Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 21:21

General

  • Target

    ba3b625f480b272b7b471a53b9916a76_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    ba3b625f480b272b7b471a53b9916a76

  • SHA1

    bcfd209e49b2276be46db460c7458ca880342795

  • SHA256

    dada9edc3e28c4d5aa642c0d4a050729991c1cbfa680f832e96666b6386b0a3a

  • SHA512

    ba2d2b1b845eab52ce4b74bb3b607fff882559719c89fca9da977129431cc415b6b403d6ed3e3936ebb6d6082e0bdbaa2976f5d38d7f85a4ad009a41d207b609

  • SSDEEP

    24576:SZERA/xwzKoC5A5mjkHh6knDU9YwC/u+eBjx94VrZ7mM5a0pYUA:SB6zm5JjkB/KYwC/Ct94Vrpm4Gf

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 12 IoCs
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 32 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba3b625f480b272b7b471a53b9916a76_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ba3b625f480b272b7b471a53b9916a76_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\av-kill_by_ang.exe
      "C:\Windows\av-kill_by_ang.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Local\Temp\Kill1.exe
        "C:\Users\Admin\AppData\Local\Temp\Kill1.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2644
      • C:\Users\Admin\AppData\Local\Temp\Kill2.exe
        "C:\Users\Admin\AppData\Local\Temp\Kill2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2668
    • C:\Windows\crackerng488.exe
      "C:\Windows\crackerng488.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\28463\LOSM.exe
        "C:\Windows\system32\28463\LOSM.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2856
      • C:\Windows\SysWOW64\regedit.exe
        "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\CRACK_NG_4.8.2.reg"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CRACK_NG_4.8.2.reg

    Filesize

    24KB

    MD5

    8978623e9f4b85e742377d79ad53f0a8

    SHA1

    1db868e19cd4ff239c8b3cb9f84931a093fa6817

    SHA256

    149da912aa8e2067917f86d9e942eca0a0e09408b7c5ad83e6a0de77ebd20d1a

    SHA512

    de2e0f3571b21f1dfb56bc7cfb3d3d15fcb1440f586fe1d625d2136428238209ce93a3a5ad945abe271d9446aa9f67181cced9b585b94cda64a14c3847ca9663

  • C:\Users\Admin\AppData\Local\Temp\Kill2.exe

    Filesize

    32KB

    MD5

    89a6d01576dce0c344f78f980dd77d93

    SHA1

    cfaf3a9e081316f7c9bf8c3eb90ca18692d4483e

    SHA256

    49a7a2527a6da35b942995921ca257ffffd925e852176fc339e6fe46b12037d7

    SHA512

    3ccd745a820a1def59d03c3f9acd029ed6b956d32868017fed82e304183ee42f1adaa239326c18447b0bb09e11ddee09d97fc181c5cfd99689ed5526a214574b

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    457KB

    MD5

    9541a795c17a4721ab78c1f70503c5e2

    SHA1

    cd9d0803946b3a667eb78f5e54135afe3bd48c92

    SHA256

    959c36c7f96fd91cdfa2c383b98f57d57ced65a191d1972a8d0c1647c987522f

    SHA512

    08d824199e941bb7ce7ae2d3607efaca9a4cc3e64f227f0df8d3f395a827552d44f8ca6936f5ec7fb9c56aa73531b85825ac0242e01fcbff342add52cb1c6a73

  • C:\Windows\SysWOW64\28463\LOSM.001

    Filesize

    424B

    MD5

    704a804683645a308df7afe3b27016d1

    SHA1

    5c02fc5d1ba656c641b76ae3a4e279ea9e5e46da

    SHA256

    2b75b7a2f38d0f5dcaadcfa324743e90b4a2a4749f01aa7b2c96c7b6b0f12827

    SHA512

    88346caed5d8e2202aac83c0d03f9c9ba28eebdb8335103b9cfa168ab6e8bc7c67ed62db7ccc692d9b4480874689ce7a21034564cf89c4daea0026320ece183e

  • C:\Windows\SysWOW64\28463\LOSM.006

    Filesize

    8KB

    MD5

    700b38a2436cc970f6fce66052b49440

    SHA1

    5517dd5f52130da84ca0c51e5196f879ec03e032

    SHA256

    530c2a4775a7bc65defbc42b677e25debdba0ed9cd889103e8da3d6971937e43

    SHA512

    3f35a2a321a6c5a3afe886d97aefcf90bf84162204dc568655352f22ff06d9bdc0e48db4d9aebad0f1b9701dd258821d51a5760e3254e3c216a2cd0399ceca19

  • C:\Windows\SysWOW64\28463\LOSM.007

    Filesize

    5KB

    MD5

    fe36b634de34cc0dffac14affda16947

    SHA1

    c4c7fead2391fa9ecac96f5b59bab1ccfa3a8c20

    SHA256

    c226f64becf1c51ccaa1765e23a6701966e89862f3103b32557f06fb829a1d82

    SHA512

    4ff13fef053b14aa3054c51a960f72a75f9128877cc4c79dc289a091d048b23cf8d7a2962a989efc4aa5082090be911a6cfdb25de0e4c2eaadd2a31a16143f85

  • C:\Windows\SysWOW64\28463\key.bin

    Filesize

    105B

    MD5

    27c90d4d9b049f4cd00f32ed1d2e5baf

    SHA1

    338a3ea8f1e929d8916ece9b6e91e697eb562550

    SHA256

    172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

    SHA512

    d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

  • C:\Windows\av-kill_by_ang.exe

    Filesize

    76KB

    MD5

    47f5c8d6227a3a3beceba22b765248f1

    SHA1

    206ad171187d8750b1afa56617932513ec1c10a9

    SHA256

    a2acff0da6dfe284c9d72ddf1c0389d6c37a0957cc0380f606fcfa786b883df6

    SHA512

    958a1d774d5f9fa7368b9254e1c13f7862a871745785d5e7d0c667cdca6024147c09a9af640c4092c4294487b5d0d004e334c6e0a8cd280a0aeacdec12aa72ce

  • C:\Windows\crackerng488.exe

    Filesize

    812KB

    MD5

    f46cfac831ef32d4af2be13113ec8012

    SHA1

    8d371575df6afebbaa186034444d9916265925fa

    SHA256

    ac4db48601a087e75468a011b27e3dfe702d3c8a342c73b8d6842e89034a6bb1

    SHA512

    11d2a463743197230a330ac31896ba4c57b1a8c7fa6282b2df03985e27aa38eb85a99d908fff00f464edc570b1df706bd8abaaa847d659c70cae859a5fcf5642

  • \Users\Admin\AppData\Local\Temp\@AC17.tmp

    Filesize

    4KB

    MD5

    213cd80ec887a3a0a995d6f3f4989b7e

    SHA1

    67552f164cd92c5a8dd760bdfdea25da8a552f48

    SHA256

    4cfb72ae33817890fc6979f2ba4258f59c01eaa4dec50ee8dc58ce95dc7c40a9

    SHA512

    40d7782b17168f5e00d735c3eaa83df5e1e976664d9182ee6f3408bf284a878dcfb514b7c0c14842c988511e29a806f19fb9f1fab1addb0b49b3e1017e7efc88

  • \Windows\SysWOW64\28463\LOSM.exe

    Filesize

    647KB

    MD5

    d2a3e3bdc583c5a93323c3ce8ca8759e

    SHA1

    01084b3c016dd46cf83cfdb862d2ac7a4b0df832

    SHA256

    697b14a4a7cf6175e22103b29d4a7c430f3db6fe687f8dd9c8494ffe3ecbc16b

    SHA512

    c2dbbc0105c0fcceac89a6a0da06ad2c00fb205c7cac9b16a4874c5b2fc742aba0e750d9d8e153978260b3c2c01ce8978bd1ff448c593b2e75e2216c01b160a6

  • memory/2536-13-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

    Filesize

    64KB

  • memory/2536-20-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

  • memory/2536-0-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

  • memory/2536-11-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

  • memory/2536-3-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

  • memory/2536-2-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

  • memory/2752-43-0x00000000028B0000-0x000000000298F000-memory.dmp

    Filesize

    892KB

  • memory/2856-51-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2856-81-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2856-84-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB