Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
08-02-2025 09:39
General
-
Target
JaffaCakes118_c1afd5d05b62a7b9fbbdf7935775c5c8.exe
-
Size
1.3MB
-
MD5
c1afd5d05b62a7b9fbbdf7935775c5c8
-
SHA1
641c7c01c6b93b72d761748a16c0fd416889fe40
-
SHA256
11f5b5ebfc2f25bf32e675728d4faa069311cefb66825f32106adf237d70a2e7
-
SHA512
5cd2d62ecbcc31f607e4139ea69a9a3d778d8f9f93e35eb9d3f669f1ea8a4f695fa6312090a502dc39353cdc143dfb8739fd6af8e745e3888e731041a7865992
-
SSDEEP
24576:bswyOQUyohQ9BO7Qtj6VUBYaff0Lo0Udkw/J8nPXJUF/8zhYWf:bpJQUt+UQtjOU2aff0c0Udkwnqm2
Malware Config
Signatures
-
Ardamax
A keylogger first seen in 2013.
-
Ardamax family
-
Ardamax main executable 1 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 18 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies registry class 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1afd5d05b62a7b9fbbdf7935775c5c8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1afd5d05b62a7b9fbbdf7935775c5c8.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\silent_akl.exe"C:\Users\Admin\AppData\Local\Temp\silent_akl.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\POL\POL.exe"C:\Program Files (x86)\POL\POL.exe"4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\POL\qs.html4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:25⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEW.exe"C:\Users\Admin\AppData\Local\Temp\NEW.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NEW.exeC:\Users\Admin\AppData\Local\Temp\NEW.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"5⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5b89311bdf4e6640cc9051e629476cbe4
SHA1ced30235482232b045cd5d8004e8ead01b30f9ca
SHA256db0e9d83d8a5309ae4ab4747ff6ce506a2f85b01a598caad697a69b3ddb557a1
SHA5128e71c2238e23cd793feb061736d00f8aea0002f79e2632093529ed6242f9af2a99baa598d58c04bbc9c02715d7f18955ae88334e39caa2978e88904cf27911d4
-
Filesize
14KB
MD5f8d18c97818ded4af98e1e6826e7678c
SHA1d306778e454f5dc3eb8d7bfdf434dbcd3cb4fb01
SHA256b1af1a31a22fb5a4eb5631526f1ad446ef5910c91987eb5c09be9935bdf23f33
SHA51295e24d6b6d8c7665965906629255de887358b53fcfd9b70b6cbdde09cace93665b5bb9332ea6e959be10d5458fc8e5167235fae4e6a6260f5b304fc3b5addc01
-
Filesize
5KB
MD52183e6a435b000fc6e85b712513c3480
SHA1c088b82494aaeca23a5acfaf83f55597bd0bdc6e
SHA2569a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5
SHA51294ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe
-
Filesize
33KB
MD58e4c5c3fee759991597ebc2d855ad4e4
SHA1b3da123c6300a330b8c869b1ba807115e42c6eab
SHA256e97a9f0dd54d6013280cbb032e63b9cfcc976886a46eeeac07a45af2fc545547
SHA51230a126b57b538f3429a66785521ce30e8dfe4e617d84381e9f5a0feae5956576aaf00253ea41170e12813f2637edd11c5ce643c08dd4920bf30d8bf94b95208e
-
Filesize
43KB
MD54bbbf32667e8d9aca25b74536c022802
SHA1128ce5fb0d058cc9126da94a2f9799b2275dfa22
SHA256df3a520beb7b22566981849512cfba209d108d65505b49f38ad054aad9940c17
SHA5125a850f7d6ef5293aba4594370eb59116d78b31f07f663dfc737bb35992e8c2fc351935f30af512f319af5f26f0538029624b442eca00a9f00409a23f263d9d72
-
Filesize
22KB
MD520fe009bce33b78dd40b48bc5f8accc6
SHA1cd614d9b9e088eecb7e63722f61a39a0cf0ec196
SHA256979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb
SHA512f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37
-
Filesize
1KB
MD540d00fa24b9cc44fbf2d724842808473
SHA1c0852aa2fb916c051652a8b2142ffb9d8c7ac87a
SHA25635b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035
SHA5129eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c
-
Filesize
7KB
MD50ac69330c3b9181b8a109fddb91fa128
SHA1ef9698ccce041ce8ba3f4af37d0c2b577f19b375
SHA256e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d
SHA5123a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749
-
Filesize
950B
MD53e41cba6ce303745e622bf90f2894da4
SHA15af5787336a8ae1043c06183c2c74b8212312f13
SHA2568f72648468e270757ce852d1ab35d26a2c2184144915445f1ccfb89b785a93b9
SHA512e9bfc2c9062a7f88beae4da974a9798e992afdcbc1f64cfb3dec631c1e2e9434e9acf8ed4f0bfbe78af5412f46d98b88328caf6277ae0e13d6149ab42ede8cf8
-
Filesize
906B
MD5cf75aebc07aa9e5a409ff0b2e7cff831
SHA16186fc956e6ab5b2ba3854816af87886ea844c68
SHA256c805d24afd59560fc2981369051e39fc452fa6a7244e918d1cef077e2a0a1fe2
SHA512acd92881455e3bd4de12d8ead8802225cf44a617fccdf2555f806c2998019227a67a629dcd3e15b3aa189d742de0d737477ea324bdf776fbae64e1b98f573fae
-
Filesize
964B
MD50f504f667c99af680025be3da94e8f26
SHA1b81146e754ab765010bcea558de39d771bf44958
SHA2560e0397b1f52171eab433dd0318cc24fe330ecdef54f33c35f610eb389e8b199f
SHA51206970e797ebf05a79610313eed1386f4f097602a96c099081c2ddaf73757d535c3f8989d4d81e6baeeb26b50e3117578e4d3480e52aed0c9ed5798b4c53250c7
-
Filesize
342B
MD554f6f4099497ea675808cef9e69be5a7
SHA1cdc3716adb581f3d8f515171f425441e41cd540c
SHA256f669650db08d257f731b05060576a8587e691dfd28c8d21e488e5219b24e1267
SHA512be834ad67e51f3bfbdeffd3b5df13067165567d255cba8186b388b460095ff7afcbb60142d8d99022ac7ff25333336e201af6cd0cef07a6512208f2bf0bca54d
-
Filesize
342B
MD5a5568db106f21f851ca64f273e11a587
SHA1f2e08fc45918c97864a62d1851693cf4281cc108
SHA2569126f2b33bc6e8dadb64d1b5697e87acd1798d0873af6392811de4b48ae9f637
SHA512c1429642205e1d6a63f2023201a71a5c568ae3ab749d39f98dec582ca4d3920478d04e3d309e50de6d808b68d980d7ac82b0f85ff36541546b97d73bc7f90658
-
Filesize
342B
MD59fb7e702c1770b2ecc63ca414a162686
SHA143e6ac3bed0c0690a63199c3eae6b72d897fd4e3
SHA25620882ac51f938a8bf9c24dee76f7b8222e0a17bc8418c0461208178dea174a23
SHA512c5f309e77a0fc746e3f2a2b883b30e4d0ba12646abc42c03db683d9a338e8cca4368f6b3dd7ca7268f37517de1c50bd110da39be5676611f9cc0d4b77d4c21ee
-
Filesize
342B
MD5b3a627c39dca972775216eb3b58f24d6
SHA138ea956a059aa1fdee50bc569ab900a71b25ec94
SHA2566abbda3d53a46509b0c9c0907f1329dc9bf68841359a3f04a6d3d32c415272a7
SHA512d3dd39be660cd99e60eef3a0fa6f3f1a055e494c058988221da3eab0a1e92073879fb8f584028118020c8b8b8df78a4efed2917218d5ad368c2a9841d7ae75e7
-
Filesize
342B
MD5f7a5f4337c8e5211344fffbef623a0bf
SHA1c914aba77aa2271f1e0e3762efd2c7074dd22c04
SHA2568596c2cd030c503464b95b9b75af7a07d5157ff3b2ae4a02129d03a35fc91cc4
SHA512cdcfdd8c68d9f5326642c1d418ac31cabe8efb548facf374920596e095955c54ddbcb72cb2037422c8e6585c8cf0f7966543039a701f4c853f6558fcc4ae2a30
-
Filesize
342B
MD52057890f73a0722c5236f259d8c38283
SHA1436b0bf49ec016e07952b18decf99286436d9265
SHA25616b9e4cbdd7883249acbff0de82130197fa1c0dc7377299616f278abd4285f05
SHA512921834b5003a1e4d6da43a31137933603bd6cbf2ec88648c3708992e05a672b0671db1b30820bfdeca65e1ad7d280027dcb861ca6b1ab176d7efa37ff11653d2
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
596KB
MD526c11f7c1f70bc17bb73f3161837072e
SHA1688fcac954fa1da8f30a2573330bd6d26fc9a716
SHA2565f303338c34c661a18362ab3700513f4162c5b15cc3f54fde3df6f659e863939
SHA512bae88331f064d0dc7fc7e9b9fd26d1ea14cf6e5b4a206fbf23c240db2ae4d3ca9760a8fccefd7463bf609a2d43126e0036866386fb0ec1ca61f6a0645da523f8
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
719B
MD5f00584aa39ca5820c9df2b4e2545e805
SHA1c4d7063d33b198b7e63c7edf1dbeea70f5243742
SHA256b584afa91b76bc6727fab38c61fc4b2095103ad8659b86db0eb47c1d30dc849a
SHA5126dc7b27485c6596d46aba0b2874d0d2bbb83656ce3d6ff3599bbd411093f209f778e658a99df6ffb49f132ef48fff1a93d00663d444a930a89c821e402e5655c
-
Filesize
771B
MD53719e62aca9fd627d8c7feb192253d0c
SHA1d1d075b90309cbff18a094f7109c51cf26d294f5
SHA2566a21a8000295f8cca7f75c6d9c62e6ea9572953ba6ee3456d9e4e5eabd37b3a3
SHA512d9d5c1b22e0ba6eb0b39588ff840ebf82a4c5b3cc132fef2c6d10897b4b79a99cda87f5cf092b2249c79e3ef2c043572ab1ffbd33d8b6d3ed2b087f8fe2b37d1
-
Filesize
860KB
MD5a373fc95d538fec7894ed1b336c81ef2
SHA114c862baf3812688c6ff2cf324eb3a2e34627381
SHA25669593ad7cf2bc0fc3b384309f4e4e32fb81432f6fdffdda5c19b8469efb43b47
SHA5120a8a388971d802c7f56252b90af6261b690d7ca5aaf48bb5bee57ca9b0e2134ed7c8748f15eee27bf522cf801a43e335b6bce1d6038adb103dbfc6ebabc901fd
-
Filesize
457KB
MD5752e814c2a5d197b8065501e786683c9
SHA1c7b5840ab79ec308d0aca9a8f07d59730b31ad99
SHA2565b387c65f0c677d415a3ec75fc314ecf4825b85cc8316575267ece340810c3f7
SHA512af4bad6716f4f57e776145eb68f64d31c0fb2146b02ccb3dcda1a864215b9aeaa80abd5314d999a0bef721185c62f38463da6caba1eb7eb95c86c22691c510bf
-
Filesize
8KB
MD5911a5a213762001178a48b2ceefa1880
SHA1de9b25ac58e893397ab9ad3331bd922bbd5043ae
SHA256273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9
SHA512cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9
-
Filesize
647KB
MD5b314bd03990cf08f3ca04dd98ece3e9c
SHA1760dca4682edbefb1bb8636bf1011207b763a7b0
SHA256c6b1edc51c705e8f46ab7b2ddc03378e0f2bdcc4948578eff870aad6d421acd1
SHA512b331dff33995e4e2c7e926cd4f0ea2d40da972924d05d28fe0db2f8de92d0cad5a48ce95819f7243c7efadce11d1ecf17e093c1a7bed9497520123c8715fa47a
-
Filesize
14KB
MD53809b1424d53ccb427c88cabab8b5f94
SHA1bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e
SHA256426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088
SHA512626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee
-
Filesize
4KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
260KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
260KB
-
Filesize
40KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
892KB
-
Filesize
64KB
