Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2025 02:53

General

  • Target

    JaffaCakes118_131b3d06b3d908fd213f3342f26fef35.exe

  • Size

    543KB

  • MD5

    131b3d06b3d908fd213f3342f26fef35

  • SHA1

    cfae94aafbe13a007b8d096796584f9e258edbca

  • SHA256

    7dea928296025d7fc390623eea366a420f1518fc3dac903fbc2c1de5542b2d3f

  • SHA512

    ee00448faedb5a69d62094ce8ea24f63b7e9ea72317dcf2ff0f36123427799a82f870fbebf9765555b101dc8b95b2717daeb32ca4b6a934a203d905741bfadd9

  • SSDEEP

    12288:OI6Kb77/0JoLqrtu+8sc+GYK07XL0GeqxRWdz68lKW/Elb:Oc3swKtl8z+GYpb0uxMdVlKWCb

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_131b3d06b3d908fd213f3342f26fef35.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_131b3d06b3d908fd213f3342f26fef35.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\SysWOW64\Sys\DTYM.exe
        "C:\Windows\system32\Sys\DTYM.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4208
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys\DTYM.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1832
      • C:\Users\Admin\AppData\Local\Temp\pbweb.exe
        "C:\Users\Admin\AppData\Local\Temp\pbweb.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@B6EC.tmp

    Filesize

    4KB

    MD5

    7d0fa2c93ab4e5ec218a2b3372eced35

    SHA1

    c8c319b328aea486ecb7c89af66c07ed240a1464

    SHA256

    32be4a8ec658f1bb27fd2aef1ecfe0523ffd8b430c8acd41821c2a3c71959a40

    SHA512

    929a30b6f5bb3dac62d6e30dd1d70844654dc23e92a6d36d32a84c1f866aead1d57f4ec8f12b468131f7b3efefce3bd6c74652149d7a65b3c534f96f221ea5b9

  • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

    Filesize

    523KB

    MD5

    fe821bc793379443dcf9f9479fed7f3c

    SHA1

    8a498dc911d7d9770a796965a4365f6bf2905193

    SHA256

    f2f65c572815293cbefddfbdf912e2997b369918e8edb7847907dd6edc9cbe75

    SHA512

    3a1e1425a5cd040b2364a22f7949eea4cf55d84056034bc2cde379e0cde7f478c23d614dc139ae6330d597637f12574fa6df671a60b4fd4c69df699ff9abee9e

  • C:\Users\Admin\AppData\Local\Temp\pbweb.exe

    Filesize

    112KB

    MD5

    be12fc2e193d022d855f5ca0e3d63454

    SHA1

    4fab6cc1d6c1e6fce61a2a493abbeb0c2664d7de

    SHA256

    5cf267164db126e32185388c29e50386c6b88b1bb0ea53c06c4c5a786fa75770

    SHA512

    3141ce32d95b161f82cba53a0396a22b8a0b6eb34b4a8b993ebcd800d652db8e633bd46dd3bc01afc7fba01deff22b683ad2bcb190083f00371cb1e852c9de23

  • C:\Windows\SysWOW64\Sys\AKV.exe

    Filesize

    387KB

    MD5

    f8452c5ccc72af74cdfa34b1fd160e00

    SHA1

    3cbb1e5294406d23914be29a29a65df5208462c6

    SHA256

    14d63d007e8a1b4f640dd9ce33088ff6ac2c02802563d924c98f160ff057d60f

    SHA512

    85a25ab3abe010867bd8973d4ac69595302249c12aa740274ad38e2eb16260a4c926043efa3b1ff9d5a888554421b1ed84ba78b3a04adf3779e64feb7554ab2f

  • C:\Windows\SysWOW64\Sys\DTYM.001

    Filesize

    4KB

    MD5

    aa372de84df6940bf44cb08d661c6099

    SHA1

    5815ec4610c1ac0d34ab2b6d23f5a75c5754829b

    SHA256

    eacd8a641d27eaabfdeaf88201f4cfa229912aff04932327197ee18499554a22

    SHA512

    b8a343d8e22093259bd6025a0c2b10f3846e06907c5c9293d245391f8a6b473307de064de1364cbb38ca270dd646de9102ff5aec8bb838ff133988531de31d89

  • C:\Windows\SysWOW64\Sys\DTYM.006

    Filesize

    5KB

    MD5

    8b20ee4ef305728ccab05c071db218d2

    SHA1

    754cdfa5d595d040b9ec54d68803a109c2c979b2

    SHA256

    b9028fdd1f0b5c349d20088ba694a0e1d0a4b100c058da42d2d816d942b42888

    SHA512

    233b915673fe76db860c57ec1554bc7174d5040c205b6d03d92b55415278596ad61fb6916f9aa43a21689b93b0a2db0078557ec52529ad1149264142a9989146

  • C:\Windows\SysWOW64\Sys\DTYM.007

    Filesize

    4KB

    MD5

    86a5c08403b37ae1117206bfac5c184b

    SHA1

    3c526d0bd92782d682cc1a14760ab87cf6da9351

    SHA256

    f06751c5072868ab3f8cbc7ad24594aa34ef6e85c5e10b902b0d51017fc15f40

    SHA512

    bd92e24f4ec2e115ded79c454d4f6f9850cca047425aad8db580e7aee5b642ac23e0e398608266c1abe80c29a0a729401b0e8bcff178e6a17d2ea911c6e46242

  • C:\Windows\SysWOW64\Sys\DTYM.exe

    Filesize

    468KB

    MD5

    ad696e3a354fd2816f0930732f7f0153

    SHA1

    cbb43eb9c8df87be92fafca6e461a205f8bfc4c3

    SHA256

    1fd2932edbd59bd33e321fbbce797f785bcada08dcd4f5a12c6dec2c746abf62

    SHA512

    c0f87046ad7cd508ae9b68a335ed6f55497375f36147618ce0ace2f17cc24d162804f23caafde8673e442a8c928217207cddec57eaac318809341f2fbba6b82b

  • memory/4208-40-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

  • memory/4208-51-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB