Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-02-2025 10:04

General

  • Target

    JaffaCakes118_929f5fff507cae7a0113b9b541458919.exe

  • Size

    503KB

  • MD5

    929f5fff507cae7a0113b9b541458919

  • SHA1

    072a6d0c56832b4bdaa832b70bfd47bc5cc3aefa

  • SHA256

    ae805331e321bcd06072c7a247a43d01471d5defcb4b22b761aa9beb8be4b7f0

  • SHA512

    ca17033b36f22a94bcf73e122516f3c020b03b7b25cc081334078aac0e0db30958fc3c3b352a16bf5da6608c8aaaf6f00d8a4ea131e791c098c148b3cd87bb71

  • SSDEEP

    12288:yneV4LgGw2Hsb2La4ckJssVr8BnD9HQ0PuYpi6o:PV4h7MOHcIdx8Zq6o

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929f5fff507cae7a0113b9b541458919.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929f5fff507cae7a0113b9b541458919.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\Sys\TXBB.exe
      "C:\Windows\system32\Sys\TXBB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@AF4B.tmp

    Filesize

    4KB

    MD5

    ff0ccec859a89e516c12d8538531da83

    SHA1

    46950d1e2f2690991e2e9196003004073acf46ff

    SHA256

    a9a136b7c0e9e5edd1596e667375ff0f8bee11e28be7d9267bc1ee135cad0124

    SHA512

    e2cd9169d73916b20a00ac7aadf0848917964807eae1c75cb2bc03878a8ffa9e10970d0f2c7617c6df0690e0d45f230675b4b82aa9cc865552867838712c0d6e

  • C:\Windows\SysWOW64\Sys\AKV.exe

    Filesize

    390KB

    MD5

    bd30c9210bf4512a09ad14e2611be7ce

    SHA1

    b2ec87b8596673696b5a354f38a48bb0d4195949

    SHA256

    4e097b8cafbe87f638c362fb9bfaa60236c2aab8857accec92ba2f6d62aa69cd

    SHA512

    6957dc068a570c1b523839be348b71ac905e5f2ba15ba499121854ba1ea0d973a98760471dfc3ef766820913c781df5d7b2c9f109a7f0864260afe1c110671b9

  • C:\Windows\SysWOW64\Sys\TXBB.001

    Filesize

    438B

    MD5

    66b733d04eaed6b7b4135b51d456ea2c

    SHA1

    672ad80fa799e76532842ffccbe669683dbfb191

    SHA256

    3e2e7cc87c52cc2a422d0e1a858f0a930eda12ae01186a891df51633a40dcf7e

    SHA512

    ce129cafe92c31c7bba1c85ef53c97d5d47895805c79d728ed823c0ec28c8d43aa64c1a8a4423700e71126f117bc7b51fd50b2a2f9122a05e11c8b925a8db511

  • C:\Windows\SysWOW64\Sys\TXBB.006

    Filesize

    7KB

    MD5

    cf441326576f2dc52f33a630109026d8

    SHA1

    bdde913634082b35f9cac6b4d5ac17c7e211a767

    SHA256

    2fd8ec3785c3c8c7271cea13e7035faef0d8a91e1799e42388ef8ddf90ac3dd7

    SHA512

    54e7a9f2ddd4ee1e7138515b112384b9a60089333484b2f5d0f73b0c3609f3c63c3f3113824c4fa7a6b2690462536eefab8a5f7b6a64d7d55922ddc94d098926

  • C:\Windows\SysWOW64\Sys\TXBB.007

    Filesize

    5KB

    MD5

    9a822796da34ecdab5338ea850fe8522

    SHA1

    331c3ba89dfbafb6437e3090924c01a46df5f378

    SHA256

    d322696c444e52317ebc5149d13269a92f3a66cd115b45adcd36e198e7754baa

    SHA512

    e048a36bd04bec3a2b1bbce2bc5a36d165439eb4d06089c268b53c15e36321de67be18bf867f7556bb9774ea0cabc102a46e43e10445df5a1c3b881f9a748e8b

  • C:\Windows\SysWOW64\Sys\TXBB.exe

    Filesize

    476KB

    MD5

    a409426df11edfbd0c2fc63f6d753667

    SHA1

    51cde140ed8b887c5e88337ce14614106230a20b

    SHA256

    9bfbe286206d5275a2739506a2299415fc74d961d81ea7860c73cbef0f8f1455

    SHA512

    818d23f0257f071f22297e3a8c7df4d8244b2c85aad4287261daef54ecc61a51386ca9cd4a6b56e5d99e5ff7310744df298ff55cd16a96c1808999ec3ea049d2

  • memory/2532-23-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB

  • memory/2532-27-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB