Overview

overview

10

Static

static

3

JaffaCakes...37.exe

windows7-x64

10

JaffaCakes...37.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 10:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe

  • Size

    389KB

  • MD5

    206d3feff992b73f942faf61a3feb937

  • SHA1

    2d094207dabd70dca35d1d26ee9482cf3aeda949

  • SHA256

    d84527c17d545b9b10fb4b8bcb7bcc179f6f2d046e928c2cd3ed3940de8ad4df

  • SHA512

    b1d95397bab9347c330404d58d0ca1f39311b75026da9a7ae07bcafa41ea5509c508a72071f4584c2a02ec34a7d872c86a02cf8ae83d91277b7908493de28fcc

  • SSDEEP

    12288:DP6JTxHHaVFoHmr9x70L41wC3OIOeWsr/iJJ3:2xnlHmrf0s1XGePkJ

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\SysWOW64\UIB.exe
      "C:\Windows\system32\UIB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:740
    • C:\Users\Admin\AppData\Local\Temp\pinnacle.exe
      "C:\Users\Admin\AppData\Local\Temp\pinnacle.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@270E.tmp
    Filesize

    4KB

    MD5

    e5fb7457989a4bce5e8b24219b516c6f

    SHA1

    580ba07dc5c71115cad40fcda27a03f6605464d2

    SHA256

    5c34a7520cace89cc3b6a1c800e36817462e92ee628c9c1dd2ee34cbd379859b

    SHA512

    3ddfda190aae244a6a84ae7468b5946db4464e30d48f3db0de67e9bf5c3dadbff05cfb539577083c51bf8efd2098a95bf430278f5430f66691bc785329a0eca2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pinnacle.exe
    Filesize

    204KB

    MD5

    1c51397708fcefb812b4f8eb59952800

    SHA1

    29cb838da1caae86d7c87296747701b73abfabc4

    SHA256

    92a22d4e3b7d847e5bc5ff94256013bc8f8c08f65220006a6046e90165115b0e

    SHA512

    e6371a89217b8b7d30b60e7f32fa022719860f37ec7f2862c9f5ae1583c195692ef6295edeb70117e40fb45822df8559a4d349dda44d91e824119a8ee671ede6

    Download Submit

  • C:\Windows\SysWOW64\UIB.001
    Filesize

    2KB

    MD5

    67ee78d82d910f2bbe235d1b32d36572

    SHA1

    cf7a3a465d1736c4013144bd50d6c31ebc5de397

    SHA256

    c818611e70f42fd56f1a7d83272731f37e4b2bf77de382707cce98f70fc422c4

    SHA512

    166d5f220d6926d13a2b129ef21e65da90b85eb85214d82cf6a75ac28b856dd38abe5bd9fe6db8a1be9384f0dbf6339ef59d6b0d1e829226727c2f75f110d6e2

    Download Submit

  • C:\Windows\SysWOW64\UIB.006
    Filesize

    5KB

    MD5

    db98486706de28b2f52ef5b74feacb47

    SHA1

    c3298decb5d15adb02016a7c14f39fcf179e33db

    SHA256

    d74d932e2e6833928a42c8ffa69132758b832f8d3eafef727e3690b441d972cb

    SHA512

    1d722b668d35b12637c8c427aca422dba828f17b9eb297fef63c3f7d03a4ba2d164fee825dee450208e1fbe2ce830b62060cc8be1b1dd7c41551efcdeb53f1b3

    Download Submit

  • C:\Windows\SysWOW64\UIB.exe
    Filesize

    286KB

    MD5

    47d45da7bc718cef809ecec470987248

    SHA1

    9137c8c0e84516bc08daf6b7e08192c7b9e17959

    SHA256

    d47237c917f006acc443546e338c68bad94c5cfa54eaabaffde0ad2dfbcdaa4e

    SHA512

    c8f39999ea258021318821a3336125fe1e41993572ec8264885437c689d080b2c606fbeecb72f0c6702e562f9598820d0105fee539cde51d8cf1b17119f4ffe9

    Download Submit

  • memory/740-31-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/740-38-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2784-30-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2784-36-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download