Overview

overview

10

Static

static

3

JaffaCakes...81.exe

windows7-x64

10

JaffaCakes...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_e114df75eb17b64345387c73e6116681.exe

  • Size

    1.2MB

  • MD5

    e114df75eb17b64345387c73e6116681

  • SHA1

    6aa249e0079b8e51d2571b60dc40d3e87dde0b14

  • SHA256

    195dc3e43e31cb38253d788b47fe5e4551f07fe90fda81c6aa9ad0b0a80fe7d6

  • SHA512

    972e4a053f4745f0587a734809f9ff72ee2e742fe616e013b9da1197357d1317274afc201af8bfddd9d363ca6003f5964c62a8a05ca87c1e8ffa5d92784d6e7b

  • SSDEEP

    24576:vITTD4J+e+yzzShDWxQCjTtw0b8HIAh5lyqLBkmXXUVXo8Qi15tzFo:v6TDO+hUzyDWxQCjdYo2BOGXi

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e114df75eb17b64345387c73e6116681.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e114df75eb17b64345387c73e6116681.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\UYNGQO\HUF.exe
      "C:\Windows\system32\UYNGQO\HUF.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2608
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\UYNGQO\AKV.exe
    Filesize

    490KB

    MD5

    64a6cc55dc76d26448c30a8a1885f7cb

    SHA1

    149e467026647e080b4c69ab4f99b2d3c2b4dbe4

    SHA256

    5cbc0ec73c901be4ac182e13f6869f6f8cf0831b9603e542a3919f6a06087640

    SHA512

    de8cd7bea8113871ce8a36966fbaefd02b8ef7b09a8cbb631b4ac353bdf65b27d5630146ed700fd6edbc4276f4368ebad76b772d9b84349ddc2bd6f7127c377d

    Download Submit

  • C:\Windows\SysWOW64\UYNGQO\HUF.001
    Filesize

    61KB

    MD5

    bf311791d2f9ea9c82a8d4764a98c0d8

    SHA1

    405ba2bd110590abd0bf340d12e054405afb011f

    SHA256

    d720cf3d297743da7ab1da528f4c086a29d59ef553e1a96569b49a59831d583b

    SHA512

    8be092f068807767b0065de10f9da386b90d8e587356881ba3391380b953b199e818b527e74b305d7c714fc94cb6f8e66c76d89d1785fa9910aa4cb39c5cada8

    Download Submit

  • C:\Windows\SysWOW64\UYNGQO\HUF.002
    Filesize

    44KB

    MD5

    ce365878123962c3438e349621c10198

    SHA1

    5b861d9fc2923c61ef390a0b729a21078aa5fd59

    SHA256

    ba254f6675490a045d4c85a5f46681c175c1321692c20fc808c7c244173dd63f

    SHA512

    efc6f143d5e9244a6635562d7e9a9cea22ab7e7b304e933642a51d66da896e9038208b86c12f6da623a01b9175e73eeb40ab600e6625db3595144bfca1231a76

    Download Submit

  • C:\Windows\SysWOW64\UYNGQO\HUF.004
    Filesize

    1KB

    MD5

    87f577e263f5bd0add98bec1fd3e8cf6

    SHA1

    7952b160bed915462d17530652462703dd9bb8ab

    SHA256

    fd7102a122c5d5f9333810351a1e65b560bbd0f294907f8ba39ecaf187947aa8

    SHA512

    e12349b6ff345047ff90b600beb8acd10c4658a99632ab88b5a4a8ba7fe4c8ec9c5ec218a5d1ae0b00f674f8fc4a3bce367f014e39393a5b8cfba2b0bd2bb0d6

    Download Submit

  • C:\Windows\SysWOW64\UYNGQO\HUF.008
    Filesize

    327B

    MD5

    5d3acfa2d16297048bff04cb6b244e60

    SHA1

    2510d3f971ca64cd890b61cb34176886fbc10388

    SHA256

    24b11be86eea676920aa6d4fc798d1ea25dd959b7c6e7d40f983b77984a13788

    SHA512

    6948541b96f375783065c95a65166bf582623023b8876b2478cb6144f46b7eee1f6b9bd13e51fab401647b0b0c83115e7791b0c24e02473c42cc1ccf7a60e821

    Download Submit

  • C:\Windows\SysWOW64\UYNGQO\HUF.exe
    Filesize

    1.7MB

    MD5

    8f7590bbba70748e69612e9e2d5a9f2e

    SHA1

    f3ad9834bc38f33fe501b9076c65ac29d0410578

    SHA256

    2dec3a8fb4a5b198335e7f4a9b611194b0a081abf0c56f9df3f4e2697e69d9e4

    SHA512

    347e9ac793afd627e064ecdfea61c3e2b626ace0ea41928aad93a72567048b8e9bdf773f8a4a59a0d96ce8c08612c542c15982e8051828bef025fea6132838c6

    Download Submit

  • memory/2608-18-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-29-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download