Overview

overview

10

Static

static

3

6e2e461add...18.exe

windows7-x64

10

6e2e461add...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    6e2e461add2ab4077e204f6de8cc8428

  • SHA1

    44808bb38b5df224fa9ab2ad763d9d1a6f6308ef

  • SHA256

    a7460898a0b55f5f4b8d892767301ea61d88e3925d0021523ed483363f9cf142

  • SHA512

    eff93c2346252fc59064e1dc67158995eb3003188c18449caf207cdd31fb0192256e254997a26722b5ac9ef45caeb14060a23d7633eabfd29aebf0c0c9a93c5a

  • SSDEEP

    24576:K/4EUWxjPeFSUzS74VbIeldUHn8dNysJSnRgSH0lMBdJw:K40jcSUzS74FFoHzslSH0++

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\SysWOW64\FJMUOI\JYK.exe
        "C:\Windows\system32\FJMUOI\JYK.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\FJMUOI\JYK.001
    Filesize

    61KB

    MD5

    93c2eac6b4d476a04730266ec1523f8a

    SHA1

    d53544650a95769d90c89fa90039399cb8d7e054

    SHA256

    898d4ed4dc6b52db670bf57bd859ae6e1c25230b28a69e7d0e548bae6941cba8

    SHA512

    9dc516552c08af9600ebabb025bfed1b9a8f16aafbf1cb7530af7254847264399a118a3bbf980e54ad01542fb4c0df55699d207ac44d85bd0eb94067b1a0bae0

    Download Submit

  • C:\Windows\SysWOW64\FJMUOI\JYK.002
    Filesize

    44KB

    MD5

    92fc2d978e3dcc66dbbe6ddde516dd75

    SHA1

    2e31d1a209193872fc7f494274b17f582bb137c0

    SHA256

    a89bebf2e88c1055b1d38bb715a7efeef93c18d5ec1d32a171ae354ccba4087c

    SHA512

    50d859f3abaf2d2bcf563a0bf0f47b3be0d1ea0f345fc69f5c9a3635d359798c068e4516803c7b8bd0a61b01b3bb1ece0a4703a278144acfa877311317a959ba

    Download Submit

  • C:\Windows\SysWOW64\FJMUOI\JYK.004
    Filesize

    1KB

    MD5

    2cb43a32ba11c3280e46455cb80cc8ef

    SHA1

    06594be031b8e29122987b6e9a27b27f97fb708b

    SHA256

    21f92538c8e3ec71d45c000a992db54cea6fd2d8dcb8b1bec03a2205cf3c6c15

    SHA512

    f9c8610f6d5a53cdc441e9177c9a07541ddd623b324fe5cacc1919d9afd4f566cfcef3afe9ed26652b0fee02a535a5f7092913f4371e7f26ea1560d8be0b55b6

    Download Submit

  • C:\Windows\SysWOW64\FJMUOI\JYK.exe
    Filesize

    1.7MB

    MD5

    851f20b20b52b01ee3e1000c89b47c93

    SHA1

    f46b94a834d6ba980b096747d725bd975d5d0dbc

    SHA256

    10b92386e4d23ae4fecbe8f5114bf494cf6012d379a1dd694b5130d5900e7651

    SHA512

    0eedbd7be28f504c87308552c780b9597d19b9cf220e3995f0d6f351ce21cf2a16f9969d4ed22170151373b5e0c8b9fa62b5b3feb7ecf335606d5d0e7ca6761e

    Download Submit

  • memory/880-22-0x0000000000400000-0x00000000004F4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/880-37-0x0000000000400000-0x00000000004F4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/880-28-0x0000000000400000-0x00000000004F4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/880-24-0x0000000000400000-0x00000000004F4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/880-23-0x0000000000400000-0x00000000004F4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/1676-45-0x0000000000400000-0x00000000005C1000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1676-43-0x0000000000400000-0x00000000005C1000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4204-11-0x0000000002560000-0x0000000002570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-5-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-12-0x0000000002570000-0x0000000002580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4204-7-0x0000000002520000-0x0000000002530000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-4-0x00000000024F0000-0x0000000002500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-2-0x0000000000590000-0x00000000005A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-17-0x00000000025D0000-0x00000000025E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-3-0x00000000005A0000-0x00000000005B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-14-0x00000000025A0000-0x00000000025B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-29-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4204-6-0x0000000002510000-0x0000000002520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-8-0x0000000002530000-0x0000000002540000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-9-0x0000000002540000-0x0000000002550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-10-0x0000000002550000-0x0000000002560000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-13-0x0000000002590000-0x00000000025A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-18-0x0000000002AF0000-0x0000000002B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-16-0x00000000025C0000-0x00000000025D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4204-15-0x00000000025B0000-0x00000000025C0000-memory.dmp

    Filesize

    64KB

    Download