Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/01/2025, 06:10 UTC

General

  • Target

    JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe

  • Size

    321KB

  • MD5

    5faa0dd84426f798a53c11c222d66e30

  • SHA1

    40f0f035d0a1467f919e2a9b8c44682d3f85817a

  • SHA256

    c5612b17662ada258a7f49719dcb905be96f419054ab8858ec5835eb12118b8c

  • SHA512

    7a9e785de7d30379f3b265a06d9c0a3d264bef39e0c8362ffc519907d383b6487ea359178e8c122aa64803e8d6ce01cdc4b23404f1fa096c37b235dc796a7bcf

  • SSDEEP

    6144:/RXe6t5AN4uLpVWMRrtNAT7+vvun3mB4/SdYpSoehL:/RXeGDuLpVWMRpNq7wvu26/SkSoex

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5faa0dd84426f798a53c11c222d66e30.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\Sys32\JBLW.exe
      "C:\Windows\system32\Sys32\JBLW.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\Rmpg2011©.exe
      "C:\Users\Admin\AppData\Local\Temp\Rmpg2011©.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2588

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\Sys32\JBLW.001

    Filesize

    462B

    MD5

    6eb280ad991da09c2192333ea2e42122

    SHA1

    a04894e6465fb030d950e3414a775ebe7f3ba4a4

    SHA256

    897d1dcfb02f4f80e87b38c7d8935ec85a9c40b74d7489579ddc4d46de3b2412

    SHA512

    e649eaa0338ccc0ad72f30bc77ca3cacad97756d8456ddea7ba2715ab2b371c3eb83ad8ca5c65789c7cc377c402292aca35f3564ab10defd181ebb2c8fa0331e

  • C:\Windows\SysWOW64\Sys32\JBLW.006

    Filesize

    7KB

    MD5

    928cc65dc793834c709a054ca57c19c8

    SHA1

    a1e5d8407199c1bd6a4b274044de640fe0d9e99b

    SHA256

    e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

    SHA512

    f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

  • C:\Windows\SysWOW64\Sys32\JBLW.007

    Filesize

    5KB

    MD5

    3e1f5d5a06cf97b0495b8d129fbe02e4

    SHA1

    b0de258a813f5edde85004f6865b6ed91f6d6f8f

    SHA256

    f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

    SHA512

    b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

  • \Users\Admin\AppData\Local\Temp\@EEF.tmp

    Filesize

    4KB

    MD5

    33303ca8abef9221cb410b8a232e9fe4

    SHA1

    0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

    SHA256

    5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

    SHA512

    da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

  • \Users\Admin\AppData\Local\Temp\Rmpg2011©.exe

    Filesize

    51KB

    MD5

    677b168330c9127d6f549740ba7d92fe

    SHA1

    58621cc7d55a7eeda8c8b39fefd405ef3263d651

    SHA256

    9639d46696884246e64ecc6781c6cb53026d1477515b07aacc6e0d8430da982b

    SHA512

    f81c96cee5e32256830336bc3d81f20ed1ef181210be8f8312485d85a96a9e0a285b95bc3c637b01fed83a5e9aa25618890de8a49513aa26abbf4960e93c2d5c

  • \Windows\SysWOW64\Sys32\JBLW.exe

    Filesize

    476KB

    MD5

    ef52b540cb404d908338e9cbf7cff283

    SHA1

    778765e1736c0a197685978c3fee7a44e7bde419

    SHA256

    39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

    SHA512

    596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

  • memory/2588-31-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

    Filesize

    4KB

  • memory/2588-33-0x0000000000F70000-0x0000000000F84000-memory.dmp

    Filesize

    80KB

  • memory/2588-35-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

    Filesize

    4KB

  • memory/2776-21-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2776-34-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB
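The Downloads list above gives the hashes of everything the sample dropped, and the process tree shows where it staged them: a directory named Sys32 under SysWOW64, which the 32-bit child process sees as C:\Windows\system32\Sys32 through WOW64 redirection, plus a Run key pointing at JBLW.exe. The script below is an added hunting example, not part of the sandbox report or the analysis platform. It hashes files under a set of roots and matches them against the report's SHA256 values, flags any path inside that Sys32 staging directory, and checks Run-key values for commands launching from it. The registry path used is the standard CurrentVersion\Run key; the sample Run values and the sample files in the test are constructed so the logic runs offline on any OS.

```python
"""Offline IOC hunt for the Ardamax dropper described in the report above.

Added example, not taken from the sandbox report. Three checks:
  1. files whose SHA256 matches a dropped-file hash from the Downloads list,
  2. paths inside the Sys32 staging directory nested under SysWOW64/System32
     (named to blend in with the real System32),
  3. Run-key values that launch something from that directory.
"""
import hashlib
import os
import re
from pathlib import Path

# SHA256 values copied from the Downloads section of the report.
DROPPED_SHA256 = {
    "897d1dcfb02f4f80e87b38c7d8935ec85a9c40b74d7489579ddc4d46de3b2412": "JBLW.001",
    "e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192": "JBLW.006",
    "f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7": "JBLW.007",
    "39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815": "JBLW.exe",
    "9639d46696884246e64ecc6781c6cb53026d1477515b07aacc6e0d8430da982b": "Rmpg2011©.exe",
    "5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a": "@EEF.tmp",
}

# The file is written to SysWOW64\Sys32 but the 32-bit child is launched via
# system32\Sys32 (both spellings appear in the report), so accept either view.
STAGING_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\Sys32\\", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_hashes(root: Path, iocs=DROPPED_SHA256):
    """Walk `root`; return [(path, label)] for files whose SHA256 is a known IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if digest in iocs:
                hits.append((str(p), iocs[digest]))
    return hits


def is_staging_path(path: str) -> bool:
    """True if `path` sits inside the dropper's Sys32 staging directory."""
    return bool(STAGING_DIR_RE.search(path))


def suspicious_run_values(run_values):
    """run_values: iterable of (value_name, command) pairs read from a Run key.
    Returns the pairs whose command launches from the staging directory."""
    return [(n, c) for n, c in run_values if is_staging_path(c)]


def read_run_keys_windows():
    """Enumerate HKCU and HKLM ...\\CurrentVersion\\Run (Windows only)."""
    import winreg  # only available on Windows
    out = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            out.append((name, str(value)))
            i += 1
    return out


if __name__ == "__main__":
    # Constructed sample Run values (not from the report) so this runs offline.
    sample_run = [
        ("SecurityHealth", r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
        ("JBLW", r"C:\Windows\system32\Sys32\JBLW.exe"),
    ]
    run_values = read_run_keys_windows() if os.name == "nt" else sample_run
    for name, cmd in suspicious_run_values(run_values):
        print(f"[run-key] {name} -> {cmd}")
    system_root = Path(os.environ.get("SystemRoot", "."))
    roots = [system_root / "SysWOW64" / "Sys32", system_root / "System32" / "Sys32",
             Path(os.environ.get("TEMP", "."))]
    for root in roots:
        for path, label in hunt_hashes(root):
            print(f"[hash] {path} matches dropped file {label}")
```

Hash matching only catches this exact build; the path and Run-key checks are the more durable signal, since a Sys32 directory under the real system directories has no legitimate reason to exist.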
