Overview

overview

10

Static

static

3

811cbc2f3c...18.exe

windows7-x64

10

811cbc2f3c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    811cbc2f3c61d4bf7d009d00c15f1321

  • SHA1

    775a085e2f4771ea67cd75a2b797dc6eedbdb32f

  • SHA256

    b40586092deaa8fa14ebb39802a20f2ebada997a075b75744274faa4a9735afe

  • SHA512

    4bfbeb25f004a4017a33d2b269893e2bea6ee718911dbc2a76ccb0784dffe16002cce8ce358d36f1bc98a44473a368bd31e01d339c83c07302f35526396ff80d

  • SSDEEP

    24576:EesT97/AE/wkXmv/fnwFY9cx0uxGCYyXK/no/HW2xBBqJp9RpY:E3T9f/bKPyY9cRs9wO+B8JpRY

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\SysWOW64\VDFILS\ETI.exe
      "C:\Windows\system32\VDFILS\ETI.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3104
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\playspan.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3708 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    ee4ada789158c1e5a14d597cf1d5edd0

    SHA1

    9593aee78d30d51ab93d6a29dc4dc873e0d466b6

    SHA256

    903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f

    SHA512

    a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    ac8ea12a9ed52ee2ec41932cd610bc9e

    SHA1

    9e3794b2249eec452c97f3aca34b9de18313b610

    SHA256

    fb89605d6c2cc7acaf81c078ebe4d9c3c59837e32a40f043f781dfe2a4b08838

    SHA512

    c4243b095aa057caed13e1dbdb1187ef4ea612f1bd5a8be3c785d18aeb417971590e94e4deeb537abf1ac8d24ac5c0bec98604bddd56406c869ca59fdd6f7128

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1930.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\playspan.gif
    Filesize

    27KB

    MD5

    a728ee12275113e7b77a8378b90ce8ae

    SHA1

    db57240ff5808f63e9e177397666b856d1ec9464

    SHA256

    c8677d9ccafefaf06ba407de0c56748f318894a36ea7fe8ad1c5ffab6ae88723

    SHA512

    5498761864c90a172515fecff5ab529170a890197b330d2436fe33e739cadd4da49760f38403a60e5b4e777bf2f16d5281d9f0e68cd7a27e3a3a3616b8a08f63

    Download Submit

  • C:\Windows\SysWOW64\VDFILS\AKV.exe
    Filesize

    498KB

    MD5

    51c1f8be2696047a60425cf4e8370eeb

    SHA1

    c565f5f7ca1eae6af9c7e7d07092031975ddf356

    SHA256

    900f9e42b5157d485000517997655dea2b5a36b249295e16a650ea38a8992de4

    SHA512

    a25712fa2ca973a3d73fc9fd59bd4c4734cb31f1683d0960e86fb0d1f078f011c8c9aebd85b6513f434c4e96cc8dd4367620a9b5c55112b586187ee2fed96c9a

    Download Submit

  • C:\Windows\SysWOW64\VDFILS\ETI.001
    Filesize

    60KB

    MD5

    2bfb29b33b47a062d48c9ad462cc06c2

    SHA1

    1b39d2cb07740cfafe6809d30431952e2b7c2a5f

    SHA256

    f5b12e8464198b5c9cb2308e86942ef6d49ad0aeb844b47a385e90f0977d9001

    SHA512

    3521cca90074871f0e28706061e4a6ec8c0abca1c36ac73e860216be46df06c89ec8a5690677c4df0bf451ba2d2374351009a459101de459b71efa3889a043ee

    Download Submit

  • C:\Windows\SysWOW64\VDFILS\ETI.002
    Filesize

    42KB

    MD5

    afa4b981d51f73aaa544fac1a7108ab3

    SHA1

    8dd9f0811c98175b1cf9d73893e03283e020ada2

    SHA256

    456ed6eae6b31494b782f8786d28f22a96f38abcc81e93cc9802dac6bb1b9238

    SHA512

    4e0234d692b5eb91cfe5f2f2926a0b0f49dc43510c695dd6bff78071c86dfad91cbcde3428d4965026fd980c1a353b221b0a3fa35d223d678ef82cfb9e0294e5

    Download Submit

  • C:\Windows\SysWOW64\VDFILS\ETI.004
    Filesize

    502B

    MD5

    46abadb5eeed27330ace63144e5a180c

    SHA1

    8976e91b050aebcab3cb2b221e7b3251161590b9

    SHA256

    a770ee0b90f0e9cad9472cc41b3446ad20ea48b98bc54c4a3dc1276f2168bb26

    SHA512

    29cd3e9b0c440316ca9d498d089034a576af8d2e51fafb2c3bb339055583b0803987ea40cc8aa285745ff41ac364b46e523945d6d8556b4c148af2913f0bbe81

    Download Submit

  • C:\Windows\SysWOW64\VDFILS\ETI.exe
    Filesize

    1.3MB

    MD5

    93e6298315cf566b520382d6c701dc62

    SHA1

    ab5ee9810535cfee6fb1f751d63cc5a0ed0e256e

    SHA256

    035a7419c78813bae698ee98db9f48302d4de0bd011ac573eb457f65268b702b

    SHA512

    1c37c580578964ea00a3fd193ba04ca81ed2e5cf3e74395e90994b3dd0e22d3c55fb640eb8138af81eef6d88af37459dcc6bb6bd035fc1aaa71476ba4634a8ee

    Download Submit

  • memory/3104-17-0x0000000000630000-0x0000000000631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3104-27-0x0000000000630000-0x0000000000631000-memory.dmp

    Filesize

    4KB

    Download