Overview

overview

10

Static

static

5

JaffaCakes...99.exe

windows7-x64

10

JaffaCakes...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-01-2025 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe

  • Size

    2.2MB

  • MD5

    6b5991fe1c54e2dee8efb0a6752a1099

  • SHA1

    73735a5b949d0175156c7234787a452b6d0d50c9

  • SHA256

    f6a427e78f0905ac2b8cfd882bf4c409e567c67163cdcef6fdbe9277d4a5f283

  • SHA512

    9a7336946325e0105b28025da2d05a111dafdbfaf58420b84bb365393043510a3ac5fa21ed39c90f31a02ac8f7b2d37ea5454f4b98718429d226b0b175e15b62

  • SSDEEP

    24576:fOkeXzdpiaeS6wbvusjfssaalU8dRlde688c9O75qbFv8f5p24scaOdJS:fcqq6qGiEaU8dRlf8f9D0xO

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Users\Admin\AppData\Local\Temp\signature.exe
      "C:\Users\Admin\AppData\Local\Temp\signature.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\SysWOW64\28463\QHEJ.exe
        "C:\Windows\system32\28463\QHEJ.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1776
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4100
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@AF6A.tmp
    Filesize

    4KB

    MD5

    27092ec75c1839f36bfe900a38acc484

    SHA1

    fe14b750a0ed653246c5f358891f8c1241913bb2

    SHA256

    e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

    SHA512

    815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\header.psd
    Filesize

    1.3MB

    MD5

    ee7f7f35162af67150038a6b083648e9

    SHA1

    32758528efca36d45dead82da990ffaaf4465866

    SHA256

    2e8e8dd204d47749b588b3e3c6af15e08b8e9545bc2f6ac6dd8962328a0391e4

    SHA512

    f3ec99fef186b1914b0aa840b15a8c511207486f1f664fd6f9d1eea14ff515957c1c66650c7af30f9b997b0b5f7fce995842a235ba19f64195790902b98438e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\signature.exe
    Filesize

    894KB

    MD5

    8a30bd816fce0f7f30570f74de041f43

    SHA1

    88320c6c902ad73e041c4fa9deea532e5a13df87

    SHA256

    dc42d8978c71c2a79b12a2ad07489e455121546e924c5513afe5a1219ea3e289

    SHA512

    aa67ec8988a4f2035b0301eb4a3007be7404e7c6f9dc0b7b7a2678f0fcce40e9556b1ee9dc967b52e1346612f3d11cfdaaf4d3892d0ff5fd074835af61d3ee54

    Download Submit

  • C:\Windows\SysWOW64\28463\QHEJ.001
    Filesize

    422B

    MD5

    3a5ff6b2528a10f5097dc335c20413e8

    SHA1

    12c54771b8ad4016716a32972c62296579d32ff3

    SHA256

    82e0b8349d72ec3e0e7a607ad0913a8f3a507f04c1cffaaf951b2f15d72ad13b

    SHA512

    058376e1fee27fdcfd0c8dfbecc17155d0c7d69a637a04fb41b5cb8bf9bc0c46d58e7a5a58e8dd1199b42ae6fd7915fd8f4e9fde3492c5a4b6048e3a911af4ef

    Download Submit

  • C:\Windows\SysWOW64\28463\QHEJ.006
    Filesize

    8KB

    MD5

    aae8ccee5d5eed5748d13f474123efea

    SHA1

    6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

    SHA256

    10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

    SHA512

    d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

    Download Submit

  • C:\Windows\SysWOW64\28463\QHEJ.007
    Filesize

    5KB

    MD5

    40685d22d05d92462a2cfc1bba9a81b7

    SHA1

    f0e19012d0ed000148898b1e1264736bed438da8

    SHA256

    cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

    SHA512

    21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

    Download Submit

  • C:\Windows\SysWOW64\28463\QHEJ.exe
    Filesize

    473KB

    MD5

    339ae4ce820cda75bbb363b2ed1c06fd

    SHA1

    62399c6102cc98ed66cbcd88a63ff870cf7b2100

    SHA256

    1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

    SHA512

    5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

    Download Submit

  • memory/4552-0-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4552-19-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download