Overview

overview

10

Static

static

3

JaffaCakes...d1.exe

windows7-x64

10

JaffaCakes...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2025 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_525909a79d04cb08ca4c0308e4ae77d1.exe

  • Size

    1.9MB

  • MD5

    525909a79d04cb08ca4c0308e4ae77d1

  • SHA1

    a846e6fd865ebc7f47eec52edf655b210524646e

  • SHA256

    9561dcb562b57c291811ffefaa8b3c95f98ec4655758b35947fd5113aa647eda

  • SHA512

    2bde24dede2b47f456680733ed9613c0befea260f1d4d975309cea2d7d66cf05879a3633d54430b05c8297c4b707c4c1f6936348ca6996b52ecaa7877bf7abf7

  • SSDEEP

    49152:eockOuOoRGkoatI0Mb7rQ/DweNFc7kmb4Ph4dd:eock38SB0rQ7weNFc14Ph4dd

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_525909a79d04cb08ca4c0308e4ae77d1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_525909a79d04cb08ca4c0308e4ae77d1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oLLY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oLLY.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\28463\GALL.exe
        "C:\Windows\system32\28463\GALL.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4728
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OLLYDBG.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OLLYDBG.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@9933.tmp
    Filesize

    4KB

    MD5

    d73d89b1ea433724795b3d2b524f596c

    SHA1

    213514f48ece9f074266b122ee2d06e842871c8c

    SHA256

    8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

    SHA512

    8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OLLYDBG.EXE
    Filesize

    1.1MB

    MD5

    bd3abb4ac01da6edb30006cc55953be8

    SHA1

    b08e0b5f1a3633bd6d0a6a71b54c13477cd3c991

    SHA256

    1a651ddcc2c9997524c4eee89e73b0f97b43478286cf2249926d728cce390eb2

    SHA512

    aa997f4b9ae4476e5ec4b6f5d3c6a08ed63cd7eb35f5e44f2dea89c008535e3f54a2b0f532d54d6863319bf56d95a7512040232274f2b9acaf9504e74b41bb31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dbghelp.dll
    Filesize

    1020KB

    MD5

    820baff3cda72e782dd621bfad8968f7

    SHA1

    4c852bbd88ea6a6d869b8b7a5c46976e94910de7

    SHA256

    14aabd8d926f626cef37f210e6d965f1201af4f07e71edc2bb0d8e661816d99c

    SHA512

    2ce34c8c91c9310972e44efd3310c3f9a8acc9764c8783ae40b5461556bf7df40a5d74aa2e46b6ae51001b1a9f5527f5aef332ee2b66c512756b16f3252376d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oLLY.exe
    Filesize

    587KB

    MD5

    10cc9892e3246c3fba7a76c9e364f8a4

    SHA1

    8a672df77ecca991c76f257e4c0c15da20c934d4

    SHA256

    42f5f15a0906d2e90a8be3823954d664539c55eafdf368c80067fab49514b1da

    SHA512

    0b5f54c5783ef7ba6742a3be444e9b0a064e9c6ee8f055d680a1090bd04d324636d9d5ace9ea573db811050dfa177a2a10291d22f7f1991e917ae722c72dde5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ollydbg.ini
    Filesize

    10KB

    MD5

    7f1047cd6bbfb67be39b4317d647ebd2

    SHA1

    cf17eaecaf6d801f994f95d8e607fcf1b778198a

    SHA256

    5cd1e6d05a2f0a043315ef4caf22e16b95c2832de4be954bbe69ab3e878d1bbd

    SHA512

    253182b60b163d8589bd5d06545a9f967d0e0093a37e3d0a3cdc24bc50d87197a1721626f49a1f3a74c6af9e0e9e1b31e716dd9331275c1c3732f05f2cc7edf1

    Download Submit

  • C:\Windows\SysWOW64\28463\GALL.001
    Filesize

    384B

    MD5

    1082124ac8a1f913385c940b2a620eb5

    SHA1

    69be3fe3d7a1a878ba970d48c3ecb51cd1032043

    SHA256

    e8d05fb311dcffccd746516af2d6673b0db5122337c697cac3c9f7a6be3ae836

    SHA512

    1e609c2851f22eb1f32763ec3d40277e2f0b332b27390151a343dee48b45c7c298d938af6095eebb492d8ff0b4776fb90f527a3efb51d930e18805fb4d69d414

    Download Submit

  • C:\Windows\SysWOW64\28463\GALL.006
    Filesize

    8KB

    MD5

    35b24c473bdcdb4411e326c6c437e8ed

    SHA1

    ec1055365bc2a66e52de2d66d24d742863c1ce3d

    SHA256

    4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

    SHA512

    32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

    Download Submit

  • C:\Windows\SysWOW64\28463\GALL.007
    Filesize

    5KB

    MD5

    a8e19de6669e831956049685225058a8

    SHA1

    6d2546d49d92b18591ad4fedbc92626686e7e979

    SHA256

    34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

    SHA512

    5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

    Download Submit

  • C:\Windows\SysWOW64\28463\GALL.exe
    Filesize

    646KB

    MD5

    b863a9ac3bcdcde2fd7408944d5bf976

    SHA1

    4bd106cd9aefdf2b51f91079760855e04f73f3b0

    SHA256

    0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

    SHA512

    4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

    Download Submit

  • C:\Windows\SysWOW64\28463\key.bin
    Filesize

    106B

    MD5

    639d75ab6799987dff4f0cf79fa70c76

    SHA1

    be2678476d07f78bb81e8813c9ee2bfff7cc7efb

    SHA256

    fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

    SHA512

    4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

    Download Submit

  • memory/2620-28-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2620-50-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3468-79-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-87-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-97-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-70-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-95-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-73-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-75-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-93-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-77-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-91-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-81-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-83-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-85-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3468-89-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4728-54-0x00000000009C0000-0x0000000000A1A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4728-49-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4728-76-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4728-71-0x00000000009C0000-0x0000000000A1A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4728-68-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download