Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-12-2024 08:43

General

  • Target

    e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe

  • Size

    435KB

  • MD5

    e0ab2dcbb97c13383fcb3be56a6dbaf9

  • SHA1

    7872b2bc5f02cbf1be4f342c852ec9bf007c2144

  • SHA256

    ed3357b129c0585e56327515a38f9fdac091e9a0a8c0f2595889d79f3f970f0c

  • SHA512

    1a298f814f3465eb6d4938926007166aec674ceacec5ec87602491df72dd58c5ac0bf27ba1d7686eb88fe3369ac2a2e43c600626682b1e27032c1eaaca3ac3b2

  • SSDEEP

    6144:RLHEh7M7qGzXrhSaPp1lHKR381Z9aMhaaV6ksT62UkRGqP6eTyIorWgLi1O2:RDSythS01UZ81Z8M8NTfRxPl9lol2

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0ab2dcbb97c13383fcb3be56a6dbaf9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\SysWOW64\NKM.exe
      "C:\Windows\system32\NKM.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1536
    • C:\Users\Admin\AppData\Local\Temp\Project1.exe
      "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Project1.exe

    Filesize

    500KB

    MD5

    68c7de33ebf4abe5780891a9fe8b0dcd

    SHA1

    25b76ba4cde119d094348dde6343bd0ae929cf72

    SHA256

    1ed1280890b51956b2678ffef615ac3ad11cd8ee4bf1000f8a687ad5544bd027

    SHA512

    5e15435f1e35eaea67da9092bc3f3fcea78a6b5e912ce147346269d28f5aa33ee8e9cca5f468287e9d789af2cf397cae6213647ce58d9f1ef1585d41466e11d1

  • C:\Windows\SysWOW64\NKM.001

    Filesize

    1KB

    MD5

    702407da5bb8c06cf92c15a10828b2d6

    SHA1

    d41e37547b1832eaf8a7564ae605705b66360c16

    SHA256

    bcf5c002fb729759480bb89ce4232c4035140343c4ebd814f612dd927452c290

    SHA512

    20837b9785871ca6a98d2b93e58c4065205c337ad8791b6e1d642524f849212cf38c38c766b3cc49ce0cd6a0c7a714cd6843da622e64fab2e1d56800d73130ef

  • \Users\Admin\AppData\Local\Temp\@D2F8.tmp

    Filesize

    4KB

    MD5

    055d9be92c48b8dbd29370193b620776

    SHA1

    6366eb064050f9415837bfd853ee4a363a3a1baa

    SHA256

    25926f6f362c71844d2163d23f0b9955adb8a7e036bd834391f2eb7dbbfd6bb1

    SHA512

    af46d3da7d63872e768847829df6e9179c7d47c26be17ac4ea48f2e18618c03cad2ae2ff3af805ba6cc8e321bfa305cc2f0e2981d74f9b07e0beb0bffe8c170b

  • \Windows\SysWOW64\NKM.006

    Filesize

    4KB

    MD5

    cf2b6b38e667e7245a19fbd79016de0d

    SHA1

    ae11c687270a39199089f7fc5023271df5d9e4d7

    SHA256

    d97e4fc5143e090951fe1fae771e1edcf7bb01c589c8abd36d58a7d053f983a1

    SHA512

    417316a9f353250939dfd752c8734c1d67cea0f0825802c84ed9f368c370e17634f75ac3d3c7201ddac956e07c055c8df1da70e27365694d57ed64b14e166518

  • \Windows\SysWOW64\NKM.007

    Filesize

    6KB

    MD5

    a6a4100ecd5848e2c59b4564f544b065

    SHA1

    c966bf4b091cef9ce1ba7fbbfc71cd22b70f75d5

    SHA256

    6e69f705d707b8e2c1f4fb927468420660c91a1292b411b2555b738f0c9fac0b

    SHA512

    0d9f968665a68dfbff5331044f53e3c7a5fa50e1c3876fcce2c5c5538b66a093ce020507f866ee609b369d6ce7b6d30c43e5050a4c1b099f858c8ae252e2fb81

  • \Windows\SysWOW64\NKM.exe

    Filesize

    239KB

    MD5

    4f5c5fe12e61562705abc9ed53039f32

    SHA1

    fcd283219c4a765226bde9f38041dd1eaf866b0d

    SHA256

    ed679c963691e4c4eda0e94bc860ad78ca30f274219cf0c5adc468153985055d

    SHA512

    f53e6e7506e6a3ae226f0d085727a7df95b1ff050c96698233ae997ee59752b21a5973c0b13e47106ee945379b84d407ed8ac15065cfe582eb30a2a3f158b740

  • memory/1536-32-0x0000000076601000-0x0000000076602000-memory.dmp

    Filesize

    4KB

  • memory/1536-33-0x0000000076600000-0x000000007662A000-memory.dmp

    Filesize

    168KB

  • memory/2828-35-0x0000000076600000-0x000000007662A000-memory.dmp

    Filesize

    168KB

  • memory/2828-36-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB