Analysis

  • max time kernel
    94s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2025 12:31

General

  • Target

    JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe

  • Size

    548KB

  • MD5

    ab346829a6928d63a8ab9d0f37e551b2

  • SHA1

    2b1eaae67209ea87df3ef965d7d9b8b8b5c53e8a

  • SHA256

    bdd3814b01416d98afb92b704d388f392ef5405766419948337fc27bb56396e2

  • SHA512

    f59c3af1e8c7a07babb5b3bba9290cb6b5f0fb8f606405d79bf71426e0530c1e86e023e70bdf3607979c05c54f8bae2091c0a0823d4ba9a2d9d6d9a09d44c233

  • SSDEEP

    6144:2HHX+UD7g3XhqPmlcjFJbj8SlgvDr/2CRyper6S+es8pcHNkixuUIpMZ5VRYL4F/:Wx/x4c5dj8UgvHdYMc0YxuU+MAL4FwBi

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hit.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Webzen\MU\Config" /f /v "Id" /t "REG_SZ" /d ""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3964
    • C:\Users\Admin\AppData\Local\Temp\ardm_serv.exe
      "C:\Users\Admin\AppData\Local\Temp\ardm_serv.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\Sys32\OUCW.exe
        "C:\Windows\system32\Sys32\OUCW.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2492
    • C:\Users\Admin\AppData\Local\Temp\Pinnacle.exe
      "C:\Users\Admin\AppData\Local\Temp\Pinnacle.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3596
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe"
    1⤵
    • Modifies registry class
    PID:3232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@B026.tmp

    Filesize

    4KB

    MD5

    74ff002e34aadbe8a9f7d88d2532c5d5

    SHA1

    3c11c399973d2db9a94ad7a089870d026c8c859d

    SHA256

    57d3fc3ef8934afd806d28d705c05637c0bd2d64b91a1a3e87e9bfbbf95f6e8e

    SHA512

    704c6520a7c89e6432776ad31c3334d22db390474c141974fc189c03b84e4618a35707f70f7ab7337bb63775a3cc04c2f70e88d9e3f921cf9ab2116305ed1bde

  • C:\Users\Admin\AppData\Local\Temp\Pinnacle.exe

    Filesize

    56KB

    MD5

    3695122fdf4c13d32dc9bbd962b184db

    SHA1

    0cc310847e5a92e8c463c9d6c33a029a12c3f993

    SHA256

    9e2ea0ac3c425dc3b003093a82b1587dc98f285852d5a1cd9261877ffa9975dc

    SHA512

    857aa1c19c1c12fa7c0b5e429c07092868265afe0c6416b788957a0275fde683357c20dd1e58460a71d541f496062d9433c0eb80eec52f3ab29aaa103ed55f9a

  • C:\Users\Admin\AppData\Local\Temp\ardm_serv.exe

    Filesize

    480KB

    MD5

    cd28d44962cee104b6873cf0834d1c1c

    SHA1

    65e66fef27740d395add739f1a81f8a3313fceb4

    SHA256

    18e6f4576fccc6846fcacabbcdf1bb20839f2a21032d1b08d2ec852c940f694a

    SHA512

    5d3468d61c4b5b2e9ce1fce2dda1513444a5a36e9425bdaaafd1e1d6614de6cbf0a107da1c9daea6b3b6cb032d13048c4529dc07a64e8bfb3651e5a4b1844aeb

  • C:\Users\Admin\AppData\Local\Temp\hit.bat

    Filesize

    112B

    MD5

    a9462bae83e7f8dcea82fceb2ecedfb3

    SHA1

    68431efa134e92052907ef47e36a866e21878559

    SHA256

    262dd81938d5d3611672c050244b7629e70bbbd93f0bd13e4e33c221027d2b06

    SHA512

    28afafca63aed98f8a6c1efb2111d7284a714d753d81d0ff2fe8970b4ab752c1cd06fa0dbfc703b97059632de9cb01ab0aae9d01cac048166160701d27a716ec

  • C:\Windows\SysWOW64\Sys32\AKV.exe

    Filesize

    391KB

    MD5

    75e14e922eeea4674c45a00335c28777

    SHA1

    f3268f7a91e0cef3ac1b03877daa694655e79fa1

    SHA256

    e103b85edbafbacc8e4ac50378ee4812b68ceccd2b6f2066243ac03674030f68

    SHA512

    b2c5e09c041bc235bf1be0a808c92dc5b8256447be95a0fb4bcfe9160123c63d14a4979eea28f5286a0f3f354c59f032c9a24586dfb7067150dae7339314f6fa

  • C:\Windows\SysWOW64\Sys32\OUCW.001

    Filesize

    488B

    MD5

    2085ba972166764ca02393d7870db96d

    SHA1

    f9c2a0e6e212b22d62943e111849e8ac6d9139f4

    SHA256

    301da4d5b175957e1eab0e423b07e868d7a1b7f976845fa4b5024699ce7136a4

    SHA512

    1fb4bb9294246b9398582fc23365e3defdb5c960c007dff33ef930602f50eb3dd1f29eb85ee159a9713604655575fa5239af8a6044ae7fc96026ec97d517c44a

  • C:\Windows\SysWOW64\Sys32\OUCW.006

    Filesize

    7KB

    MD5

    5001bd93dc919785a830ab883eefb04e

    SHA1

    eb4e7b7d42bf4669c1f011fcd0119012cfb957c0

    SHA256

    2027d2ecaa78d0ffdd4234ce531be60f230b8258ae6c001af587f6d73dba771c

    SHA512

    20f6a8fa9e2188aa29d101100edae17d77b4983f3e1dd4696c6fbcd47ef0bbcce392a0733c330dd7a707b0f5bb92720f684b04cdd8c0f1a0b186012001c477d8

  • C:\Windows\SysWOW64\Sys32\OUCW.007

    Filesize

    5KB

    MD5

    00c2e21155375b96338bf76afea81546

    SHA1

    9ec87a26f5a48db97c05b2e3990aedec0adaa999

    SHA256

    6f3c20f654f2f4aee0752b95d72d9f46ebf467422611b30e9baa5ad1d21a4534

    SHA512

    cbaf2efa919def1d351de8ad8b1e30af4bb754db833019f9d998f1c78a844b933b18c41e8764edd1632be2076fd23cd7f302cfaf3f8ed6538bc90db178db422a

  • C:\Windows\SysWOW64\Sys32\OUCW.exe

    Filesize

    476KB

    MD5

    63ea07b550f22b1f5d5d6897f4d92894

    SHA1

    8107c9115d45c7857534f0e0b2d9837304f009f2

    SHA256

    729269e2ce40465fa2b512e2dfea0da818a2972070ae6fa57c92893a1276ea01

    SHA512

    c094235f36a1ecf1ce9082a22d34d33153595c91c941fb1e1bd9d3903e2142e6e7603db184dc19248258027e0b8377aa13f523b84a98c74c5645cd3e3c2cdf8c