Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 15:16

General

  • Target

    a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe

  • Size

    494KB

  • MD5

    a2a5e09f8ab3e116a51e1e6b968e1ec9

  • SHA1

    3df06912a734a1a883b558e926ac478499be59aa

  • SHA256

    ce3a44c2e4e03c465ea022d6b8b28b680088d0dcf899934da94da894eae42750

  • SHA512

    23f39124321faf71830823051c7ccda43332dc05cd5a11244e98ae5dc157ac129335e72bf42b2b5e450f61472c6917d5b8e6d520148ef8b00ded6b4c75655028

  • SSDEEP

    12288:RbezHjnVySxaWOIxZESa4NbZEAahLn53xWQc6qt9N:wntZrxJa4nol3xWQc6qtz

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\Sys32\AUFP.exe
      "C:\Windows\system32\Sys32\AUFP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\AUFP.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2360
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\P2K.jpg

    Filesize

    27KB

    MD5

    fd3740a2eff7c52711ab0c0d24679f36

    SHA1

    fdb47235d09c8d6ca62a86417baad55d4d6fdf4e

    SHA256

    cb9ce1811d72d2622131005f34e3bd41a6ef71bce248e64216bd69e9312765a5

    SHA512

    65de09aebf1c97d7390498f383175348f131583fe232c7c730b071626d383ca56764af07ed53fc51edc39363ce87823dba9bc1fa7a324d7938b1d2bba175f718

  • C:\Windows\SysWOW64\Sys32\AKV.exe

    Filesize

    389KB

    MD5

    40f15729e871733ee4e3b526a72f0725

    SHA1

    43f4f1bb97a6e722ec796027aebd219199136833

    SHA256

    4ab6592bff060a990b7820e9ee412b4318fb47e85eb01c069fa797399991b472

    SHA512

    0f8b4bb24813334941d8cdcf137bdc7f4904648b97e5b92c448c053005a29d63c5ddfc6a7fdf1d3a7c1185b8c9dea15d13668bad963b651df6088dcfc32b7967

  • C:\Windows\SysWOW64\Sys32\AUFP.001

    Filesize

    390B

    MD5

    41c04f9466c6d2d50a640fe34033bee8

    SHA1

    e0d60726ea3953f0223039d36ae9d2317b61aca2

    SHA256

    2adba05a9143a08bba7cb48114947b6fde23bf4d1d19942a3fc32e28ae3bf95c

    SHA512

    9dc17a0d90fb1e4dac6af029996b154f1054a4a01f20ea70f7f7a99998c937234a85395388a88f64c228c6cc982d839fd53bf6e0f8752ee04c2e70d0dc0a30f9

  • C:\Windows\SysWOW64\Sys32\AUFP.006

    Filesize

    7KB

    MD5

    489d664845e0e001de7e6a87fb355366

    SHA1

    c0b339c9b8d18dad3b6f425b0eba2833ed313202

    SHA256

    aab3b216ae3c1415739d487c3d6df9af2b5d055959c289cd803e872b835d55fd

    SHA512

    7e403f33d0717a3e30664f9702de589c8065690dc423cf69245122e96db346c8112ed15ba53d6ab26c538a1fea9e63dd29a01e2f18be8c1ad439a5466d066be3

  • C:\Windows\SysWOW64\Sys32\AUFP.007

    Filesize

    5KB

    MD5

    8148ef191adcb3a30fbf777b1642dd06

    SHA1

    79027d2c6b2b14da631a133eeba2a0a102914e39

    SHA256

    ce5f8b7b0c338711fbc5359ed79c12139c6cdce2a5cdbb53797287800239c2e0

    SHA512

    8b285260652ce586fc4c8dd8ab26f726634fd50208e9278767461c37f9f4d98857a867322e312ee3b5bcbb9b33d9ff9cb055af7ec9318c2419244c2efcbb2153

  • \Users\Admin\AppData\Local\Temp\@CBE7.tmp

    Filesize

    3KB

    MD5

    1af114b264a783148f112ae8a4392450

    SHA1

    bf5493d1c7794cc9e44f219a5038990215494fd4

    SHA256

    3071cfecb4af30dbfef855370ed538f332338c35b5f6d5d14045c144796f7ff9

    SHA512

    b9c833cca0adfad35cbe4392b170cb4820c50874f7b6cf1717a67007c95878e1980c2cbd283ffa671feec0c8794ac229551c5f0b38700d932840a7073f562355

  • \Windows\SysWOW64\Sys32\AUFP.exe

    Filesize

    475KB

    MD5

    f7f2f0d8ed270a51c6bce37645b0e8dc

    SHA1

    3f48aff739c3add1bd951e28c4d11ec24e345adf

    SHA256

    fa0921f68dec9797bff50e5f3e466c01702eeeff254070c1705ced427edc725b

    SHA512

    a9c948ad52df9cd83cb4972938b1e1a1751e316d61303eb571ea47e3175d823545ec15951701173f40f1577cc644d1f612e477376730a5fb5d375f2683cc9092

  • memory/1712-23-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/1712-34-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/1740-28-0x00000000000B0000-0x00000000000B2000-memory.dmp

    Filesize

    8KB

  • memory/2068-27-0x0000000002BE0000-0x0000000002BE2000-memory.dmp

    Filesize

    8KB