Analysis

  • max time kernel
    95s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-12-2024 07:17

General

  • Target

    d5de340019d8687637ad99a160f19b69_JaffaCakes118.exe

  • Size

    169KB

  • MD5

    d5de340019d8687637ad99a160f19b69

  • SHA1

    4daa9e192d7f822b0d69e6c205bb68cb35b5fc7f

  • SHA256

    eb1e406d4298da84b08caee6c2043a581e050d5273fe2f0316500cef44f7e9bc

  • SHA512

    849bb2b33d5193afba408a237c18e60bd0a30a1ef500c0031b0435c4eb552ff69d200f298e39fe223e7de0f347f79c52b6237482d8f4898720f540bc6e221ce7

  • SSDEEP

    3072:JCNmpyGimw1HinXctHBfa6iAiRfAv/Go7l9zRuptV5B:WmpyGk1HmstHJa6ouOcNRwtfB

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5de340019d8687637ad99a160f19b69_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d5de340019d8687637ad99a160f19b69_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\SysWOW64\FKG.exe
      "C:\Windows\system32\FKG.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@A0B4.tmp

    Filesize

    4KB

    MD5

    fd71f3155b019ef091d8bd102852dd6c

    SHA1

    5d6026dc53c171d732f024b6062587626cd5cac3

    SHA256

    6c96e9ef2f5ce2e712dc74904f660239b649bc348d75a3a1b31424d4934fd66c

    SHA512

    f4a8868b98c5c8e8a0eab0a07029831f43fc88525c3a329fe1601c3f2921f1bf360f5007d1018cd5f43d3eb919155e992c8be58e08e1f24366e978a2642c20a2

  • C:\Windows\SysWOW64\FKG.001

    Filesize

    2KB

    MD5

    d1f6776bdc48b2500df8ce445d40a57c

    SHA1

    d095246c61bb2060f630fbfd02e190914c4b96ee

    SHA256

    6514fdcdd8e62584476086c78a41bb6888333527575d85dc5d51231536ba6160

    SHA512

    0f1b26b94e84a0ce6c2e29b9ca01b7d94a587e311a39f6ae6e19f8404760b02bb998ec59083b2bd46a28d454b6ef016f4d7015edc91f27c0a7f904645d4e352f

  • C:\Windows\SysWOW64\FKG.006

    Filesize

    5KB

    MD5

    5b4fa20c178ac0796ce5a60dfacc7ae4

    SHA1

    3d616c05d54330d11892a47677e64634f7ae173a

    SHA256

    8e4b71d307ccb5de05614d325049913a41b7cf0049730bf9bcd0fdb418365fec

    SHA512

    9bf5c47d701904b1cbfa2bdf6c3717c6e280d1a9e89735eeaa902f160efb16771e9164425f2f6e5796e935b1598c64e0451d6a048682dcd2530167f32cead3c4

  • C:\Windows\SysWOW64\FKG.exe

    Filesize

    286KB

    MD5

    b1fee1a0a26a8b490df859f74e4da284

    SHA1

    9deef453906d6e30d345534236d9bad705fe1043

    SHA256

    77f81037ce80d418a67b2bc86584bb33cec4b49cc7a6810f4a0036e08ff7eee7

    SHA512

    63d1762c71cb406d63fe1b30f6d33228f561ece65cae089f7be303252829dddf2d46873c3d57d5fae97af467183cb97b598f96666f4ce04b4defd6d569cfe622

  • memory/3660-19-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB

  • memory/3660-22-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB
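The report gives enough to hunt for this sample's footprint on other hosts: four dropped files with SHA-256 values, the FKG.exe / FKG.001 / FKG.006 sibling layout under C:\Windows\SysWOW64, and a Run key added by the second-stage process. The script below is an added example written for this page, not code from the sandbox or from the sample; it hashes the files in a directory against the report's SHA-256 list, flags any `<name>.exe` that sits beside `<name>.001` and `<name>.006`, and on Windows lists the HKCU and HKLM Run values so an analyst can spot one pointing at a hit. The report does not give the Run value name or data, so the script makes no assumption about them; the directory argument, the function names and the sample files in the test are the example's own.

```python
"""Offline hunt for the dropped-file artifacts listed in this report.

Added example, not part of the sandbox report. Checks a directory for
(a) files whose SHA-256 matches one of the report's dropped files and
(b) the <name>.exe + <name>.001 + <name>.006 layout the report shows under
C:\\Windows\\SysWOW64. On Windows it also enumerates the two classic Run keys.
"""
import hashlib
import sys
from pathlib import Path

# SHA-256 values copied from the report's Downloads section (lowercase hex).
IOC_SHA256 = {
    "6c96e9ef2f5ce2e712dc74904f660239b649bc348d75a3a1b31424d4934fd66c": r"C:\Users\Admin\AppData\Local\Temp\@A0B4.tmp",
    "6514fdcdd8e62584476086c78a41bb6888333527575d85dc5d51231536ba6160": r"C:\Windows\SysWOW64\FKG.001",
    "8e4b71d307ccb5de05614d325049913a41b7cf0049730bf9bcd0fdb418365fec": r"C:\Windows\SysWOW64\FKG.006",
    "77f81037ce80d418a67b2bc86584bb33cec4b49cc7a6810f4a0036e08ff7eee7": r"C:\Windows\SysWOW64\FKG.exe",
}

# Companion extensions observed beside FKG.exe in this run.
COMPANION_SUFFIXES = (".001", ".006")


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 and return lowercase hex."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_ioc(sha256_hex: str):
    """Return the report path a hash belongs to, or None if it is unknown."""
    return IOC_SHA256.get(sha256_hex.lower())


def find_companion_sets(directory: Path):
    """Return base names (e.g. 'FKG') whose .exe has every companion suffix beside it."""
    files = {p.name.lower(): p.name for p in directory.iterdir() if p.is_file()}
    hits = []
    for lname, original in sorted(files.items()):
        if not lname.endswith(".exe"):
            continue
        stem = lname[:-4]
        if all(stem + suffix in files for suffix in COMPANION_SUFFIXES):
            hits.append(original[:-4])
    return hits


def scan_directory(directory: Path):
    """Hash every file against IOC_SHA256, then add companion-set findings.

    Hashing all of SysWOW64 takes a while; point it at a narrower directory
    (or a mounted image) when triaging many hosts.
    """
    findings = []
    for p in sorted(directory.iterdir()):
        if p.is_file():
            origin = lookup_ioc(sha256_of(p))
            if origin:
                findings.append(("hash-match", str(p), origin))
    for stem in find_companion_sets(directory):
        findings.append(("companion-set", str(directory / f"{stem}.exe"), "exe+.001+.006 layout"))
    return findings


def run_key_entries():
    """Windows only: (hive, value name, data) for HKCU and HKLM ...\\CurrentVersion\\Run."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    out = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                out.append((hive_name, name, str(data)))
                i += 1
    return out


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\SysWOW64")
    for kind, path, detail in scan_directory(target):
        print(f"{kind:14} {path}  <- {detail}")
    for hive, name, data in run_key_entries():
        print(f"Run key {hive}: {name} = {data}")
```

One caveat when reading the process tree against the Downloads list: the child's command line says `C:\Windows\system32\FKG.exe` while the dropped file lands in `C:\Windows\SysWOW64\FKG.exe`. The sample is 32-bit (the run is tagged `arch:x86`), so WOW64 file system redirection rewrites its `system32` writes to `SysWOW64`. Hunt in `SysWOW64`, and run this script from a 64-bit interpreter so the same redirection does not silently move your scan.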