Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2024 10:33

General

  • Target

    9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe

  • Size

    756KB

  • MD5

    9af1276958721492f19d42ffd0358cba

  • SHA1

    67d837ecf326ba46f9120b8467bff11bdec78897

  • SHA256

    e3ca8a2d067d74c388de2bf37302d943b6d9030498c3642761cdd4d95ac7c368

  • SHA512

    b178f8cc4d5f1c3e7096ccfa2577baeca8e3caf9b6fa78f3e679b94e52f5c9360ea244cafee91a62dbd5a4af2ff24e8b2dae1685a14f77b997060f490ad8ac73

  • SSDEEP

    12288:P9JAq8RpxIjnOI2EigFKm0p8/FzGIc8u/dskrcRZca+XXQw865tDgASU6qnSH1DU:7Aq85sOI/iYa8tzGB8adaRuaP+rkHiAo

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 25 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\28463\SPUY.exe
      "C:\Windows\system32\28463\SPUY.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1936
    • C:\Users\Admin\AppData\Local\Temp\Cópia de Cópia de TibiaBotNGCracker.exe
      "C:\Users\Admin\AppData\Local\Temp\Cópia de Cópia de TibiaBotNGCracker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sv.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sv.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\WINDOWS\SVCHOST.EXE
          C:\WINDOWS\SVCHOST.EXE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4308
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\save05.plc
          C:\Users\Admin\AppData\Local\Temp\RarSFX0\save05.plc
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3316
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\crk.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\crk.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4740

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\@AA2A.tmp

    Filesize

    4KB

    MD5

    908f7f4b0cf93759447afca95cd84aa6

    SHA1

    d1903a49b211bcb4a460904019ee7441420aa961

    SHA256

    3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

    SHA512

    958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

  • C:\Users\Admin\AppData\Local\Temp\Cópia de Cópia de TibiaBotNGCracker.exe

    Filesize

    311KB

    MD5

    4f071b4ba9e1c26ea66cbec5d5486ab6

    SHA1

    b8539f9ba1d58453b0ba9936e0ecdeeb0cc79ef1

    SHA256

    6a20afbe295ba89eeceac4e4f815c8a1941803f601135e48e9d61b4a55dc062a

    SHA512

    021cf79efa3d004695b155cedccabbcf35ebac6fc0bb322dfccc21c08823f0ba34f125f9f93f86edde6bdee3fc84e38acd6934f2444f5654884e5bff67ae20f2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\save05.plc

    Filesize

    266KB

    MD5

    3f4f522fb5e1c047ab5fbae601828426

    SHA1

    00837fe2114de62150068f76b227b688a721085f

    SHA256

    ecdcbe1d308262a8094d69a73015d3553534d1e45c169f33c7537a879ca7edc8

    SHA512

    890fe8ad318b2c1674159a19899dfac661ef73e0cacf769efab94b03c73cf958fa5fd80d157673abb625fd88458d78f0c755395915301a73410e1530e9bbd58b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sv.exe

    Filesize

    32KB

    MD5

    38347f5835c791fe0ec3497faf75a847

    SHA1

    dfd1dae2583f9f0401e391203e79827919708388

    SHA256

    167163b62617dcdb69c6a1cf0bd07c6b9de316e2d99a32f8d2f6ac9e9c9eb7b2

    SHA512

    4fbde1da19f106fb9fc3d6951930104c72030a0b3b5d8bac85834cbfe1244b855c5bac6284e2998f512543c8fc88176c4007f43485bfb7c494fddce14a29497f

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\actskin4.ocx

    Filesize

    372KB

    MD5

    407c604d5499577d38c2f971e6902281

    SHA1

    f92e20ec70b6dd7d7bcbd75db8bb5f340d89cb55

    SHA256

    72b996fca5f843584333b3b9843806a590af6b1908d049ed2dcb2fbe54ff02bd

    SHA512

    e3d2bd95ece244fbafb6def535ed0acf3e269b631a883c45c7ed464e206d70ac85a6e23e2fb45a6279030c7f58864eda1a4cec6db2bc2e3ff0e815d1498428a8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\crk.exe

    Filesize

    176KB

    MD5

    a5ecdb2a1dd6acf2a19200e9ef4144be

    SHA1

    b6ef0b37d34e5cfeac09abda493dcd49638d1de5

    SHA256

    302d338c993ed629a050eab03cd6959d97547ce9b5973b5db20f65da007fd1bf

    SHA512

    6151b5e1fe19e8551fc64301187523cc57090772de606580277e5d07aa559b0840d89974fe6b4368a80886c107e8ef8df95fbca3ee0f25d89f7b09b75a90708c

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    393KB

    MD5

    b0b09699ea39c0107af1c0833f07c054

    SHA1

    b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

    SHA256

    be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

    SHA512

    55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

  • C:\Windows\SysWOW64\28463\SPUY.001

    Filesize

    532B

    MD5

    519f9f30e7d5f3262b80caee1e94c002

    SHA1

    26082fb4e6d2982449c3c16eb2ca1eeea5f2c1a7

    SHA256

    8a9b8a912db30295696ae519c04f9c2a567e7a7934b97789833b77e5aa500cfb

    SHA512

    e56f97c5d9e5240e8953a24b87766ca86b15b38f24b874308e8d8fd665a224228f5f0236c6ec6181097a6b8555a6240b8c98f06990f86dd49c45681a0e65e20b

  • C:\Windows\SysWOW64\28463\SPUY.006

    Filesize

    7KB

    MD5

    e0fcfa7cad88d1a8a462cee6b06cf668

    SHA1

    a7e49078517abc929a6da261df06556c8f5a8cf0

    SHA256

    340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

    SHA512

    430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

  • C:\Windows\SysWOW64\28463\SPUY.007

    Filesize

    5KB

    MD5

    ca72cd485d116033f1b776903ce7ee0a

    SHA1

    85b0b73a75b0498f56200dd1a5cf0de5371e42a3

    SHA256

    e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

    SHA512

    8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

  • C:\Windows\SysWOW64\28463\SPUY.exe

    Filesize

    472KB

    MD5

    7ca78f42e7c88f01fb7fd88321b283ff

    SHA1

    8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

    SHA256

    2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

    SHA512

    06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

  • memory/1936-22-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

  • memory/1936-104-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

  • memory/3228-103-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3316-105-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/4740-97-0x0000000002AC0000-0x0000000002B1D000-memory.dmp

    Filesize

    372KB
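Added example: a PowerShell hunting script for the artifacts listed in this report. It is not part of the sandbox output or of the sandbox's own signature logic; it is written here to serve both the Signatures/Processes sections (persistence via a Run key, the 28463 directory, the SVCHOST.EXE dropped into the Windows root) and the Downloads list (dropped-file SHA256 values). The paths and hashes are copied from this page. Two things are assumptions: the Run value names (the report records that a Run key is added, not what it is called, so the script matches on the command the value launches), and the native C:\Windows\System32\28463 location (the 32-bit dropper addressed C:\Windows\system32\28463, and WOW64 file-system redirection placed the files in SysWOW64\28463, which is all the report shows). Run it elevated so HKLM and the Windows directory are readable.

```powershell
function Invoke-ArdamaxHunt {
    [CmdletBinding()]
    param()

    # SHA256 values of the dropped components, copied from the Downloads section.
    $iocHashes = @{
        '2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729' = 'SPUY.exe (Ardamax main executable)'
        'be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1' = 'AKV.exe'
        '167163b62617dcdb69c6a1cf0bd07c6b9de316e2d99a32f8d2f6ac9e9c9eb7b2' = 'sv.exe'
        'ecdcbe1d308262a8094d69a73015d3553534d1e45c169f33c7537a879ca7edc8' = 'save05.plc'
        '302d338c993ed629a050eab03cd6959d97547ce9b5973b5db20f65da007fd1bf' = 'crk.exe'
        '6a20afbe295ba89eeceac4e4f815c8a1941803f601135e48e9d61b4a55dc062a' = 'Cópia de Cópia de TibiaBotNGCracker.exe'
    }

    # Directories the report shows files being written to. SysWOW64\28463 is what
    # the report observed (WOW64 redirection of the 32-bit dropper's system32 write);
    # System32\28463 is an ASSUMPTION covering a 64-bit build writing natively.
    $scanTargets = @(
        @{ Path = "$env:SystemRoot\SysWOW64\28463"; Recurse = $true  },
        @{ Path = "$env:SystemRoot\System32\28463"; Recurse = $true  },
        @{ Path = $env:SystemRoot;                   Recurse = $false },  # root only: C:\WINDOWS\SVCHOST.EXE
        @{ Path = $env:TEMP;                         Recurse = $true  }   # RarSFX0 / RarSFX1 staging dirs
    )

    # Matches a path or command line pointing at either persisted location. The real
    # service host lives under System32 or SysWOW64, never directly in the Windows
    # root, so the second alternative does not fire on legitimate svchost.exe.
    $pathPattern = '\\28463\\|^"?[A-Za-z]:\\WINDOWS\\SVCHOST\.EXE'

    # Standard per-user and machine Run keys; value names are unknown (assumption).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. On-disk artifacts: the 28463 directory itself, plus any file under the
    #    target directories whose SHA256 matches a dropped component.
    foreach ($t in $scanTargets) {
        if (-not (Test-Path -LiteralPath $t.Path)) { continue }
        if ($t.Path -like '*\28463') {
            $findings.Add([pscustomobject]@{ Type = 'Directory'; Indicator = $t.Path; Detail = 'exists' })
        }
        Get-ChildItem -LiteralPath $t.Path -File -Recurse:$t.Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($hash -and $iocHashes.ContainsKey($hash.ToLowerInvariant())) {
                    $findings.Add([pscustomobject]@{
                        Type = 'File'; Indicator = $_.FullName; Detail = $iocHashes[$hash.ToLowerInvariant()]
                    })
                }
            }
    }
    $rootSvchost = Join-Path $env:SystemRoot 'SVCHOST.EXE'
    if (Test-Path -LiteralPath $rootSvchost) {
        $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $rootSvchost; Detail = 'svchost outside System32/SysWOW64' })
    }

    # 2. Persistence: any Run value whose command points at either location.
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        foreach ($prop in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ([string]$prop.Value -match $pathPattern) {
                $findings.Add([pscustomobject]@{ Type = 'RunKey'; Indicator = "$k\$($prop.Name)"; Detail = $prop.Value })
            }
        }
    }

    # 3. Live processes executing from either location (the keylogger hooks via
    #    SetWindowsHookEx from SPUY.exe and SVCHOST.EXE, so they stay resident).
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        $path = $null
        try { $path = $p.Path } catch { }   # protected processes deny access to their image path
        if ($path -and $path -match $pathPattern) {
            $findings.Add([pscustomobject]@{ Type = 'Process'; Indicator = "$($p.ProcessName) (PID $($p.Id))"; Detail = $path })
        }
    }

    return $findings
}

$results = Invoke-ArdamaxHunt
if ($results.Count -eq 0) { Write-Host 'No artifacts from this report found.' }
else { $results | Format-Table -AutoSize }
```

A hash hit is the strongest result, but these samples are repacked routinely and the hashes will not survive that; the durable indicators from this run are an SVCHOST.EXE sitting directly in the Windows root and a numeric 28463 subdirectory under SysWOW64 (or System32) holding .001/.006/.007 companion files next to the executable, and any Run value or live process pointing at either.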