Analysis

  • max time kernel
    136s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-11-2024 21:48

General

  • Target

    87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe

  • Size

    480KB

  • MD5

    87f4271ae8d5c67a7211d57c5e1ff1a2

  • SHA1

    613cf83a84e324b3c04adf44e21f51dedbf5877d

  • SHA256

    e9813b538392c27b58741b0bedc381d4681d414596eb33c4a2aed8f4e5bbc723

  • SHA512

    fd03fa91ad489534654c4d6827c879958dea2e0936586df72b26c65ab59ff3b9eefe1ce71a72d46726578509116310678eecebf2f3204972f312b5d403b81139

  • SSDEEP

    12288:u1QEAPL0LCySQ0Q1JoyTEYwfqEmQZ1uxrSgtgXq4peHb7gR77:BEAT0izfdnfqEvTuxTd77Yv

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\SysWOW64\Sys32\JNKW.exe
      "C:\Windows\system32\Sys32\JNKW.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1112
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\JNKW.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4524 -ip 4524
    1⤵
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\@B12F.tmp

      Filesize

      4KB

      MD5

      74ff002e34aadbe8a9f7d88d2532c5d5

      SHA1

      3c11c399973d2db9a94ad7a089870d026c8c859d

      SHA256

      57d3fc3ef8934afd806d28d705c05637c0bd2d64b91a1a3e87e9bfbbf95f6e8e

      SHA512

      704c6520a7c89e6432776ad31c3334d22db390474c141974fc189c03b84e4618a35707f70f7ab7337bb63775a3cc04c2f70e88d9e3f921cf9ab2116305ed1bde

    • C:\Windows\SysWOW64\Sys32\AKV.exe

      Filesize

      391KB

      MD5

      75e14e922eeea4674c45a00335c28777

      SHA1

      f3268f7a91e0cef3ac1b03877daa694655e79fa1

      SHA256

      e103b85edbafbacc8e4ac50378ee4812b68ceccd2b6f2066243ac03674030f68

      SHA512

      b2c5e09c041bc235bf1be0a808c92dc5b8256447be95a0fb4bcfe9160123c63d14a4979eea28f5286a0f3f354c59f032c9a24586dfb7067150dae7339314f6fa

    • C:\Windows\SysWOW64\Sys32\JNKW.001

      Filesize

      536B

      MD5

      5ec6050d273da18b39bdb9f33cae5bc3

      SHA1

      9b20dfbb24b0adc7c30ec7cceffb373de6141ef4

      SHA256

      7b2801e8677f1615edd005b6a1e77e843fab84b2779e226eb1de82cedeb92aae

      SHA512

      fad7de77bdea94c31bb871380c558e72adf2e8bae5782d0978d0b2fa2cb54cc23747b6b677ea2b496457fac0d5be863fbaf09c5d09f5aac3ff79a98cd0322d20

    • C:\Windows\SysWOW64\Sys32\JNKW.006

      Filesize

      7KB

      MD5

      5001bd93dc919785a830ab883eefb04e

      SHA1

      eb4e7b7d42bf4669c1f011fcd0119012cfb957c0

      SHA256

      2027d2ecaa78d0ffdd4234ce531be60f230b8258ae6c001af587f6d73dba771c

      SHA512

      20f6a8fa9e2188aa29d101100edae17d77b4983f3e1dd4696c6fbcd47ef0bbcce392a0733c330dd7a707b0f5bb92720f684b04cdd8c0f1a0b186012001c477d8

    • C:\Windows\SysWOW64\Sys32\JNKW.007

      Filesize

      5KB

      MD5

      00c2e21155375b96338bf76afea81546

      SHA1

      9ec87a26f5a48db97c05b2e3990aedec0adaa999

      SHA256

      6f3c20f654f2f4aee0752b95d72d9f46ebf467422611b30e9baa5ad1d21a4534

      SHA512

      cbaf2efa919def1d351de8ad8b1e30af4bb754db833019f9d998f1c78a844b933b18c41e8764edd1632be2076fd23cd7f302cfaf3f8ed6538bc90db178db422a

    • C:\Windows\SysWOW64\Sys32\JNKW.exe

      Filesize

      476KB

      MD5

      63ea07b550f22b1f5d5d6897f4d92894

      SHA1

      8107c9115d45c7857534f0e0b2d9837304f009f2

      SHA256

      729269e2ce40465fa2b512e2dfea0da818a2972070ae6fa57c92893a1276ea01

      SHA512

      c094235f36a1ecf1ce9082a22d34d33153595c91c941fb1e1bd9d3903e2142e6e7603db184dc19248258027e0b8377aa13f523b84a98c74c5645cd3e3c2cdf8c

    • memory/4524-23-0x0000000000A50000-0x0000000000A51000-memory.dmp

      Filesize

      4KB

    • memory/4524-27-0x0000000000A50000-0x0000000000A51000-memory.dmp

      Filesize

      4KB