Overview

overview

10

Static

static

3

bd18adae6b...18.exe

windows7-x64

10

bd18adae6b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd18adae6b699bb04ae20739dff72e53_JaffaCakes118.exe

  • Size

    10.3MB

  • MD5

    bd18adae6b699bb04ae20739dff72e53

  • SHA1

    f9a9499c116eb81161a60297a6b1d0b696247362

  • SHA256

    f7ee1a6fe7d3239bb32084612d65b5ee849d6c0302036fe4ce9be14866a41bf6

  • SHA512

    aaae67ddc43c4852dad220b2c7e1fba1ccaf6e0a1699c0c5aa026a21a5acbc1d93167556a692f5a2332e88a946d70199dc24d5ed7afa3e31d46379d894c94224

  • SSDEEP

    196608:Y1OQQqsHUJFdqAiip5E8dsl3Y8lFi6Ua5c35dkiY99OoAStJ3vUBEid4YhJ:Y11QqqkrFjdsZP5IFpStJMBx4YhJ

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd18adae6b699bb04ae20739dff72e53_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bd18adae6b699bb04ae20739dff72e53_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\system32RLUN.exe
      "C:\Windows\system32RLUN.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SYSTEM~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system32RLUN.001
    Filesize

    532B

    MD5

    c5d7402eede30885cf7f99dff4e67485

    SHA1

    e63ede651cc09d797348ade1f5ae54bc4916f052

    SHA256

    9313d463d777f0ee4ea0a07b7262169043e3ac27d40637a61a13e96102c7d4cb

    SHA512

    68f25fc5191aee8654f70ad9db3f3b8a4d6b2029c85374fc2ed9651e8e12d01ed22b45c04889e87a6cd145ee8f7418cb40da7a5736a91fe57db8874b6086d38e

    Download Submit

  • C:\Windows\system32RLUN.006
    Filesize

    7KB

    MD5

    2d8899d22457e384673cce3b63402670

    SHA1

    ab40f16fa1f0b08558c0a10ccafcbac9c06a1a8d

    SHA256

    11cc0d9300590b212959683958b8229d2355d7c85d2e38015eec402d874b186c

    SHA512

    3d0df9b26095dc6aa0cfc09facb5974e2c0e43dda7fa664f3b4dfc8c078fdfe40667e72cca4f5cbd8e6f8c7560fb6cee908ec32d7a1e8a780caa635c7e78c432

    Download Submit

  • C:\Windows\system32RLUN.007
    Filesize

    5KB

    MD5

    f3f04376ece185d2013ded9f729e8223

    SHA1

    70414d3303011617e1072a3c603dc4b71aa947d0

    SHA256

    27b64907c64beddd86c9d2bb56c10ab8615099715fb1c4ca8f74c1037a18eb86

    SHA512

    45fa1094125b070f042210f291158004965fda6d1044f9de18ed18818a8d2ac02b61a9398daf701c864747900f8e5fcd36c0a10728a3c22994562a71fa5c22f0

    Download Submit

  • C:\Windows\system32RLUN.exe
    Filesize

    471KB

    MD5

    2f49bd1ee6d9e956ac8596992e0d187c

    SHA1

    1384e4dd2a5bd67aeb3783417674898426063563

    SHA256

    be1ce7b1c8a268570d4489557f3c73a1eef615500f4a2434e523cca2b31b4138

    SHA512

    163bf29766baff221fd028aedbf13238119d1a73b36d845eb422f136eaf8b695926ff13884f6b1d19d8cb6a049d00709d11b8b308b20d93d5c7baa26f3184ffc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@7FCA.tmp
    Filesize

    4KB

    MD5

    3ac6bd370bb5704c6a35018df54dbbe1

    SHA1

    880f5478e1de3d844ae17e89804b8f90cdafd4a6

    SHA256

    aea959dc52fa9796ffab042872f72fea127da6267d75fa781f690d2c9d96a8fc

    SHA512

    138d0e47fbb6b1d52add61ec8c38a2ab4056e9d1ee680c2d7dc1a8a0e2a0761537a1b756efaefa13ee19a7057a7ab56918cda4d53ad348f05040585eb6ade0fb

    Download Submit

  • memory/2312-21-0x00000000776CF000-0x00000000776D0000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-24-0x0000000002150000-0x0000000002156000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2312-23-0x0000000000850000-0x0000000000856000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2892-17-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2892-25-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2892-26-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2892-27-0x00000000003F0000-0x00000000003F6000-memory.dmp

    Filesize

    24KB

    Download