Overview

overview

10

Static

static

3

56e5ef2eb4...18.exe

windows7-x64

10

56e5ef2eb4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 10:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56e5ef2eb4001b992bde0c406a69b059_JaffaCakes118.exe

  • Size

    952KB

  • MD5

    56e5ef2eb4001b992bde0c406a69b059

  • SHA1

    8201517a8f5f90d8f278bba84e3e7dc4f1082a07

  • SHA256

    1f870144603d776ce4514b3c745a7b1a0b04d17482b59d98f43b2a5d325c601e

  • SHA512

    69b950db5b6287ae662a8eac68be2cb8024b17fcd5927d219230627bf3897462d1d126c0b4eb7aac020b5752a943c3180c45a329f68aa412001291b6a14edd7a

  • SSDEEP

    12288:tYYKXuEe/OernBZ9yhoBSR5gO5g26u3SfLyHNlb2u6lAXEh5YaYmpUzgASAGi0hl:+pkmezBTyTNsLytlbZ0AXEv2hGiJtp+

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56e5ef2eb4001b992bde0c406a69b059_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\56e5ef2eb4001b992bde0c406a69b059_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\SHACO.exe
      "C:\Users\Admin\AppData\Local\Temp\SHACO.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\28463\XIHF.exe
        "C:\Windows\system32\28463\XIHF.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4208
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1136
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:3104
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\XIHF.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 212 -p 4208 -ip 4208
    1⤵
      PID:3440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\@73D8.tmp
      Filesize

      4KB

      MD5

      cb07753c45624238b4403480372be5db

      SHA1

      10af5bfbed599165d996470278f011728e866df7

      SHA256

      63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

      SHA512

      2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SHACO.exe
      Filesize

      809KB

      MD5

      18fc1c9ac123d7b8149bec150a7e1b84

      SHA1

      e1cb8425b3406bd487917dbd87f76f23f3d38c85

      SHA256

      d6b40332e006014758c0356b9875d14237c1e69cb9c14db55e2d11bebce2c2b9

      SHA512

      4b9d47b01206139692a3c05018b5144ce134fdaa92b7563cc2f9923c88b208073a797d0df95488938e392f3678513000984f82a020482cd3d0eed307375b2778

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\mandarin.jpg
      Filesize

      26KB

      MD5

      5360862be8e10d223cabb8d5165b3219

      SHA1

      b57da0070559eabd3691d6fe64cad182591a82e9

      SHA256

      0611f2850ecede61614e81a55f9f1e7989486934723f7d7479cc9d46cca79e9d

      SHA512

      03b7d25745c6871073b34d347751ec18ea18a5dcd26112ffa6c6f2bba7bf3df9af69c1593f4cbce3f622f16cd8233a631d2137138ba3df5b58f3079a0641f3d3

      Download Submit

    • C:\Windows\SysWOW64\28463\AKV.exe
      Filesize

      457KB

      MD5

      42e2202ac32edb39ccf9979515018d85

      SHA1

      c1e07fbe2fa759e2775d4dcf7de23a66d2422a1a

      SHA256

      367b4028baf3df4a5f77169bd64c9ef8fd7968a4d6c852ae3f81a726f4b37222

      SHA512

      a97d9e968b1f63dedba74999aabe6fd150aae985c1143d29b183cc0d663a45252c57494c3457136c5e500050c6af6c819f9ba7070b7d62300ede2e9a7c792768

      Download Submit

    • C:\Windows\SysWOW64\28463\XIHF.001
      Filesize

      452B

      MD5

      7793385cc452a9d24ced45b11f390fe4

      SHA1

      0fe360d954d7fca719779f5a09a6038a008edaf0

      SHA256

      066898cd05ecd5121d5c3cd4931e62d2acaa3ba21d26bee7d0ce439682f04ce6

      SHA512

      81e938f69cd762eccba7ad0f9ffb1a58e43185ed132add77112c03e3f0a9be33b45b40a2eafbb1001788b72314e4dc21f038d31b8ddbb52c5b39d1d59f5bf40e

      Download Submit

    • C:\Windows\SysWOW64\28463\XIHF.006
      Filesize

      8KB

      MD5

      3da3041787b72a7909d9f6184ce6bc5e

      SHA1

      fc7f00b8a1341b5341e2ba6f94ba85364bc90843

      SHA256

      18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

      SHA512

      150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

      Download Submit

    • C:\Windows\SysWOW64\28463\XIHF.007
      Filesize

      5KB

      MD5

      50d0bcf6b5a6b11d9e274ccefba3f02e

      SHA1

      57acf2a1236b7534f2db661a9d95aeadcd41aa2a

      SHA256

      a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

      SHA512

      c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

      Download Submit

    • C:\Windows\SysWOW64\28463\XIHF.exe
      Filesize

      647KB

      MD5

      a7b322839cedf8d56cb0a7dcdb50ab59

      SHA1

      d27855e65f5d9e87666f39d2af694a0d75330a75

      SHA256

      ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

      SHA512

      86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

      Download Submit

    • C:\Windows\SysWOW64\28463\key.bin
      Filesize

      105B

      MD5

      27c90d4d9b049f4cd00f32ed1d2e5baf

      SHA1

      338a3ea8f1e929d8916ece9b6e91e697eb562550

      SHA256

      172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

      SHA512

      d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

      Download Submit

    • memory/4208-53-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-38-0x00000000023C0000-0x00000000023C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-51-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-50-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-49-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-48-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-47-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-46-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-45-0x0000000003210000-0x0000000003212000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4208-42-0x00000000023E0000-0x00000000023E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-41-0x0000000002420000-0x0000000002421000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-40-0x0000000002400000-0x0000000002401000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-39-0x0000000002410000-0x0000000002411000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-52-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-54-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-56-0x00000000009B0000-0x00000000009B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-57-0x0000000003230000-0x0000000003231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-55-0x0000000000580000-0x0000000000581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-43-0x00000000023A0000-0x00000000023A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-44-0x0000000003220000-0x0000000003221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-36-0x00000000009D0000-0x0000000000A2A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4208-33-0x0000000000400000-0x00000000004DF000-memory.dmp

      Filesize

      892KB

      Download

    • memory/4208-65-0x0000000000400000-0x00000000004DF000-memory.dmp

      Filesize

      892KB

      Download

    • memory/4208-66-0x00000000009D0000-0x0000000000A2A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4208-67-0x0000000003260000-0x0000000003261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4208-71-0x0000000000400000-0x00000000004DF000-memory.dmp

      Filesize

      892KB

      Download

    • memory/4208-77-0x00000000009D0000-0x0000000000A2A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4208-76-0x0000000000400000-0x00000000004DF000-memory.dmp

      Filesize

      892KB

      Download