Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2025 02:35

General

  • Target

    JaffaCakes118_1d2adaabf198d26f9cb17e7afc873387.exe

  • Size

    2.3MB

  • MD5

    1d2adaabf198d26f9cb17e7afc873387

  • SHA1

    6d6501fa2475ccfaa049dea6b996dc757fdfc7b9

  • SHA256

    a51e91ac7de75fb3a814387fb5f45948fa6afd2468db975fcda24889eb99c8a0

  • SHA512

    0e9206e8c5e2adbdd9ee27f246cc951e96f4d3004501abbdcf6fa8ad88f7c2c055b73c4ffb5718b76f111d4bc9c1b5a5f35f7c45333eb87beaa1f793b495d4b9

  • SSDEEP

    49152:Ux6h57Kp1amL0VUCrTASC0xsPDkCpFW7EDlCDcRE0hZPBEvPS:3p6LtwTASCfPDkEdDWeBB9

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 21 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 15 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d2adaabf198d26f9cb17e7afc873387.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d2adaabf198d26f9cb17e7afc873387.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Temp\PEncrypt4.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\PEncrypt4.exe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1476
    • C:\Users\Admin\AppData\Local\Temp\hidden12.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\hidden12.exe.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Windows\hide.exe
        "C:\Windows\hide.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4372
      • C:\Windows\hidde2.exe
        "C:\Windows\hidde2.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\SysWOW64\fservice.exe
          C:\Windows\system32\fservice.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Windows\services.exe
            C:\Windows\services.exe -XP
            5⤵
            • Modifies WinLogon for persistence
            • Adds policy Run key to start application
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Windows\SysWOW64\NET.exe
              NET STOP navapsvc
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:544
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 STOP navapsvc
                7⤵
                • System Location Discovery: System Language Discovery
                PID:5096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\hidde2.exe.bat
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3696
      • C:\Windows\hide1.exe
        "C:\Windows\hide1.exe"
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • System Location Discovery: System Language Discovery
        PID:4320
      • C:\Windows\hidde1.exe
        "C:\Windows\hidde1.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\SysWOW64\28463\GBKH.exe
          "C:\Windows\system32\28463\GBKH.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@A2A8.tmp

    Filesize

    4KB

    MD5

    21bf01b083059e8d8e2e818816f48544

    SHA1

    660c20ce2e003509c55020a3b22de5e54a91bc3b

    SHA256

    f7ba1970c496eaf2c01ce65846c42be2d6d88fcfbcb7a861cf68b80a492b2abd

    SHA512

    91b945e5d957838a9c1f8e958fee19cdf939696af42e4bc742acb735daaaddb5fc984925cc7d5911d9693b6cc5469ebe758e58cfefdfa2c95c83441e08c49d10

  • C:\Users\Admin\AppData\Local\Temp\PEncrypt4.exe.exe

    Filesize

    23KB

    MD5

    55c85bf992ce16f209a2e1893c2b2ee2

    SHA1

    bf9c0101fcd21d6f16c1dd46f9e1b66568097bb2

    SHA256

    f994de7b640f532a85c816b6414cd34d9460a01d1d134d01c7d9b331387edc8c

    SHA512

    8f3080d2dee92ae1190d6b8024ad7a9f9b18a908b14a44bd13572f902639bda4d2dc0338e46aceabb12b354f6967be81b749483344f6c64f7eaeb2f44d4ae7d6

  • C:\Users\Admin\AppData\Local\Temp\hidden12.exe.exe

    Filesize

    2.3MB

    MD5

    0a87e3f2a079e2502cec895fb79e3909

    SHA1

    4a9de8a3f380c51f4f2bfdca0ba51d98efdbd08b

    SHA256

    7f30df285b5b1d563e1cb9f4ed0d7448ea1761d8a1ee707498da4910876445bd

    SHA512

    333c9149809eb7b2e612cd51bca4b1725d4f3fbabe369a6600cb5360386937a9fc993cecad59a7e32b27ac099e898b28dfde5e363037cca85010336aabf95413

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    408KB

    MD5

    ad08929a229e743024d048bec43ffc8a

    SHA1

    84389d603539496c25e65d63a2e02ac6d1ef13e4

    SHA256

    e484efa1c7260628341bdce11b54c0efc0faa1d8a55e1f91af5e3b28157f018c

    SHA512

    fd4441396bf5d29dc64ef36f85a7884e9314100bff7e62282b8348c124e0e1eb0c500592d71b9d82d5922dc003fb7d0c4f82200bb39a3d2dfd54d2995f45db02

  • C:\Windows\SysWOW64\28463\GBKH.001

    Filesize

    542B

    MD5

    5c1c8e2d8b9de49d4ec93e0ba64405f6

    SHA1

    37a5b0a115f7ddabeffe155b3decd9b121fc1a86

    SHA256

    be0438fb837349cdb2e2db23e59aab669563492ef900a103b5d0921b2886f802

    SHA512

    e8a4089b38d0c8ea2ac32e3e0882d00d0da3b8784b36eeac5076a4fa333d0234dbdad8240455d987d56770b39220359fd405d4e49d58eb4b823cd43d66edf6fe

  • C:\Windows\SysWOW64\28463\GBKH.006

    Filesize

    8KB

    MD5

    05ebf0a4d6b0090a24263545e8ad88e9

    SHA1

    6869c5e9e952e635d4d22a26bce2d2e0eb18d6de

    SHA256

    8055524084fc20350f8080ac081b43ae2341ca8ca2cff1d8ca3aec1b703b9194

    SHA512

    97d50716d9342c2518a7bb087512cc25f1929708efde5952f7960c5ea45b9b97037a87b2018c1fca018a06ac10a935c4c060ffc0aa39361793ad6db44a308a53

  • C:\Windows\SysWOW64\28463\GBKH.007

    Filesize

    5KB

    MD5

    cb3c0cb619462966b5dd1526451d9908

    SHA1

    eda5506554981c9743aeee2d7e45345c8ac883b0

    SHA256

    36caed1a17c7cd4686abb41081b37dd485ece7aeeeee082b6a77f6ba3c82a79e

    SHA512

    2425e3696ac5660dbd35d5be934b0d88dd9dfd671e9e74cb157741f790954031a40b157206c3b8bca4bb7c7f1692669b6cfd6d1165458eff08a63b739b676372

  • C:\Windows\SysWOW64\28463\GBKH.exe

    Filesize

    513KB

    MD5

    530e09cf8bfe1005eb542001320e6928

    SHA1

    75b2ceffb570b100a7650f8e264796fa2227c0d7

    SHA256

    a7f8bf4748071dfc2667d4a329b4d6344c4d2994395b49cc59f88cfdd3e9e7af

    SHA512

    8dd5a756ce5aa9a36698a1631ae11ffbe51ff9d5f93a0916c9ba38c2d959a35a6435938693fc07ff25fe8909cd5ab3d82e410b312223d7c56a09f2fc2a12bbde

  • C:\Windows\SysWOW64\reginv.dll

    Filesize

    36KB

    MD5

    d4a3f90e159ffbcbc4f9740de4b7f171

    SHA1

    0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

    SHA256

    2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

    SHA512

    5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

  • C:\Windows\SysWOW64\winkey.dll

    Filesize

    24KB

    MD5

    43e7d9b875c921ba6be38d45540fb9dd

    SHA1

    f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

    SHA256

    f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

    SHA512

    2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

  • C:\Windows\hidde1.exe

    Filesize

    526KB

    MD5

    f4f0f8788778ce33a110b63c3cc3aed5

    SHA1

    e68ed484c9ba6ca3d9e63c02f883f28a9e4c7084

    SHA256

    da9045309568c7c3f7145b6e56d2b54da57acebd260da2cdcb223529e14ee1e5

    SHA512

    84ff49719c627e2902b994b62344232f1ac30219d6cf42d4574d3022f0ec7ceeda366ad4333dfcfb0391c20e8e6c62bbef73946c296acf03ccd7377cc5d30567

  • C:\Windows\hidde2.exe

    Filesize

    341KB

    MD5

    ee598948065b55dca1fc1450e831b719

    SHA1

    7aff17a44140e941dd87221f99d36b128bb6249f

    SHA256

    e06de14bef1baee65fa10753e587365b188704270ad5700d411f7296c814d6c3

    SHA512

    d3a56049c63e6f76bbf4da2cff0fca64f313a9f8946683c56f261ee5e04b085df58290b86b130afe5079fc59e526fd66cd9f0d200d99abfd0a8b1fed132c5767

  • C:\Windows\hidde2.exe.bat

    Filesize

    83B

    MD5

    c8d6736898dc4a62d4aebe810f82e27a

    SHA1

    6274f6d891235f559011473efc352eba493eb3c3

    SHA256

    1558746e97298b6b9a5904aa52d09120b9161414c7ee13da5c4d4a96bf6e5e3c

    SHA512

    6c0c7b09124394e6efa03faf1df2e4099261be088909e018ab32149463bef7fb724abf30f88264ab7c5643183a6ba6fdd85ac0544c99dcc366092997b8ff4871

  • C:\Windows\hide.exe

    Filesize

    182KB

    MD5

    663604b29d5bd47d8fd7e34843438bcf

    SHA1

    6900b29ddb35d207e1948880f21f6ef488f52ef5

    SHA256

    15c968cb99c6b9446616b73580233ea588e9177a86c7447ccbe5c2f49a9e457d

    SHA512

    b7efbde4e9ca4e54f482d502687cd6ed09c9b942091a5fdc657bde8f1b9add3eb9b421c38be3ebe1382be4f73869d9b6a255a27649fe2c76d97084c6d52c6527

  • C:\Windows\hide1.exe

    Filesize

    1.3MB

    MD5

    09ec4a58b417703177292d891502f535

    SHA1

    31353621a588c7750e0d4dce5c15b3bcdbd5b82e

    SHA256

    136e9d5edb9ba603714f6e9dc02cb8c49c03e813d5c5f9481bd3d1a4be9c9cd6

    SHA512

    bb9ecbd84023fd729cb595a162365b52f4ca2d441644e6a2ece208455f96ae1d6631d21dd0f9f1efb8bd444d6da75f4c490a87df2d53d5c5405e92a36315cbd8

  • memory/1476-100-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/1640-91-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/2320-142-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/2320-136-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/2320-75-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/2320-103-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/4320-50-0x0000000000400000-0x00000000006A2000-memory.dmp

    Filesize

    2.6MB

  • memory/4372-31-0x000000000046E000-0x000000000046F000-memory.dmp

    Filesize

    4KB

  • memory/4372-30-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4372-96-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4372-150-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4372-153-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4372-156-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4372-159-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4688-61-0x0000000000400000-0x0000000000659000-memory.dmp

    Filesize

    2.3MB

  • memory/4820-44-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/4820-95-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/5012-16-0x0000000000400000-0x000000000065BFBC-memory.dmp

    Filesize

    2.4MB