Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2025 12:01

General

  • Target

    JaffaCakes118_aaf4e8fe62a649f972b3c84f7580fb27.exe

  • Size

    571KB

  • MD5

    aaf4e8fe62a649f972b3c84f7580fb27

  • SHA1

    87a14c937a2b0b8c5554c4a91acc7884e9fa4b9c

  • SHA256

    a97c5efc61f35a22fa05e9c730ca0d3af93242e24dbeac768191e86f66eef220

  • SHA512

    26c5ffed5e9dbf3b9c4350a5529dd8b52b5efcdc99832f4b8b949f0329175ec867611d455c0a49c150c32300043117c26fe452c8238dc0ce056424787212c3b6

  • SSDEEP

    12288:5l0/jEepRqOSiCmQOm7ruKZmNCWGZYKpna65YQ+:47E8RqckmLKLd+

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaf4e8fe62a649f972b3c84f7580fb27.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaf4e8fe62a649f972b3c84f7580fb27.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\YOF\HWRB.exe
      "C:\Windows\system32\YOF\HWRB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1116
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@B342.tmp

    Filesize

    4KB

    MD5

    0850d0451f7b387627be1d8448d4e8cc

    SHA1

    f7f346dbb9399a5f3c1e783c66bc82b7110d6f32

    SHA256

    d0f4b9b1c98c68a583e99af328f25220072bf99350407f4d8168cc15714ed9e1

    SHA512

    bb403196ff80b8971486d4a71246de4d4e4b1bbea4505940574ce2d375bc1d55a5ba7606bba9d4b726ad3ef3fe89a1ed377d6d984f2f08fa1f938694fb2f6535

  • C:\Windows\SysWOW64\YOF\AKV.exe

    Filesize

    416KB

    MD5

    753eed6ba7bca7e1b625d352a5230f6d

    SHA1

    db4bf56b23cbbd41d7f95d5f06ea8b062ba4b3cd

    SHA256

    68d90fb1c165caa1c6c04d1dd9a29e81a83d52952d608c17284b7215aafcb859

    SHA512

    abf78a8018039cfc5e7dd6ec4f71bfa58ff16f15e8758a9ed04c026c941cef6da14ac057d955778a4190f1116b42088aef9c87634f94d5014db6a5401d64fc60

  • C:\Windows\SysWOW64\YOF\HWRB.001

    Filesize

    408B

    MD5

    6bcd31006f14e045489ab24133e288e1

    SHA1

    5c23541f71b71a95079eeaa607460951db8ad1fc

    SHA256

    9610abd506177426e6a582b1663073cdf530ac9afdeb85da2cc37907c9b41de3

    SHA512

    857e42cbaa69bd21d0dc4aa91b81507a197b000c4d9bbddbcf008031a87da471e89ddda3b538dab7018e274e6a8c8cc068d2cff02bf762744a67c7f65f31deb3

  • C:\Windows\SysWOW64\YOF\HWRB.006

    Filesize

    8KB

    MD5

    1acf05c81017fb2a272d9c10caeb67f9

    SHA1

    e782df7f04a0146cec392f2200379fc42a4a74ad

    SHA256

    fa5e1d9a2240a678a99a0a11b1d49d6c692bc3ef24a0a1f2cc8f85c1d4e5a894

    SHA512

    c64e5b9c43af483c551b2fd4e143517c79cdef5b4144258f8964695dae3d0e3689194f0be5500369b19d666d0a08b46e15662bc8f1c51e314eee8af54cccb1c3

  • C:\Windows\SysWOW64\YOF\HWRB.007

    Filesize

    5KB

    MD5

    1f154a8e3d92b44b66de52ea426c772d

    SHA1

    5cca6e4b88dafa2caae56ad98df6ca4bdabbd92f

    SHA256

    6e08d5b0986bd2f6a9f7a981a6d951b9e6b71616ec894a9a3b40a0c12ceb3b95

    SHA512

    06501a567500a05082d03818d33d49f3bf7afcdd5ea6e68ed37f09ed4fe6a945f2e86ce418a86a98d42d436d4b76ffaef2434642c8f2fb24f2f445797e5e8c55

  • C:\Windows\SysWOW64\YOF\HWRB.exe

    Filesize

    540KB

    MD5

    3fcec6436ceefe496759d5d95a72946d

    SHA1

    90741b60963323ccff6aacc4f9a4e947967f3c65

    SHA256

    e9f4f9a93da9c4977f330450aa485665789b5f0d422ede2e67237c64eb975434

    SHA512

    44c675bc06b036c64f364db3198db29a8affce246006f8d51cd8de45c131de575ded4d5e1aefeeccd8c82d52529a3b312379ea524b7e49d662249a61c71aab06

  • memory/1116-22-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

  • memory/1116-33-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB