Overview

overview

10

Static

static

3

JaffaCakes...eb.exe

windows7-x64

10

JaffaCakes...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2025, 06:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_47c21973fda5301450767e76749e60eb.exe

  • Size

    1.0MB

  • MD5

    47c21973fda5301450767e76749e60eb

  • SHA1

    da8f804fe4d4408c267daffb0521b0086f2188f5

  • SHA256

    7de3391da2c70b2de085a81c48fb8a06fbbfba363ca85ab8d61b06ac3ed0be73

  • SHA512

    8ab74850c8ad5cc894e5ca38c88f31d771f31dfdf2f8a9e16b3547fbba76c8f4f280498dde9722de0eda21692331a60a180be2fbe2bddd17ce98bf33e4367363

  • SSDEEP

    24576:Oa6eoHNIRBQzoMHhHlwEohJPTkHzWpNMzE7EU6pfk8od:OeAOGPhFHohZTkTpzEBEknd

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47c21973fda5301450767e76749e60eb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47c21973fda5301450767e76749e60eb.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\AUTOBUFF V9.2A.EXE
      "C:\Windows\AUTOBUFF V9.2A.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2588
    • C:\Windows\AUTOBUFF.EXE
      "C:\Windows\AUTOBUFF.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\28463\LDYM.exe
        "C:\Windows\28463\LDYM.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2856
      • C:\Users\Admin\AppData\Local\Temp\AutoBuff v9.2a.exe
        "C:\Users\Admin\AppData\Local\Temp\AutoBuff v9.2a.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\28463\AKV.exe
    Filesize

    457KB

    MD5

    828586f5f9fd7e6bd99401fe7cece954

    SHA1

    8eb70f4af2cec3c3dd3ec1491913369e99b7b874

    SHA256

    02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

    SHA512

    16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

    Download Submit

  • C:\Windows\28463\LDYM.001
    Filesize

    424B

    MD5

    27d4226eafe18fe9bd5a11578f3f3687

    SHA1

    85b5a43d7a6e65f60b5ad2c06ca4b2b049c33153

    SHA256

    65d1feb134d1b750ebf8038d0390efd12e16ede36ff61b9977e00cb754b9e68e

    SHA512

    7a025258e0ee734a86f41068cd0898461a3d575accf162c66ca3233780c4227f23f572253740c76f041bad6f478dc619a7c18337c2d3e1a870b79094e886da8c

    Download Submit

  • C:\Windows\28463\LDYM.006
    Filesize

    8KB

    MD5

    69db8c925f2dd8136d956a086ed1ee41

    SHA1

    9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

    SHA256

    984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

    SHA512

    fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

    Download Submit

  • C:\Windows\28463\LDYM.007
    Filesize

    5KB

    MD5

    9e9da4c851850726c789bb4b94a41bb3

    SHA1

    1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

    SHA256

    94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

    SHA512

    4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

    Download Submit

  • C:\Windows\28463\LDYM.exe
    Filesize

    648KB

    MD5

    c5ca2c96edc99cf9edf0f861d784209a

    SHA1

    6cb654b3eb20c85224a4849c4cc30012cabbdbaa

    SHA256

    0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

    SHA512

    aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

    Download Submit

  • C:\Windows\28463\key.bin
    Filesize

    106B

    MD5

    639d75ab6799987dff4f0cf79fa70c76

    SHA1

    be2678476d07f78bb81e8813c9ee2bfff7cc7efb

    SHA256

    fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

    SHA512

    4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

    Download Submit

  • C:\Windows\AUTOBUFF V9.2A.EXE
    Filesize

    119KB

    MD5

    a68ea136f590340037304255d9616445

    SHA1

    d96bd96af5b02f433698a99e74b0f3d2bc6bd164

    SHA256

    e30a5c9fee0a32748f2da34f91c22260b65947273545a617ac50889c8b463916

    SHA512

    ac7e963b31f50c2b813cd8076bc37ec17badc42d10b3020adb8137e53bae2046c5be29bb6f7ba158fa6d627e67ad427dad814e199528e7fc4588c7eef8f5d78a

    Download Submit

  • C:\Windows\AUTOBUFF.EXE
    Filesize

    904KB

    MD5

    17db762990f259a8609581bb10718df9

    SHA1

    db6769899f633d32651efce0d2bc805414482f51

    SHA256

    c265fd005707a6e18e58fbea90f77e19b5ad266a08e50cb7eaff5d399c5c97b0

    SHA512

    726f120600d63136953c2e26a02ff800e7f2d8c3d2a7e7276b07dc33807a63a5d1c448ffae6eb13873dafcdb182aa5abcf1934a41b82a7eb8f8a9f54f0ffc335

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@9AE8.tmp
    Filesize

    4KB

    MD5

    ccf39f70a662f70e7cae4cfc81255c44

    SHA1

    00177d41252c2a5322be8e54567a845217072e2c

    SHA256

    4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

    SHA512

    2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

    Download Submit

  • memory/2344-6-0x0000000002C80000-0x0000000002CD7000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2344-20-0x0000000000400000-0x000000000050F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2588-74-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-71-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-80-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-107-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-65-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-104-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-101-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-68-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-98-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-83-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-95-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-32-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-92-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-77-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-89-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2588-86-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2600-38-0x00000000029F0000-0x0000000002ACF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/2816-82-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-73-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-85-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-109-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-88-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-79-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-91-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-76-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-94-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-55-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-97-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-70-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-100-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-67-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-103-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2816-106-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2856-66-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/2856-39-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/2856-78-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download