Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2025 12:34

General

  • Target

    JaffaCakes118_ab3c16012840596c832cf1ab604d55dd.exe

  • Size

    300KB

  • MD5

    ab3c16012840596c832cf1ab604d55dd

  • SHA1

    5dbcccb5ad176f76de058e264dbff27d50847801

  • SHA256

    e56349f72c18fa8725401eb92b8fa561b2643854076ee8f5e545e2ea8167dd6e

  • SHA512

    2fccecf3b43cb9f05a0ac8f122c5000461e8446ebe2649682ee10d9aa4021123aa227d4f90b2475501fa445a03b49b536eefedd535815bec80d184c2f6fdd1a3

  • SSDEEP

    6144:ANbh6TZ87AfqVYVqMgwCkKSyrQ5fdEvu+O3JdwPtE7E+f8I0BeFX:+6TVqVspge0vuJOy0uX

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab3c16012840596c832cf1ab604d55dd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab3c16012840596c832cf1ab604d55dd.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\svchosts.exe
      "C:\Windows\system32\svchosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4364
    • C:\Users\Admin\AppData\Local\Temp\R&R aim-bot versão 1.exe
      "C:\Users\Admin\AppData\Local\Temp\R&R aim-bot versão 1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 320
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2500
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2904 -ip 2904
    1⤵
      PID:3792

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\@75EB.tmp

      Filesize

      4KB

      MD5

      ccfd350414f3804bbb32ddd7eb3f6153

      SHA1

      e91d270b8481d456a3beabf617ef3379a93f1137

      SHA256

      1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

      SHA512

      328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

    • C:\Users\Admin\AppData\Local\Temp\R&R aim-bot versão 1.exe

      Filesize

      159KB

      MD5

      b3516ecbdbb7813d5721056cc1390d0c

      SHA1

      4f51baa53ddfd3b32500ea6fb577fbbad243a144

      SHA256

      621f4c983270b0eb5f45343a772ecd1efd373baebfaace23c0b515e6ea583b1e

      SHA512

      086f53843022e0dfba5fd8cdad2c1367b7c609437da3de7fb9fead99ef0969d18365c0ac2e1bca6e1e290fc0f459b30b38fdc1e8b0630d72d2423a3f633d9c99

    • C:\Windows\SysWOW64\svchosts.001

      Filesize

      1KB

      MD5

      decd9d0073e4586fd173968d51a3313d

      SHA1

      ab9216b9236a20499a67bb269e5271824c997ecd

      SHA256

      5558e8ad3baf260046322c9c9a98e56a0563cec47ec9e39da0823a4c6400ce3c

      SHA512

      35eccffa17bf98f567c2730492cd61cf85a97f70887f2d19d939f856ef7a540ebd2c0b90081f68cccd5ccc223700196463a5f687da26fe343d294cd352ac23a5

    • C:\Windows\SysWOW64\svchosts.006

      Filesize

      4KB

      MD5

      0868167c8915fb3d87d4e5a775a57ffd

      SHA1

      5f223134e003382fd8c191a1f4ca94922f1d802e

      SHA256

      6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

      SHA512

      d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

    • C:\Windows\SysWOW64\svchosts.007

      Filesize

      6KB

      MD5

      5e023770dfb9d9068706facc958c7d66

      SHA1

      9cf95074a78239da000452362c2167991970e972

      SHA256

      f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

      SHA512

      a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

    • C:\Windows\SysWOW64\svchosts.exe

      Filesize

      239KB

      MD5

      2bada91f44e2a5133a5c056b31866112

      SHA1

      9fbe664832d04d79f96fa090191b73d9811ef08d

      SHA256

      c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

      SHA512

      dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

    • memory/2904-33-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB