Analysis

  • max time kernel
    121s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 13:34

General

  • Target

    a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe

  • Size

    3.5MB

  • MD5

    a81604d0c7b6350b40bd0635ce4328d0

  • SHA1

    3622fe4c275e411a46b2554a8a7ee7a2396963aa

  • SHA256

    e8a799c07a4b4beabe65eb402c920a8492b4738d2ff2b41f925912d0c7371c84

  • SHA512

    1f0e960e1b7b6f9d6b8106f0e20e19247d99764095c58a4d37728e1d23b65b264b198452ca8f18365d91ff9315e3c5e09404e436e8d8fbbed12583ac8b332613

  • SSDEEP

    24576:vjX2TdqIQz+gdNvpmeryhm1iXhPD93arPRQQlMErsv3kMQyLU0w8kU7x7vFqWDfD:Qm16nWRPlnrs4dj8pw6YannJWkdoHC

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\SysWOW64\VKVXBC\LOU.exe
        "C:\Windows\system32\VKVXBC\LOU.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\VKVXBC\AKV.exe

    Filesize

    459KB

    MD5

    3a96acb4dc45307f05fc177cf07742aa

    SHA1

    f8d198305383ac8c1ef2c359a898d1d4f431576b

    SHA256

    14a550138c38cb91d2b9967dfd607bc4a46c6fa6d267a6f5e1c0131162d1527d

    SHA512

    3cba04fc5e3b85c4a7a33bda3ef96091e9763b1db6a76c2ad50a809ebc2232752c331807074b6ab1490182f97d052d24b6e550a74991f65c0b4cea557db87a0f

  • C:\Windows\SysWOW64\VKVXBC\LOU.001

    Filesize

    61KB

    MD5

    661dbca8402ba82c0700f0adfa8a3ce5

    SHA1

    f90fb758a2b76335be66497cd173fb0ef059516f

    SHA256

    d8924592792dbc41ada0741375bf5960417676491a2696c9c1bffc5eea9c9d22

    SHA512

    774c35ec0938e1658f30c523babf5c393a1d4d3733f4b974ae734824b3afd690621c5a8be4541bd769c7181bd1468f86fe31a30a60445cc4897033f60459a4ca

  • C:\Windows\SysWOW64\VKVXBC\LOU.002

    Filesize

    43KB

    MD5

    76a1d9ae4d761069b795d6e891855aa5

    SHA1

    1540e9abb812497007aee9885d1ea35e810defff

    SHA256

    02a1f41970ded0a4fb834db6ced2f54b432a29048831de7793bc0aa459970567

    SHA512

    4dc3af04fa7494ea67ef4f44bdb3c681d01ef8cd2ad37c98e5a1b41d7ef10efff1bf55c167f7faac9b0298773a5864d06fb860fee5724463f8eef2c1a978bbfa

  • C:\Windows\SysWOW64\VKVXBC\LOU.004

    Filesize

    1KB

    MD5

    09f571f7a3fa4051039ec104aa6d3909

    SHA1

    6a003cf47e8a472a8094d98aafa3cdd356227dbd

    SHA256

    fc43a94e90cde34f9ad906e203b5cc13e58e77ae1c937e49c716255e9c4cccd4

    SHA512

    0729beb496a0c88db5562c05620912c43e7d749609e73283ee4b8821c7d9c11147a6b8bde4c5b64cbec8a296b7693b3ac71589ff3586b1ee558bd2fd55b1c8fd

  • C:\Windows\SysWOW64\VKVXBC\LOU.exe

    Filesize

    1.7MB

    MD5

    9be3091aa81569ce6ae396c39a4bdd9e

    SHA1

    805d6fa574027836c13bdd1fae956fd55c0002e9

    SHA256

    74d1f43449380ab7960d9655d897d413010a2171e201ea7c8039a3c9a671fd46

    SHA512

    e1627ecb79a5e4a5fafa1f31fe4c22c5f899eb4f0ea2887da9090b42d3ecba1a0540829b42064aad2779346dad493e25ad428703b932448c1d5973d46b6ba4e0

  • memory/1240-13-0x0000000074760000-0x0000000074D11000-memory.dmp

    Filesize

    5.7MB

  • memory/1240-0-0x0000000074762000-0x0000000074763000-memory.dmp

    Filesize

    4KB

  • memory/1240-2-0x0000000074760000-0x0000000074D11000-memory.dmp

    Filesize

    5.7MB

  • memory/1240-1-0x0000000074760000-0x0000000074D11000-memory.dmp

    Filesize

    5.7MB

  • memory/1684-28-0x0000000000400000-0x00000000005B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1684-30-0x0000000000400000-0x00000000005B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5012-5-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/5012-11-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/5012-22-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/5012-4-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/5012-3-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB