Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-10-2024 09:56

General

  • Target

    73335537220bdfd701774177b09d94b0_JaffaCakes118.exe

  • Size

    543KB

  • MD5

    73335537220bdfd701774177b09d94b0

  • SHA1

    000c2db050d7d04567ca5150f52b85c484dc3aa0

  • SHA256

    fcb5a8b669aed84a2c97f1f2b3a90981f1a7701bc99e56409942d9aceef58da6

  • SHA512

    8753209bc479b0baea8ebd56c4041eda93f3ff9417ee2eca6998113ddc98386fb767bcb3f1540014de544cdd94d1b5c26456faa4875b8458c82bcd104222643e

  • SSDEEP

    12288:OIZsut4Cfk1B3Cb1KX4GKaOxYP3uA0JQiIBPrCeKIekAYn09+i:MuCCM1BCwXyaGyIQlJ2ws3

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73335537220bdfd701774177b09d94b0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:244
    • C:\Windows\SysWOW64\74638\DGYR.exe
      "C:\Windows\system32\74638\DGYR.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@A901.tmp

    Filesize

    4KB

    MD5

    c88da5c55de230053bb94c597184e4ae

    SHA1

    7d7a4cf6466165c6c1c507f7910ecb27ad0da331

    SHA256

    64e12bb2b0fdeed4187cb4748a97b75379ff2c4e72c3655efe5b23eab8cd2869

    SHA512

    40f163ea795150dae74c6df09bff38d68b52d58b6ee9cf2aac873062588cc18f6e445c5ee9410a5060ecd2cc87c70be44a41b8b4f32250a6ce20bc6bf41bc623

  • C:\Windows\SysWOW64\74638\AKV.exe

    Filesize

    458KB

    MD5

    e28b8e6368b1a9edb3de05e8bedbda3d

    SHA1

    d219b27b16558a560cbdd568ab42a08adb7547be

    SHA256

    ce9cc662186b1f46448434150afcf521ff753077ccdddb03b9c5dfb56178fda5

    SHA512

    096f2e77303636fceba5e5abbfffc2949a9551ed44a0e34f9445544e8318854c4138d4313f99d7904b58ee567963bdc76d89ebb550637fd6841a00d74eb762fb

  • C:\Windows\SysWOW64\74638\DGYR.001

    Filesize

    426B

    MD5

    1b72c3de319a128482fc02c7d19d1595

    SHA1

    792c85f3be569eeea4cb763a8bcb7db848e04afd

    SHA256

    5aa46a1bdf9621942407bdc9aecb24317ec976f22d16d5e0f0e79576e2b3bb9b

    SHA512

    947ca12d5c1f72782554edc07fdb13f5436092420600809b6e687a63d2f202889b2e9afff05759bdd07fa00115c1bf1051815f3ee72fbbc7a34cf2e6d1f1e3f5

  • C:\Windows\SysWOW64\74638\DGYR.006

    Filesize

    8KB

    MD5

    8d093334c5c1ab69afff0e4322c3158b

    SHA1

    05c415e71e7dcacb78f49f25925f5177b02f0021

    SHA256

    e0e54c8f86327bcb48df4c803a2ebd7299f839e77b8ee77665210f4e33885a40

    SHA512

    20acde6e65c87b6dcbb44e48b12165bf9565dbf1f96f431d6b5367f61f1ae9ae20bf637f1f696078b7a7f3aaf078cbf7c4257d9d2a3fbebcbb165b0b941ca275

  • C:\Windows\SysWOW64\74638\DGYR.007

    Filesize

    5KB

    MD5

    f9fb0e65a3753ca6530eda233cf7fd3d

    SHA1

    3eee3da17c67440102371450791d4474f0d5d537

    SHA256

    4c1f344695d2a4773b0106a21e8b0bc97a7a88c04787420907afc3f14e9cf2a3

    SHA512

    97bc5e069c7e1ffdbfdd7379b91f3aedd1b2483196ee916ed7a737036d2e7dd3dc070a583391ac88456fa7e9c0e8c9edee81edd4f5ad3b9c6b972f0ec96ecf8d

  • C:\Windows\SysWOW64\74638\DGYR.exe

    Filesize

    568KB

    MD5

    9c04bcdac0f7fa9100cf3418eaac9ed1

    SHA1

    d1e566631886b2882e7ac0709d04e98f6d44de4a

    SHA256

    c82c2989bf19daf8d201dd25de7933488de98825257e549a8c7c2d21736a32c3

    SHA512

    2d3c39c3c249c58109e49b733cc68dbb5e2bed1749e0f90c0e7ae2995ec14d9ea36116abefb84ada0377d108a79f446d4fbbb4454c8f3ee7ad3446ada0be2aac

  • memory/4884-23-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB