Analysis

  • max time kernel
    141s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2024 12:25

General

  • Target

    a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    a1ebd31cca0808cef68bb396c1c1c56d

  • SHA1

    00405eaed613be4e596c203913ba2b7f880e94c8

  • SHA256

    e787ef308f760af58ff6611390c0de24b3e62f71f7012326c2a04679223a2c88

  • SHA512

    eac9f9bc05713a0ba533b8b9e4131b415ffa87e2eebb7af4abe158af2bb9f6e5a73f547383aad82826477a6716ab7ce33db4c499f90361cbec3c903a3394eced

  • SSDEEP

    49152:xQcXy/RF6ZWpmcYbZtxPsxc6iFyVkaner:xQcXyNpmZbZty+/0kIer

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.drivehq.com
  • Port:
    21
  • Username:
    slslasher

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\SysWOW64\28463\VFRY.exe
      "C:\Windows\system32\28463\VFRY.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4988
    • C:\Users\Admin\AppData\Local\Temp\IconChanger38.exe
      "C:\Users\Admin\AppData\Local\Temp\IconChanger38.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:572
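
The process tree and signatures above give a responder three host-level indicators worth hunting for: Ardamax components written under C:\Windows\SysWOW64\28463\ (VFRY.exe, VFRY.001/.006/.007, AKV.exe, key.bin), a Run key pointing into that folder, and, from the extracted config, exfiltration over plaintext FTP to ftp.drivehq.com on port 21. The following Python script is an added example, not part of the sandbox report and not code from any tool it references. It scans Sysmon-style events (IDs 11, 13 and 3) supplied in a pipe-delimited layout of the script's own; the sample events are constructed from the tree above, and the Run value names and the user SID in them are made up. The folder number 28463 and the VFRY stem are per-build values, so the patterns generalise them to any 4 to 5 digit folder and 3 to 4 letter stem under SysWOW64.

```python
r"""Triage helper for the Ardamax behaviours listed under Signatures/Processes.

Added example, not part of the sandbox report. Scans Sysmon-style events
(constructed below; the pipe-delimited layout is this script's own, not
Sysmon's XML) and flags three indicators the report documents:
  * component files dropped under C:\Windows\SysWOW64\<digits>\
  * a Run key whose value points into that folder
  * an FTP connection to the host named in the extracted config
"""
import re
from dataclasses import dataclass

# Paths seen in the report: VFRY.exe / VFRY.001 / VFRY.006 / VFRY.007,
# AKV.exe and key.bin under SysWOW64\28463. The folder number and the
# letter stem vary per build, so both are generalised here (assumption).
DROP_DIR = re.compile(r"\\SysWOW64\\\d{4,5}\\", re.IGNORECASE)
COMPONENT = re.compile(r"\\(?:[A-Z]{3,4}\.(?:exe|00[1-9])|key\.bin)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Exfiltration endpoint from the "Malware Config" section of the report.
EXFIL_HOST, EXFIL_PORT = "ftp.drivehq.com", 21

# Constructed sample events: eid|pid|image|field1|field2
#   11 FileCreate:        TargetFilename
#   13 RegistryValueSet:  TargetObject | Details
#    3 NetworkConnect:    DestinationHostname | DestinationPort
# PIDs and file paths follow the process tree; Run value names and the
# SID are invented for the example.
SAMPLE_EVENTS = r"""
# eid|pid|image|field1|field2
11|3784|C:\Users\Admin\AppData\Local\Temp\a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118.exe|C:\Windows\SysWOW64\28463\VFRY.exe
11|3784|C:\Users\Admin\AppData\Local\Temp\a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118.exe|C:\Windows\SysWOW64\28463\VFRY.001
11|3784|C:\Users\Admin\AppData\Local\Temp\a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118.exe|C:\Windows\SysWOW64\28463\key.bin
11|3784|C:\Users\Admin\AppData\Local\Temp\a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118.exe|C:\Windows\SysWOW64\28463\AKV.exe
11|1924|C:\Users\Admin\AppData\Local\Temp\IconChanger38.exe|C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
13|4988|C:\Windows\SysWOW64\28463\VFRY.exe|HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\VFRY Agent|C:\Windows\SysWOW64\28463\VFRY.exe
13|1924|C:\Users\Admin\AppData\Local\Temp\IconChanger38.exe|HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\IconChanger|C:\Program Files\IconChanger\IconChng.exe
3|4988|C:\Windows\SysWOW64\28463\VFRY.exe|ftp.drivehq.com|21
3|572|C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe|download.windowsupdate.com|443
"""


@dataclass
class Finding:
    rule: str
    pid: int
    evidence: str


def parse_event(line):
    """Split one pipe-delimited event into its event id, pid, image and fields."""
    parts = line.rstrip("\n").split("|")
    return {"eid": int(parts[0]), "pid": int(parts[1]),
            "image": parts[2], "fields": parts[3:]}


def check_event(ev):
    """Return a Finding if the event matches one of the three indicators."""
    eid, fields, pid = ev["eid"], ev["fields"], ev["pid"]
    if eid == 11:  # FileCreate: component written into the SysWOW64 drop folder
        target = fields[0]
        if DROP_DIR.search(target) and COMPONENT.search(target):
            return Finding("ardamax_component_dropped", pid, target)
    elif eid == 13:  # RegistryValueSet: Run key whose data points into that folder
        target, details = fields[0], fields[1]
        if RUN_KEY.search(target) and DROP_DIR.search(details):
            return Finding("run_key_to_syswow64_drop_dir", pid, f"{target} = {details}")
    elif eid == 3:  # NetworkConnect: FTP to the configured exfil host
        host, port = fields[0].lower(), int(fields[1])
        if host == EXFIL_HOST and port == EXFIL_PORT:
            return Finding("ftp_exfil_to_configured_host", pid, f"{host}:{port}")
    return None


def triage(lines):
    """Run every indicator over the event lines; blank and '#' lines are skipped."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        finding = check_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


def suspect_pids(findings):
    """Sorted list of process ids that produced at least one finding."""
    return sorted({f.pid for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS.splitlines())
    for f in results:
        print(f"[{f.rule}] pid={f.pid} {f.evidence}")
    print("suspect pids:", suspect_pids(results))
```

On the sample the script reports four component drops by the dropper (PID 3784), the Run key and the FTP connection by VFRY.exe (PID 4988), and nothing for the bundled IconChanger installer or the 443 connection. Because the keylogger's exfiltration channel is unencrypted FTP, a connection to the configured host on port 21 is a high-fidelity network indicator on its own; the file and Run-key rules catch the build even if the operator changes the FTP account.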

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@9470.tmp

    Filesize

    4KB

    MD5

    d73d89b1ea433724795b3d2b524f596c

    SHA1

    213514f48ece9f074266b122ee2d06e842871c8c

    SHA256

    8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

    SHA512

    8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Admin_IconChanger.exe

    Filesize

    40KB

    MD5

    c2a51c40ba01e063c47e38653f987558

    SHA1

    2ea2a98a3b7869e540f5846dfe4741bf91c440ed

    SHA256

    7640da75e2c4226091ef1360e0ba83013c66fbe79ac4fda66f6b1999accb5a53

    SHA512

    660ddd4c88c0fe962d0a486b4ab1af0ec9080d80809d5d4fdf0ec61c90b3a7533c07ca398dae8cc6aeb434f908e0c76bb8b6e2d6a9256bed057b34ee2427a93e

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IconChanger.chm

    Filesize

    266KB

    MD5

    ffbb8cc01a348c3e3d75df86ba138eb5

    SHA1

    abbc2826a78da26f02ee3e2ab561a02668c2a895

    SHA256

    896d7d7007dbac099315f28ed2ce4c85f65a04581e0ec2ce112b215e331a088b

    SHA512

    72b63cece2c47c8c0656c6d2fe3c3dfe3b502ffaaa642efbbf398d33a15295b497ee81110eb4fe5cf3228f2f96d42745b6d3ba59c4048b13cf35ac088aef6251

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IconChng.dll

    Filesize

    292KB

    MD5

    4f81b8ded878fd4011f4e1a64766d8d2

    SHA1

    0496e4bc13b3fafb2f206188091f83b9b8febc88

    SHA256

    fa4fb70cf67eb9c2be24132cc10d150f0b4eee9e0d89d290d90dd5042405bafc

    SHA512

    7a5f53e0fd515f271adec9544a15e34aa50058a279625c5ea2c61fdde9d29f80af54d3b237795161b87c7d57ebbd9092f4df6a6dd1a5d5dfae2d5dd0dc28a9b9

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IconChng.exe

    Filesize

    916KB

    MD5

    5cc6646d965dd24198052f5030fe187e

    SHA1

    55d087f8ea38a1252cc350e889713b0f1a428412

    SHA256

    ec3629904b0189dd939337bd7eb8f8eb1c05acaa3b16d52a4f7d3ccae6f9778a

    SHA512

    fe703ae141bde3734f6c0d0cbaba3a387e498265e15ecfb8210264bc2af182ead70e2deb2c2ae4ca8673b1029239c1a99321a18f49dade2322c70054e7df3a3e

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IconChng.ich

    Filesize

    8KB

    MD5

    4cf5637adb05be37e8a0bf32b9e64c1a

    SHA1

    d697c9a0ade926816901d90e274829a5f8476d53

    SHA256

    a47182da07fc84d86ce1dc0c1c843d16183fcea92a7a6b6d484867f3a1b94fac

    SHA512

    e8eef9ef35b6f6b93e51d3f7dc6c4170642ce745c1a95e0c305133a929cf1a93a61a8cd9e78d9ed447098868b35a91d2d1208e5090b325d3066866d12b840bc0

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IconChng.sys

    Filesize

    40KB

    MD5

    2e95639b460d6b2cc350ab339466c487

    SHA1

    9d84ff37b6d2bf94183ffcab6de78bccb87b28bc

    SHA256

    9d8d3d79a2eedb17677d5c48e8dbe5ba0fbdb6eab2690c0bd05b998ca7fcaa40

    SHA512

    2ccea3776d66107ab26ce49c55c2011e20dfac04109403032e13a36cfff119a8fbfb7b49a75fe32f260f0ba092c8a0ab26af75e980d5385d89dd054440125286

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

    Filesize

    144KB

    MD5

    b2dbe169afe0e6060a4b85a9813a6f23

    SHA1

    9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

    SHA256

    539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

    SHA512

    a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ichnrest.dll

    Filesize

    48KB

    MD5

    5ea4715b208ca99c41e205d818ca0aa9

    SHA1

    18d28002a6a6ebb5df1deb06b1478f989da2da2a

    SHA256

    890bcaad297dd2eda5b28998537a9ac953fe3cc1b1af20d797c54877e73dae2f

    SHA512

    04a57e87f02b2b59532fe1553a30012473a9c5ef7e352b02a8c0d3062c519514b5e5bf174bf8ebdfc4cec1277be1442afa599b165ef23750d6f1be95d056dec0

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\license.txt

    Filesize

    4KB

    MD5

    8700f7ae68723f3f31adccdccc0bfd6b

    SHA1

    eff9db7b42e03b20df0d5dcaf28fc1906a811996

    SHA256

    0533612feed6bdca335041c80a7e12249760e8883e0acdd78265e774a2775e22

    SHA512

    8252539e2d45ff2f6e1d3d644dd0d52f3f93083425e29fd93193f3bb8433486f69f6fdb984416cc17eee749c6c756ca21c40cb954a06f00bf7a679b1cae57458

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\readme.txt

    Filesize

    3KB

    MD5

    be87138f56180f5e9f2e527003121743

    SHA1

    6310e4703f7e9c501908fc8c22e3100a212c3390

    SHA256

    78ee952aaaf5a84aaa80052b94139f9655dab11ff020e032619a160f6b0280f2

    SHA512

    ef69e345b697abc9697b7ef57849ce82bc0921c6a22a8b78d7b67c6bab023b3e39805e891397ef033f57cbc87400302bdc5fcbbdfcc32d4aea9472463d35ab57

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unicows.dll

    Filesize

    239KB

    MD5

    e1102cedf0c818984c2aca2a666d4c5f

    SHA1

    d8d88ea7083aee9c40f6fdc6c56451a018d21a83

    SHA256

    22f23cc65698741184ec34f46e6f69717644e0b5aabf5d5bd015101f2d72e56e

    SHA512

    e58b35815801d6d3797f95c986834d2ca5450ccc3f1fa1d27d127a8d1d36f8e21279173715a00686c9c831d22d7c5b5b9cc5874170223a4d78f09c4eefa390a2

  • C:\Users\Admin\AppData\Local\Temp\IconChanger38.exe

    Filesize

    1.1MB

    MD5

    714fec58517cf8ec758106f9e92cb4cd

    SHA1

    b1b03ba2dd2f94ce07b055854687fe5853324309

    SHA256

    a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82

    SHA512

    7eba6963e166e92992208587e11f20992f6166101708dee47282e405a393002266e098f6e7d2aade9c5edd6887c8192bf4eac3f5f797134beef334c81f459c3a

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    457KB

    MD5

    97eee85d1aebf93d5d9400cb4e9c771b

    SHA1

    26fa2bf5fce2d86b891ac0741a6999bff31397de

    SHA256

    30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

    SHA512

    8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

  • C:\Windows\SysWOW64\28463\VFRY.001

    Filesize

    366B

    MD5

    c4e794ea172c3a9e0e6fd0cbe1130f6e

    SHA1

    884c4621f6bb03e6a5b23fa8d2e6f6192113dd03

    SHA256

    eb8d170f146a3a004bfeb4fd9b49edefdd8468d06069a7c306d68946f4713437

    SHA512

    763c8051e0689e8323e3666ed8c0cf11e7dfb980b0c8285ac4fe03691576a4009e3a806d4104111d9367a23903acaf41649a5ebcad2d9c268ef457eb42e4f1fc

  • C:\Windows\SysWOW64\28463\VFRY.006

    Filesize

    8KB

    MD5

    35b24c473bdcdb4411e326c6c437e8ed

    SHA1

    ec1055365bc2a66e52de2d66d24d742863c1ce3d

    SHA256

    4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

    SHA512

    32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

  • C:\Windows\SysWOW64\28463\VFRY.007

    Filesize

    5KB

    MD5

    a8e19de6669e831956049685225058a8

    SHA1

    6d2546d49d92b18591ad4fedbc92626686e7e979

    SHA256

    34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

    SHA512

    5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

  • C:\Windows\SysWOW64\28463\VFRY.exe

    Filesize

    646KB

    MD5

    b863a9ac3bcdcde2fd7408944d5bf976

    SHA1

    4bd106cd9aefdf2b51f91079760855e04f73f3b0

    SHA256

    0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

    SHA512

    4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

  • C:\Windows\SysWOW64\28463\key.bin

    Filesize

    106B

    MD5

    639d75ab6799987dff4f0cf79fa70c76

    SHA1

    be2678476d07f78bb81e8813c9ee2bfff7cc7efb

    SHA256

    fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

    SHA512

    4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

  • memory/3784-0-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3784-48-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4988-33-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/4988-93-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/4988-50-0x00000000009B0000-0x00000000009B1000-memory.dmp

    Filesize

    4KB

  • memory/4988-49-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

  • memory/4988-52-0x0000000003270000-0x0000000003271000-memory.dmp

    Filesize

    4KB

  • memory/4988-25-0x00000000023B0000-0x00000000023B1000-memory.dmp

    Filesize

    4KB

  • memory/4988-26-0x0000000002400000-0x0000000002401000-memory.dmp

    Filesize

    4KB

  • memory/4988-27-0x00000000023F0000-0x00000000023F1000-memory.dmp

    Filesize

    4KB

  • memory/4988-61-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/4988-62-0x0000000000A10000-0x0000000000A6A000-memory.dmp

    Filesize

    360KB

  • memory/4988-28-0x0000000002420000-0x0000000002421000-memory.dmp

    Filesize

    4KB

  • memory/4988-51-0x0000000003230000-0x0000000003231000-memory.dmp

    Filesize

    4KB

  • memory/4988-29-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

  • memory/4988-30-0x0000000002390000-0x0000000002391000-memory.dmp

    Filesize

    4KB

  • memory/4988-31-0x0000000003220000-0x0000000003221000-memory.dmp

    Filesize

    4KB

  • memory/4988-32-0x0000000003210000-0x0000000003213000-memory.dmp

    Filesize

    12KB

  • memory/4988-34-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/4988-35-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/4988-36-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/4988-37-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/4988-21-0x0000000000A10000-0x0000000000A6A000-memory.dmp

    Filesize

    360KB

  • memory/4988-20-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/4988-128-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB