd90eb4d78a3f6c3eb8

    SHA1

    23b6f19f7d50f9025e7e870ab71e0e98090a0870

    SHA256

    0eb717a3ade04361acf91d7298fa545071983f428eb8ef3a012cb89f63045a5f

    SHA512

    f6807249ee72d0b5048ef53ea9881708230ed178a26750a2ad0ad58928b4770c4cc0c4285dd3c1bcc4cdd0a889edcbee8658d9ffa65f831494ea77427fd79ae8

  • C:\Users\Admin\AppData\Local\Temp\bt8453.bat

    Filesize

    54B

    MD5

    fdff9afa334dff40aee26e75f5dec8a1

    SHA1

    228e95eeecab9dce4402b24e18a256813c250dbc

    SHA256

    8a7a48c2cb589b60e920926b6ae0383d13677715b73686834d55b518b1a2849c

    SHA512

    12df0fe63837818ec5163e08439369efe6ca25bec7113be11430732d208000a8f40cda79a63be3f6605768895e70b29d4511a9936d1d501d4d27253dff45e0c6

  • C:\Users\Admin\AppData\Local\Temp\setup.exe.exe

    Filesize

    429KB

    MD5

    26e73604896ab321d6c8f3439f7c06d6

    SHA1

    c07b53562f470149ee90f114933aafb9c05c4122

    SHA256

    7756976b7f34c5a43308f4716e4414e5bd301cc20d04156a73a45f01d56ad8ae

    SHA512

    ebee06050208e4431fe97bd46c4a1e91cf516d18f23c2110cc534a223bdd01f5617bf0d368927617c9f44c952b4fe34d83bca33b679f08ebabbae2411e94cfaa

  • C:\Windows\SysWOW64\NIH.001

    Filesize

    2KB

    MD5

    abe1ed4b26798069d1c28f8f1b8d8b7d

    SHA1

    83c2f8de213866740dc6ed6a11a27e3c50a8d5bc

    SHA256

    f395e35395efb1a3be72850f27f8d701a6dba118987f9779bf0a6df77f2e3924

    SHA512

    de63ce8a7f5fe03815fd6313860eaf03c0240505282ae452ab0ae61422950f1f8f89c0ab0552e15b2d04fd3e81026f1675c13c08949e1aac32dc07f8706a4b06

  • C:\Windows\SysWOW64\NIH.006

    Filesize

    5KB

    MD5

    e98ae645054f00269eaad44b95c4e37c

    SHA1

    59bcfb291cb15f521e6e5982c12913052b5755b1

    SHA256

    028e4ef0ed6a7d9792ad2694c56b41ba247e72ef690089142c47bb6e1a693221

    SHA512

    ae4b1316c9785623944a0bc1884648f1382f3f8fb494927e7c872a72b0786fb5a1d090ebc2d5e468b91c8eef7663b43f73be4a1f65f7d8dd9bdaa6dfc694a35e

  • C:\Windows\SysWOW64\NIH.007

    Filesize

    4KB

    MD5

    ea32497496dd6b80be1c47fe5fac1fcf

    SHA1

    2bf9bee8e0f83b6785188a91047695ebcdf342da

    SHA256

    370a94fec91220668a370c2dcd0d2ac10c3f0a1d1befc7fee50db6f5e0b99676

    SHA512

    353d11071b695fe23080bc6d5cb5dc557b59b152b42921daec6f4124f9e8bb58555ac30c5ec96dae31871ff3d2416e91690b5f862d4feb5e7b038a996c8a1ff3

  • C:\Windows\SysWOW64\NIH.exe

    Filesize

    295KB

    MD5

    decf3769c920a9b642f56e24933cdf81

    SHA1

    930ddaf6b310fa2b3569580ff671e91d80b8b11b

    SHA256

    46a451f14816a0dc46d392158d1507f5806fe76e9fc9f0080d00d0b3dd26183b

    SHA512

    2807345e5ae0438c0bd41c3d0b6b09e3d1c04d0397e5e990d614125a14b6100de3c3f5bebab168f5654d6823eef5dbfd5a878aa0de64eec13bb546c8c32b8cb2

  • memory/3124-51-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/3124-63-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/3664-10-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB