Overview

overview

10

Static

static

3

732d417731...18.exe

windows7-x64

10

732d417731...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2024 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    732d417731226c4b89e77bf962f2f981

  • SHA1

    77a30165c462f59ba834c588125bc87825323f4f

  • SHA256

    05bdfdd5b994970fee884f875b67b7c9dafac6bba1ae6d5ea5369d90b0ca91c9

  • SHA512

    ab5d8b74ab6e509d62aedc716d186a7d9e6088cc4e491f565502613408dea7aba05632985c9d399293457bf3f5d5fb9d186d57016ec2d66fd93912944100ec47

  • SSDEEP

    24576:AkKKTe3pTmXd/eawg9vKUXC4ZbE29w/u2SeA0i6e:AMTel5lg7XCME2shFiL

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
    adwarespyware
  • Modifies registry class 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\Alex o Elemento.exe
      "C:\Users\Admin\AppData\Local\Temp\Alex o Elemento.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\SysWOW64\28463\VIKP.exe
        "C:\Windows\system32\28463\VIKP.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:848
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Untitled-1.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4748
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Untitled-2.gif
      2⤵
      • Modifies Internet Explorer settings
      PID:1744
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe"
    1⤵
    • Modifies registry class
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    5d2d00839f70c14209b37c09a2a98a04

    SHA1

    44461357fbf25b6e5f90b9fbfc6cf46bbe2d6a3c

    SHA256

    67e4d04e5ee1baa576d738cee65a0530a6060ce08fa87c24920ea93eab030067

    SHA512

    1030098f1dea89a3f6cb11a295e51a36d836b605be67bef561f3ca698a327eaf5105c2146f068df011907af210b3ee0444956904b4c9ba2f72d74f0b9ac7b75b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    7e86f644f800c3c6446aa221b5fe6e83

    SHA1

    9576cf36c11526e7aba7c5873dc4ccee1fe26ab4

    SHA256

    37cb4a6f605f8b0ec432836813108bb1cdde81e32e3fc871aa456d4d3d506e59

    SHA512

    70ba3b147c8e77b345301ddfa199b7d628e2e87552852ea317b61fd197b1804067b3703af33a26fcea4b5b7a720fec53b17c19a56b295a6a63de7f29e1a0ea3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\@ABD0.tmp
    Filesize

    4KB

    MD5

    36400e746829504282eb26b364826aa9

    SHA1

    d39ea9da98be0c331fd71002645f4f40664288a2

    SHA256

    c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

    SHA512

    5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Alex o Elemento.exe
    Filesize

    813KB

    MD5

    43e74709fb87cd1448469bd9a098908a

    SHA1

    882f2760870db3d544e766b72dda35100e37ba93

    SHA256

    4735e6559c3274a6feb204101228d3642277ee8d0a47f31cc853699cd42b7f5b

    SHA512

    168ee9a75b9746120786fb97707a7d3f954137840e2db01514232bbf0d79a280b65a3db8cc8e9e3f928edb0310c031850d3ca8ed34678c53a40a49015288f354

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Untitled-1.gif
    Filesize

    180KB

    MD5

    91d0d1edb284641da87aee7e3f9fbd9e

    SHA1

    a2896fe30e392ec4c82eec62c7fd816d42e8b197

    SHA256

    0b7dbb494ab80b4718a7b9cc385e72f5d3b48e715a5dd6e287333085999b0ebc

    SHA512

    c2f79c34350435eccdb10136f8bc1b66b43f599a11449c93c095e51a3f30b905e5173d60c012897513ffd3225cdc78121b2bbd80c2618cec61e698879d87c0d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Untitled-2.gif
    Filesize

    129KB

    MD5

    8140056234c661a542fc06b22b0c91c8

    SHA1

    9ef6eaea0841d2768555a205111a82c36d0941bb

    SHA256

    cd505ef7f4fa9320d925fae49fa3ac8f53d262e152b41cb1d8da88f8e8aeb630

    SHA512

    1b4b772e44733d7f7b6f7653b00fce2205e3b97849e0a5826b09ff323b79f6b5c1dbb58cdcb3b2a691b2d21ef36511dd2e0ed633cf92ad818312232eb035ae66

    Download Submit

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    457KB

    MD5

    f34b87951e1a931e01df1bc9f1b98207

    SHA1

    f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

    SHA256

    e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

    SHA512

    c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

    Download Submit

  • C:\Windows\SysWOW64\28463\VIKP.001
    Filesize

    490B

    MD5

    4d6f9fbe0863b496f7815edccfaa4060

    SHA1

    0567060a2ae51ed25683d1b0428e7d065ba5f8da

    SHA256

    9deb04b61a22a0759bff4f8edfbe1a56bf87e5a8be662bfa447b2d3e9f4421a7

    SHA512

    b07ef6bfa0758a56fd44c57b5475309c59604c83138928ede41bd8dc71c4f1e780b5e8bd2592be53c170f7812bd899f9eb0bfcb7d8622bd923450f7405f837bf

    Download Submit

  • C:\Windows\SysWOW64\28463\VIKP.006
    Filesize

    8KB

    MD5

    98d22fb2035a26a6b9b7decc0c0ff2fa

    SHA1

    43a75cf59fc2f8b59b1d962b4e685249eef816d5

    SHA256

    fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

    SHA512

    3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

    Download Submit

  • C:\Windows\SysWOW64\28463\VIKP.007
    Filesize

    5KB

    MD5

    15eb312db4b3e208b67082653acb8a02

    SHA1

    b0926b1e1733baa3d7f18d3806916f92704fccff

    SHA256

    72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

    SHA512

    7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

    Download Submit

  • C:\Windows\SysWOW64\28463\VIKP.exe
    Filesize

    651KB

    MD5

    b181beaba4204ac3ce7bc8e6f0b74312

    SHA1

    4ab13763d2ecdf0968f15a39302aab2b1f0ab462

    SHA256

    f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

    SHA512

    d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

    Download Submit

  • C:\Windows\SysWOW64\28463\key.bin
    Filesize

    105B

    MD5

    27c90d4d9b049f4cd00f32ed1d2e5baf

    SHA1

    338a3ea8f1e929d8916ece9b6e91e697eb562550

    SHA256

    172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

    SHA512

    d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

    Download Submit

  • memory/848-56-0x0000000000400000-0x00000000004E0000-memory.dmp

    Filesize

    896KB

    Download

  • memory/848-42-0x0000000000400000-0x00000000004E0000-memory.dmp

    Filesize

    896KB

    Download

  • memory/848-71-0x0000000000400000-0x00000000004E0000-memory.dmp

    Filesize

    896KB

    Download