Overview

overview

10

Static

static

3

JaffaCakes...01.exe

windows7-x64

10

JaffaCakes...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2025 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_8196260df13d0836acf9f156bdbbd301.exe

  • Size

    459KB

  • MD5

    8196260df13d0836acf9f156bdbbd301

  • SHA1

    6cb3531f12477e491bfc143a572c63d360dae555

  • SHA256

    e5428a80bdf896e482d0bf49f58b79c7b4a5d62c011dd7e86ba80c07df6dea32

  • SHA512

    4fb6fbb63e187a8986eee92adb60c8bf842f770acd3af3557111113a564e72f9bab7ac13ad4a2316715e7960ac17e9254fe3c4f1801079c4f280c35de1b39535

  • SSDEEP

    12288:X9TU4wk/uFP25o7D/qEyDXhtKV6igjSvL0wG:hU4wQuFP1/bojSvS

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerstealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8196260df13d0836acf9f156bdbbd301.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8196260df13d0836acf9f156bdbbd301.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\Sys\QKJE.exe
      "C:\Windows\system32\Sys\QKJE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys\QKJE.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2044
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zorro.jpg
    Filesize

    175KB

    MD5

    dee7fbbe3a163996b623428f2947f3f9

    SHA1

    5734419a3f2c2744c7ac436c63fc08b9d12bb3b5

    SHA256

    f3c2b9066420773829da704b66049b9055b1fb83161002e38142685e3990a153

    SHA512

    c9a13f610d62bafeb89306095179bbae767e594dc5657914632afbc813d07e947cfee8e0c462a24c82983df08d0df680081b7244793416a1b63c28eca81ae023

    Download Submit

  • C:\Windows\SysWOW64\Sys\QKJE.001
    Filesize

    3KB

    MD5

    36be37cc14c19a55a6a51ff99547c6d9

    SHA1

    b5c329ab95f2641e8bbcbd6376f1b3d23a2d6371

    SHA256

    d0d581dda42f33bb593f284a857ba0bb1f3bdb01950d8a581690e248a6e2d212

    SHA512

    f05933ec2b846f5452c25008119d36bd16b6bccd04da3e67734d2be306c8c299f8c8ac0af273a576439486ed019076bacc14863c6e5b1bf6a8255287d5e789a9

    Download Submit

  • C:\Windows\SysWOW64\Sys\QKJE.006
    Filesize

    5KB

    MD5

    2a970556e12272cb5120c41a01263e92

    SHA1

    3d1bbf48042a8752c22a1dd5d2aed1f0b324fecf

    SHA256

    8c0888fdce2b7978411fadd409c501a8cc16fe4d03534ec2ba3e98688150f558

    SHA512

    5beb75ffaa1e5008d554804bdee8c2389925eb1272f90a953247e0f03d110bd94894fa03082544b47f0cf7873b23fe76f53954a7bbc63f912151c24978cf0062

    Download Submit

  • C:\Windows\SysWOW64\Sys\QKJE.007
    Filesize

    4KB

    MD5

    04c70d6df53b4321e0a56e5d86d9a1b1

    SHA1

    8ec16da633caa3ea80b702faf5f5882b63c28e7c

    SHA256

    63d77f8aae9c3ebb251e090c65bbf0e3d4578198eeeef31e47c9d369390e3819

    SHA512

    5ad50712679630861bc0ae34d84047785f22d3b068a5fa305e34735c328e8ae8f85b9f179c80fa2f8d3a3792246e26768ec33b52c4211d0104cc86f724b2fb91

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@B6C1.tmp
    Filesize

    4KB

    MD5

    b9c56fc56da3f3e10a842f6e78fe674d

    SHA1

    4bd97b320edf4a6498066800510cfc5bf845eb1c

    SHA256

    925326f170d367540ccfd434c7906ef840ca20083470b14b0a2333a772dc095c

    SHA512

    beb59ef6bff8a73863bcbd4438138b0d02e4ee2efdbb14932b3cb3272ed23413dce5b0447ddb8e85bac83c850579355eeeed2b75e6a45e24185400b046da9bb7

    Download Submit

  • \Windows\SysWOW64\Sys\QKJE.exe
    Filesize

    495KB

    MD5

    4d39b155617483976d10154a8f3f2b13

    SHA1

    a7f729fae62207eec31f1be0d50ddd03b4721841

    SHA256

    7c9feea8815ba1556e30704109512cfa793f1e3951195130eaf9abab8ef2613b

    SHA512

    23a52be53514c80ba845d45410cf4ec41008c2b1079d7aa8fb33eb579ec42b4614d0fa976eff8ab3950fd69b3fbe9e02f156b4ff4fa219d64b3f45058b71ccbb

    Download Submit

  • memory/816-25-0x0000000002840000-0x0000000002842000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2652-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-24-0x00000000774DF000-0x00000000774E0000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-32-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-26-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2932-28-0x00000000774DF000-0x00000000774E0000-memory.dmp

    Filesize

    4KB

    Download