Analysis

  • max time kernel
    95s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2024 10:01

General

  • Target

    d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe

  • Size

    385KB

  • MD5

    d1ddf3043d7e818ecdc49a916bcca0ec

  • SHA1

    7cb2cfe49c16f75b97ecae782dba897e02f87cc5

  • SHA256

    11c9cb9bbd091436fb485626d94f0e8098533d4a96358fb3bf15e763e68de9bd

  • SHA512

    81f8475aa7cd555a4455cd74c4cf59a6f75234eb93680e1046fa2fc6701914bc19718f5e4ac7264654bdfb3b3f47def484a82c207a382c5d1fe0dbf18af55bbf

  • SSDEEP

    6144:YAHNj9eotSOL0xB1vNGcDc768ytK1RcTCXiC6+ywakKd2dIFmJEY6DV:YANGxNNc7rD1KTPznQdIwEV

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\NSK.exe
      "C:\Windows\system32\NSK.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4852
    • C:\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe
      "C:\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 312
        3⤵
        • Program crash
        PID:832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2376 -ip 2376
    1⤵
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\@8695.tmp

      Filesize

      4KB

      MD5

      ccfd350414f3804bbb32ddd7eb3f6153

      SHA1

      e91d270b8481d456a3beabf617ef3379a93f1137

      SHA256

      1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

      SHA512

      328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

    • C:\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe

      Filesize

      235KB

      MD5

      fba2a6d4fdb061ad0069ab811d39d868

      SHA1

      46bd1a1af3e6a7f8d5fcca320e93082880707a7d

      SHA256

      3c29c08ea6b529eeb3f47b757646f59f191236d6edfe53dd3174e620a6a09881

      SHA512

      3635c563856d3927e4dcffb0c7997a76fd8a457e1ea1eb16aea55317080796421fe9582494922806d02a339c4141078cc3f1df42c7a46b8ff4f88f4c5bd4902a

    • C:\Windows\SysWOW64\NSK.001

      Filesize

      1KB

      MD5

      1629ed2fe828bc2480af878053772c5e

      SHA1

      22c254d5f3f889732ee766199ecbfc4300575b9c

      SHA256

      2af1d9c3da29d64c6275608693e52ccc949d3e442b6c646dfb525c81e281564a

      SHA512

      25ce7f73d6ec8d3255c96d2b366893ab2736d6496d3dc9f77cb9f2f1412badbe9c588149882e87d144fcb6b2f7d1453f9a10af7710df63264fcd1e30475f0692

    • C:\Windows\SysWOW64\NSK.exe

      Filesize

      239KB

      MD5

      2bada91f44e2a5133a5c056b31866112

      SHA1

      9fbe664832d04d79f96fa090191b73d9811ef08d

      SHA256

      c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

      SHA512

      dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

    • memory/2376-26-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/2376-29-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB