Overview

overview

10

Static

static

3

5edbc0d65e...18.exe

windows7-x64

10

5edbc0d65e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2024 21:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5edbc0d65e572e932f3365d7e020c7ac_JaffaCakes118.exe

  • Size

    503KB

  • MD5

    5edbc0d65e572e932f3365d7e020c7ac

  • SHA1

    450bcd21344d552e9d66dd6793667cd75be226f5

  • SHA256

    2923ede9ba1b549f01dec7ec2cb0504b09914f99dd8d31578ffb2835711f786d

  • SHA512

    5a0b11d1f4404c266a4dcb178aa277729b113c9768137d6fb5ed30267afcdcce228e022690597443aac2e02ca18221dceb50e58c8994282d2fb84c55336108d2

  • SSDEEP

    12288:PWj6dF7cqnrA+e29Au27Uvp32SarIB/wL28WGKTmGfG10tUm/sz2wnZBg:+OdFcq8MeY5ZYC4y8MqGfm0tONnZBg

Score
10/10
ardamaxmodiloaderdiscoverykeyloggerpersistencestealertrojan

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 16 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5edbc0d65e572e932f3365d7e020c7ac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5edbc0d65e572e932f3365d7e020c7ac_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Users\Admin\AppData\Local\Temp\Result.exe
      "C:\Users\Admin\AppData\Local\Temp\Result.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Users\Admin\AppData\Local\Black Keylogger.exe
        "C:\Users\Admin\AppData\Local\Black Keylogger.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2484
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\SysWOW64\Sys32\FLAT.exe
        "C:\Windows\system32\Sys32\FLAT.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@AE03.tmp
    Filesize

    4KB

    MD5

    2bbb6ffc878515a79478917c5af03a9c

    SHA1

    52532ea393f3a623c05b2cd72a205da41f152c29

    SHA256

    23c8cc69783ab663e036fb0d15c01b3863ff898d5534fa1d02f16c291863f3a5

    SHA512

    be8846674af43f20501e6fe59fbd369d7393e79970ab1a4fc7c516c491939f575c5e07a1cd284287e8663d1ca2f4e6663839a79f798a7453ecd30bb0fbdcc464

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    479KB

    MD5

    fdd10e6e06fa9d7c450160353c143156

    SHA1

    9a9da2c1f26c7fb1dbce98c29294611a9d6693b5

    SHA256

    9d915b7062d4987e1d9bf08d84e34df8403e455c3f83e09497ed765310e38129

    SHA512

    a3edb43835ae04f5052f38a0c881bc0d880d5474af8e8242d9147617d0aff853b825c35cda7d2aaf6f5e21e6ee8f94da847d8df29443069d1376866ab8664784

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Result.exe
    Filesize

    33KB

    MD5

    745b78bdcaa276d7cf0aa6c44539ae5d

    SHA1

    5b48daea62c0e6f7584454a0f3980734b493fe33

    SHA256

    9e7c98afdbf826d629351d77f7f95ac01281b84a79c39fc27fb5b2c5c9866742

    SHA512

    47aa8a43d9e52cb7bfd439803ec5f1e696c846b44bcea51b5160dda22a7ec91f6c067260291599390f0eec0017c9df36ac8015443ece91ac5ff44418f49c7a00

    Download Submit

  • C:\Windows\SysWOW64\Sys32\AKV.exe
    Filesize

    390KB

    MD5

    5ac8fe2c346b4e69ee80ad2f4bf43be8

    SHA1

    2829276ab92288b959f2ae92e9618e75443477d2

    SHA256

    94cbf88aca6f061118a7c38a34d1d08a9e78e870924f60270ef6d5be318f9f50

    SHA512

    9406a0cc7342ceb5ecab8e1ab32b325be0bd21e22bdc446f1d36d049463888592a415c424bb44c2e6ab5a92644c73f4a555e3cf7e5fc2feacdb86ea1ca4d501e

    Download Submit

  • C:\Windows\SysWOW64\Sys32\FLAT.001
    Filesize

    384B

    MD5

    e5b47ac4a69c8800058782fad381c5f7

    SHA1

    92c1597370efa9b054e0447506f861641a8e6b82

    SHA256

    7a4aab5060b0b08eda65bc72442183307aefc75505cfab693a572337991e2ff6

    SHA512

    6926a5146a69342f07c7df955caf5991172ca562db76094c3818570aed9487fa7cb7d4e8c53def8a10f141a461dfdad6ab94e3fce9c3315e49dc983a7f194903

    Download Submit

  • C:\Windows\SysWOW64\Sys32\FLAT.006
    Filesize

    7KB

    MD5

    a08026db7b86f2ba69f6317a4a66778b

    SHA1

    6afe5979a1ef3ee8b94b6ef4a6bf8a70d641bf62

    SHA256

    90c1300aaa05d24a32f9d01824c611742a10c2bb3e0450504b62282ab658e2f5

    SHA512

    059d6abdb37800f7673d116a0e9a4d2f3e8e7d955a402ef91ca97cf24f3c29121dc36c54599511ac0e04cd2b1467e30fb7b2563e42e2fe43e71560816902207e

    Download Submit

  • C:\Windows\SysWOW64\Sys32\FLAT.007
    Filesize

    5KB

    MD5

    49e240cd2e8fe880e177e208aaf8feea

    SHA1

    54e9ee5a7523148542113ee654f00ea13d3ca3d7

    SHA256

    f1b86ba7a2c3aa753966cc67bc5efb4e4badb670b6a0e56ffcfdcbbc379108fc

    SHA512

    e92efd1d0ab3249d6c93b32af0885e22726421055bff36dcf64d307ef2f8aaf2dd06c221342bd5e2a1fadb5d61ac284cd39750cdf1134fd530ba9ff1744d965f

    Download Submit

  • C:\Windows\SysWOW64\Sys32\FLAT.exe
    Filesize

    477KB

    MD5

    db4d88b22f173a37c34477abeea6a789

    SHA1

    11c42d2d445c01a408ad947d48927fe2b370aa8c

    SHA256

    251cd62057ee822ad0139fddadd88945ef0951af715eea17ac5faa4b25e17a55

    SHA512

    67501ecf3b474536c3ae0cf68d49672b108b3b509a229f2a8bd4126e2f67228c93e2bbb78379de7dac3bbff6f7495d1d1aeffebb3fa5f8c7a0e29eaac4bce23e

    Download Submit

  • memory/2096-56-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2096-41-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2484-58-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-73-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-59-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-60-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-61-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-63-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-57-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-65-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-66-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-67-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-68-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-71-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2484-72-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3688-53-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download