Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2024 01:24

General

  • Target

    4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe

  • Size

    1005KB

  • MD5

    4ad09d2e3b24851316cdf96f4221cf26

  • SHA1

    e400de946cb81953bddf439ea95fd0e535209eea

  • SHA256

    e2d86bbf7ad8127397c094465b1031249f91ee121be99c2cbfe45ed039b2cc92

  • SHA512

    5a48e2be5956b6d0e1893f2c656b01bc6080316bfb1545e6208d2eedea7d2af3b72a97648c388552ec3f8cddf8dd119ff284c935c4dc1e2f82d901742defa728

  • SSDEEP

    24576:bWwTucz5PcaTPJMb12YsEUFtFpfhd5TBTV:SwTuWHxMIY+FDpJxR

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\SysWOW64\9283\UMUF.exe
      "C:\Windows\system32\9283\UMUF.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 336
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2684
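The process tree and the dropped-file list show the usual Ardamax drop layout: a numeric subdirectory under SysWOW64 (here 9283) holding an executable plus .001/.006/.007 companion files, launched by a parent that ran from the user's Temp directory, with WerFault.exe handling the parent's crash. The Python below is an added detection example, not sandbox output and not Ardamax or Tria.ge code: it runs that heuristic over constructed file-write and process-create events built from the paths above (the parent PID 1000 of the Temp-resident dropper is an assumption; the report does not show it) and generalizes to any numeric directory under System32 or SysWOW64.

```python
import re

# Constructed sample events. Paths come from the report; the benign
# user32.dll.mui write and the ppid 1000 of the dropper are made up.
SAMPLE_FILE_WRITES = [
    r"C:\Windows\SysWOW64\9283\AKV.exe",
    r"C:\Windows\SysWOW64\9283\UMUF.001",
    r"C:\Windows\SysWOW64\9283\UMUF.006",
    r"C:\Windows\SysWOW64\9283\UMUF.007",
    r"C:\Windows\SysWOW64\9283\UMUF.exe",
    r"C:\Users\Admin\AppData\Local\Temp\@FFB3.tmp",
    r"C:\Windows\SysWOW64\en-US\user32.dll.mui",  # benign-looking noise (constructed)
]

SAMPLE_PROCESSES = [
    {"pid": 2796, "ppid": 1000,  # ppid assumed, not in the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe"},
    {"pid": 2656, "ppid": 2796, "image": r"C:\Windows\SysWOW64\9283\UMUF.exe"},
    {"pid": 2684, "ppid": 2796, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
]

# <drive>:\Windows\System32|SysWOW64\<digits>\<file>
SYSDIR_RE = re.compile(
    r"^(?:[a-z]:\\windows\\(?:system32|syswow64))\\(\d+)\\([^\\]+)$", re.I)
# Ardamax-style numbered companions: UMUF.001, UMUF.006, ...
COMPANION_RE = re.compile(r"\.\d{3}$")
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def ardamax_drop_clusters(paths, min_companions=1):
    """Group writes by numeric subdirectory of System32/SysWOW64 and keep
    clusters with at least one .exe and `min_companions` .NNN files."""
    clusters = {}
    for p in paths:
        m = SYSDIR_RE.match(p)
        if not m:
            continue
        name = m.group(2)
        key = p[: -len(name) - 1].lower()  # directory part, case-folded
        entry = clusters.setdefault(key, {"exe": [], "companions": []})
        if name.lower().endswith(".exe"):
            entry["exe"].append(name)
        elif COMPANION_RE.search(name):
            entry["companions"].append(name)
    return {d: e for d, e in clusters.items()
            if e["exe"] and len(e["companions"]) >= min_companions}


def exec_from_numeric_sysdir(procs):
    """Return (pid, image, parent_in_user_temp) for every process whose image
    lives in a numeric System32/SysWOW64 subdirectory."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if not SYSDIR_RE.match(p["image"]):
            continue
        parent = by_pid.get(p["ppid"])
        parent_img = parent["image"] if parent else ""
        hits.append((p["pid"], p["image"], bool(USER_WRITABLE_RE.match(parent_img))))
    return hits


if __name__ == "__main__":
    print(ardamax_drop_clusters(SAMPLE_FILE_WRITES))
    print(exec_from_numeric_sysdir(SAMPLE_PROCESSES))
```

Fed with real Sysmon event 11 (FileCreate) and event 1 (ProcessCreate) records, the two functions flag the 9283 cluster and UMUF.exe's launch from the Temp-resident dropper; legitimate Windows subdirectories such as en-US or drivers never have purely numeric names, so the false-positive surface is small.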

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\9283\AKV.exe

    Filesize

    486KB

    MD5

    2e451cf07d5556a2e5dec56484973795

    SHA1

    d4738db3a6f907de6971708d10682cfe227a701f

    SHA256

    7080859f952de87a0db34f7138fcd097c461d8d0b3757fa2a816553fd92533c0

    SHA512

    0a4a25b4712afe80d07530da18ea07bdcd4fe3e2a9e9feb844c36946b96840f3e91198243c4b6223d4968280f7c17635cdf8bbfa483a3c76c03f17e2714c87fa

  • C:\Windows\SysWOW64\9283\UMUF.001

    Filesize

    774B

    MD5

    a2c9176f696ef39f3dc035fee0322789

    SHA1

    a2e0c6bce19e1f2fec4861087f542bfc0cce093e

    SHA256

    3c37fc367ac61dbc3e3731dcd7a61966987494c9501729d65b8ecc0229861706

    SHA512

    14c987a41c448c537046a9485c56e39cbd4e4210a64331c5c6f65c98dce6dbc710fae9b32394bae15fbd11bb268f45e2df111648b9cc045b6d82c8b3e9e7713f

  • C:\Windows\SysWOW64\9283\UMUF.006

    Filesize

    60KB

    MD5

    8ca14e67822ef959b3934e6bc4caf5c4

    SHA1

    318d1a7b296bf7a9719160f55800fd4ed55fc458

    SHA256

    16ecec3e8e8fa9d72421e0823adc9811ecadee7ecd946bc14a24dffdd901e952

    SHA512

    5b26c6180d07b5c4b01d6207fe680f9443eda26a2a678d44a0c6f792549549b85adec1c09ab777f68bcd425d8e6b76b7f74bc25398eeae7ea4f3d652c2db95dd

  • C:\Windows\SysWOW64\9283\UMUF.007

    Filesize

    42KB

    MD5

    2cafc86224d99e34614a97f55f0a051a

    SHA1

    660e25698426da6d4e9040d6a445915af0a88622

    SHA256

    a533cd921eb312f7b77415bcb17e174a79b03771b65ce883d0be109418a9d378

    SHA512

    e235665aef221e93cb2c4fbb853c76d8d0105c03f52d8f514e583058cfb849192ea0b30cf149e4ae665f820f181abf670f271298dac01e04b4b64fe88f5ac1a5

  • C:\Windows\SysWOW64\9283\UMUF.exe

    Filesize

    1.2MB

    MD5

    c0e301bac810e4787b54a6fb3107fe6f

    SHA1

    146fc627271c7afa69fb14cd56f3ac53e0b06b54

    SHA256

    bd8bf5088c5e512e76a8be647925a434adc96d9add3afe3328a4df70b94cc2d0

    SHA512

    39c83705df36e43f2276070e1aae20da460919ab599b585e12af1ef6a8bd19cdd13fca18087665fe03016dcbc4aebd24ce03b439daa8b4ddfdfabd83786eb68d

  • \Users\Admin\AppData\Local\Temp\@FFB3.tmp

    Filesize

    41KB

    MD5

    c103dd8cfc71e50400bb22e01cc90e74

    SHA1

    8e80d54d9927f351e557b99432af89dd4c5843ab

    SHA256

    647416d984740785203c48faea961dac06d5d465789a4764a68a3b7161ef0c99

    SHA512

    ea8f46086a542423cbbf90d9321e2bf2fa593e0aa7c3c40ca3fac22555caf7dca8d4ab30065860ad827d660e812f4b39cbe1dc05dadd1b71a56620170183444c

  • memory/2656-20-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2656-23-0x0000000000550000-0x000000000055E000-memory.dmp

    Filesize

    56KB

  • memory/2656-26-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB
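The SHA256 values above are the most useful artefacts for a host sweep, since the dropper and its companions land under SysWOW64\9283 with fixed content. The Python below is an added example, not part of the report: it embeds the report's SHA256 set, hashes every regular file under a root directory in chunks, and reports matches. Its self-check builds a constructed temporary directory (a stand-in file with made-up content and a benign text file), so the sweep against the real IoC set is expected to come back empty; the directory name 9283 and file name UMUF.exe are reused from the report only as labels.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values copied from the report's dropped-file list and target entry.
ARDAMAX_SHA256 = {
    "7080859f952de87a0db34f7138fcd097c461d8d0b3757fa2a816553fd92533c0": r"9283\AKV.exe",
    "3c37fc367ac61dbc3e3731dcd7a61966987494c9501729d65b8ecc0229861706": r"9283\UMUF.001",
    "16ecec3e8e8fa9d72421e0823adc9811ecadee7ecd946bc14a24dffdd901e952": r"9283\UMUF.006",
    "a533cd921eb312f7b77415bcb17e174a79b03771b65ce883d0be109418a9d378": r"9283\UMUF.007",
    "bd8bf5088c5e512e76a8be647925a434adc96d9add3afe3328a4df70b94cc2d0": r"9283\UMUF.exe",
    "647416d984740785203c48faea961dac06d5d465789a4764a68a3b7161ef0c99": "@FFB3.tmp",
    "e2d86bbf7ad8127397c094465b1031249f91ee121be99c2cbfe45ed039b2cc92":
        "4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe",
}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs, max_size=16 << 20):
    """Walk `root` and return [(path, sha256, label)] for every regular file
    (symlinks skipped, size capped) whose digest is in `iocs`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file() or p.stat().st_size > max_size:
                    continue
                digest = sha256_of(p)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if digest in iocs:
                hits.append((str(p), digest, iocs[digest]))
    return hits


def demo():
    """Self-check on a constructed directory. Returns (hits against the real
    IoC set, hits against a local set built from the stand-in file)."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "9283" / "UMUF.exe"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed stand-in, not the real dropper\n")
        (Path(d) / "readme.txt").write_text("benign\n")
        local_iocs = {sha256_of(sample): "constructed UMUF.exe stand-in"}
        return sweep(d, ARDAMAX_SHA256), sweep(d, local_iocs)


if __name__ == "__main__":
    print(demo())
```

On a live host the call would be `sweep(r"C:\Windows\SysWOW64", ARDAMAX_SHA256)` run with enough privilege to read the directory; the size cap keeps the walk from stalling on page files, and MD5/SHA1 are deliberately not used for matching since they are weaker and the SHA256 set covers every dropped artefact listed.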