Overview

overview

10

Static

static

3

f79e4dcc14...18.exe

windows7-x64

10

f79e4dcc14...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 05:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f79e4dcc14eb4a917e62b208f4a9abdc_JaffaCakes118.exe

  • Size

    195KB

  • MD5

    f79e4dcc14eb4a917e62b208f4a9abdc

  • SHA1

    0626cb3f5449e2c61656ef021a2c35915e990d5c

  • SHA256

    086f4688e82bf0a6dff1bb3495aff79b25153c33dadba8ea20bc17072ef20d40

  • SHA512

    99e9fd25cec80a83745977a1874c81dbdb190ad65001342953357ea8bdc4b30a2d5a439884c793628b36716781fc14254d5367f6950d234afd00aec576ea71f5

  • SSDEEP

    6144:cmpyGqIXypENwC9qKy+8Fs81In9gTK6NrZMVVd3ToOHCx:c6Cp4wC8KyLn1Iy6pT3HCx

Score
10/10
ardamaxdiscoverykeyloggerstealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f79e4dcc14eb4a917e62b208f4a9abdc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f79e4dcc14eb4a917e62b208f4a9abdc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\SysWOW64\Retro-Builder.exe
      "C:\Windows\system32\Retro-Builder.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@83C6.tmp
    Filesize

    4KB

    MD5

    683f1f1e72a9fd91018e379b0f45c646

    SHA1

    e715798afee630bca17bd35e382626399e608788

    SHA256

    0770043fa8f879787c32f97e915295320738b28dc5c7a07a033df6d9ac5b4e50

    SHA512

    490a8fcc256fb97bdaf0ef7a243998338b3796db448874ed85613a087e16a9e1b0105af3deb57e18db253e550e5c8a0fd02dba1e52f4959937ffb6c587e3b8f5

    Download Submit

  • C:\Windows\SysWOW64\Retro-Builder.001
    Filesize

    2KB

    MD5

    1e2945e1d4800c284939e90506d34372

    SHA1

    b6a93d662b1d2c608c8ebedaa4770c7b43deec73

    SHA256

    d5f9c3a71803320eea831b834e95d6fe328be321f6a4eb4f011ba3968640aca9

    SHA512

    8f63a194e9cae64bcfbf9ae71587b820375291d776b5e0a0dd2fcf050c910853694ed04b9f7bf278c90acbe09cd19a9adf34456919df56e29381849e3dd2c7a2

    Download Submit

  • C:\Windows\SysWOW64\Retro-Builder.006
    Filesize

    5KB

    MD5

    b8e130b146557e640cb3e198f3d9110e

    SHA1

    c1cbebfce4e3af8ced7d1019586e91c371432d78

    SHA256

    3dbca63a39382e4c25d0b02e668ba72c5c81071bb62937ec939325f1f89926a1

    SHA512

    bc858367e64188c3a365fff4c7986e86d6d666651b2421e3b96fe06836aede073f2228349f66f1836e6ef98bb8e5120354c54a0fb13059e5b875bbf34ed7868f

    Download Submit

  • C:\Windows\SysWOW64\Retro-Builder.007
    Filesize

    4KB

    MD5

    097c525e86f64364479227f1603a0221

    SHA1

    c84897900f59cbff5f607368ceba93bfc5273998

    SHA256

    1b62745c0181f36b7c0227225da12c0d357fd6f14ff8a0ea8484fd4a9c6bf766

    SHA512

    b52b9d51c3bb50fab292c8bf13d2d87694391481742830c266f4512b2e33a16b852cdbf3faea7f5945b60415a12d1d6a0e9319500cb769b12e0a03357f66ef12

    Download Submit

  • C:\Windows\SysWOW64\Retro-Builder.exe
    Filesize

    295KB

    MD5

    2b8def730c5bab9d9b58e117af9fb84a

    SHA1

    090c2c4f0309895bad639ba1c0af21d1eb70d987

    SHA256

    759f339edba9126cd77ee621e6852f281b9a3190bc4aa17711164bac5ece41a7

    SHA512

    809aa7300e4bef33489f4166fd5b8245a9b9523c9fd908a37b51a0384966f8f036ac09fbca3730bb04b98ff976c17380ddc4c2ed75dbda51350f049b3d0bf48a

    Download Submit

  • memory/3808-19-0x0000000000720000-0x0000000000721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3808-25-0x0000000000720000-0x0000000000721000-memory.dmp

    Filesize

    4KB

    Download