Overview

overview

10

Static

static

3

JaffaCakes...89.exe

windows7-x64

10

JaffaCakes...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2025 10:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7be3ff55bf3bb39b132474013d0d9b89.exe

  • Size

    504KB

  • MD5

    7be3ff55bf3bb39b132474013d0d9b89

  • SHA1

    ef45a43e3436f48bb6273b005778448d62c17ffa

  • SHA256

    cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98

  • SHA512

    c7b3f93297a3c1034bcb2d8fe3962746289853c196d56866b7e1d67e56d5870a8935a373acaeb1694a3ca67f0fa333cb7966eb4d4c8e6358cd2213ff03d85bde

  • SSDEEP

    12288:8nQeD68whMUVzfb3vsw4qbByUPv3pCwxMdARNNDd/cB:tvMSfsw4sNX3LydSDdcB

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be3ff55bf3bb39b132474013d0d9b89.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be3ff55bf3bb39b132474013d0d9b89.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\SysWOW64\Sys32\PHXN.exe
      "C:\Windows\system32\Sys32\PHXN.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\PHXN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Sys32\AKV.exe
    Filesize

    390KB

    MD5

    b073e1c34193d3b1ae37dade3152eb45

    SHA1

    f0b627e8310be12c832d2e14b1818446ffb42dfc

    SHA256

    8f418775144b64508556ffdfa24a8b6263dcb353fba94872fe8c24391d9bde79

    SHA512

    0e13f5052e1bc892205366f69fa5262c5fb815f9a9809fd39eeb0787a4fb48328907456f30fece3db19c9a40d0d1cc75cfd430e0c2b9edbd462909c315b6846b

    Download Submit

  • C:\Windows\SysWOW64\Sys32\PHXN.001
    Filesize

    472B

    MD5

    83d4cb4598904d247334514811f073a8

    SHA1

    3e4f7c865679273154722bfec528becd38204dad

    SHA256

    6b6e2e5d483044e972a452dfaa9009fafa13f465d43ad612060b616112ab801f

    SHA512

    8ea7c633d39e82003c9902c05fa92d49f7c711294d3b709110ccc8006d534e11cc9a5deed09e77db2109831cbb9b94d40033b5e59f366ddf4dabdc81f51ef173

    Download Submit

  • C:\Windows\SysWOW64\Sys32\PHXN.006
    Filesize

    7KB

    MD5

    8f7b2a047e21e5168021c6b6c74b43d5

    SHA1

    86d6497fa6bfbc8d889479da1180d1b81c6dcf1c

    SHA256

    d18a1d8bd7bca221016a415a55034e6d47231b5561f3ecf4022c3caea52c00e8

    SHA512

    a15f0a4280b80db35e99b0a4c8e17fc63f49713b73fbd195ea2b5304bceb733cbfcf6673410dea2c6b83d617f8562fa18dd95574875caac71f81649fc95d2fd7

    Download Submit

  • C:\Windows\SysWOW64\Sys32\PHXN.007
    Filesize

    5KB

    MD5

    aef6e96d082b935073a8ae15ba537f63

    SHA1

    704af73246a277c552c3ed2f859a227413de1b31

    SHA256

    75e8ce0baa4ccc7249d3d8a594d55744dfb6b6d0d9c272903ba8285ac504ef06

    SHA512

    a14c6de30455112aa8c8489ad080822f52554e4da087861cc49723e2f24f5bc292723cd5c129cb79fa13534f510a47e7e81173066633cf3716d983f951fc1955

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@9251.tmp
    Filesize

    4KB

    MD5

    c5c306d45c5b88d004a071941b12b030

    SHA1

    fcdd3d742203743514f195d6d1060a8475036632

    SHA256

    2e6181885f8cb215a7291d556100636a7fd2b409cb6df1f65f6c61d058521ec8

    SHA512

    fdc66e8a5338e60adda51b21bfc5a40b86293d16c5492c82cdbce3cf4f9743c8b49f5e2e4d31c5b827c50c257a08c6dc57d3266ae3eac60ac46ad14684802738

    Download Submit

  • \Windows\SysWOW64\Sys32\PHXN.exe
    Filesize

    477KB

    MD5

    489644a82021a8b7073ce20ff2ab34c9

    SHA1

    6384e2e97d957848d3a62af246f94e9c4a9e2f6e

    SHA256

    51fd851ac6c71b99feaa4d0222ba87e53363c4981f9727d054b97baaeca8eeaf

    SHA512

    95028425396879a03a003ae6e77f0567e13256a476ecc07779639b131091e206441e13d8a6aac99aef0135c065c6ccead9a9d5677fc63e70ec65f30e2509c872

    Download Submit

  • memory/1788-24-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1788-27-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download