Overview

overview

10

Static

static

3

JaffaCakes...50.exe

windows7-x64

10

JaffaCakes...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 02:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe

  • Size

    493KB

  • MD5

    12f65bf4176aaaebb138c32e9e9d6250

  • SHA1

    990768258a393a5a0dd4fe33062b7a66cea35d22

  • SHA256

    fa80356b76dad5e1ecff2b63c4e3b62da4fb8878d779db1eee4c9cff30df8ae9

  • SHA512

    fabe4a6b15e48250166c820cefb1451ec1e2ac602e2635a8fea39b6f450858f36ec66d1983f35f7f792cbdb34f1f746784f90c2081192c20bd1d000c2c9c4de2

  • SSDEEP

    6144:L92OjqlxnzU3uraQGtzVwSNxFTkmWv+oO3OZy8ggPjXl3j0+xvdx8NDTgTAZbdQg:L981zUeraQW1jhWcXojVj0+JgND71b

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\SysWOW64\28463\LKJU.exe
      "C:\Windows\system32\28463\LKJU.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:544
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\123123.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    2c48c73220d62a8faffe599e95896274

    SHA1

    452cd4222360fe7e881055d815ec65a2bbac564b

    SHA256

    35a3978f9dea3056b0c4a0a1945d785bb7a0022484782f414fa9ffa04f3d5967

    SHA512

    6547f2798297acc7ac11506328ef05f29074655f3e5a60adb188106c769806a2b1a8a15c7bd38c39da560df7df953798561398245667095536fc5748692cc9d8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    2bb7ce59f111299f1d12429614a96de6

    SHA1

    5ad906c8a7db56a6f4af0cae78c6d05ce3d5a980

    SHA256

    f5f6268aa35fda161d19fc8d59b1352afd84e4b9ca457f8120fbd8366cb3e3ac

    SHA512

    8dcb515be29fc1a2261328ffca14c229b5a6ca8d7a65771b5d14b4fb8f8742987cf1374747d0063e2f0fa8cf3562bd521eab619a54b18fad4bfaec76246f1e27

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\123123.gif
    Filesize

    5KB

    MD5

    f341639d411f1a51d552c0036034a504

    SHA1

    cb211ca0313f50a12f24095d845c103b1b4b960e

    SHA256

    4fb4c3519ca37265062e74df92cef849f73d8c9a2fe8d0dab3b16e48cb1c2fd7

    SHA512

    bbef380ae304ba9cf33642bd20b306e4027eb2175a5e363e2d18918dd857257e657f40ee8dd02c2e14721b2479cbe75a6ed822a9cadd97dbc959c1d80e84d662

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\@9933.tmp
    Filesize

    4KB

    MD5

    908f7f4b0cf93759447afca95cd84aa6

    SHA1

    d1903a49b211bcb4a460904019ee7441420aa961

    SHA256

    3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

    SHA512

    958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

    Download Submit

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    393KB

    MD5

    b0b09699ea39c0107af1c0833f07c054

    SHA1

    b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

    SHA256

    be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

    SHA512

    55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

    Download Submit

  • C:\Windows\SysWOW64\28463\LKJU.001
    Filesize

    376B

    MD5

    736f7118cb8d1fc54be7c74ba9454197

    SHA1

    997321229c43e7742006e6417bac27c4ee8986e5

    SHA256

    be95c78fa4fac0e4ef88f54a6e9d231b3861d7ebe1c8992317ead1695f25a129

    SHA512

    19216dd2367bb4073012544ab403d6e6f93dc13cf34ca73a6836f5c8647b50c0e43c31275eeb4487c4146b6df0943c1b265e0b1befacc7dd1ffec44236148a17

    Download Submit

  • C:\Windows\SysWOW64\28463\LKJU.006
    Filesize

    7KB

    MD5

    e0fcfa7cad88d1a8a462cee6b06cf668

    SHA1

    a7e49078517abc929a6da261df06556c8f5a8cf0

    SHA256

    340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

    SHA512

    430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

    Download Submit

  • C:\Windows\SysWOW64\28463\LKJU.007
    Filesize

    5KB

    MD5

    ca72cd485d116033f1b776903ce7ee0a

    SHA1

    85b0b73a75b0498f56200dd1a5cf0de5371e42a3

    SHA256

    e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

    SHA512

    8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

    Download Submit

  • C:\Windows\SysWOW64\28463\LKJU.exe
    Filesize

    472KB

    MD5

    d7bd4739313a8e2fc9e080b7d0ba13b2

    SHA1

    808fcbe663bc02780b1d9962873a1e3066d55f05

    SHA256

    c9b47519386b1b7cd6dfecd42e586883d301b7a99c0c3d67a4beabc3ae3dcd6b

    SHA512

    d70e04444a2cc0f5b1fc5c81873b2c93582afa013f9aafe0e7c0eaaac36582b736b6ad8ef23a3d3aa4e3541fd478cbdcb8596dd4d233ada85f861c858c94b398

    Download Submit

  • memory/544-23-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/544-38-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

    Download