Overview

overview

10

Static

static

3

JaffaCakes...9f.exe

windows7-x64

10

JaffaCakes...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-02-2025 21:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_d3e58c76f566bf84668b2c2007bf529f.exe

  • Size

    183KB

  • MD5

    d3e58c76f566bf84668b2c2007bf529f

  • SHA1

    2db36af360f44f6a68d869fbbc8a1d1c3fea788f

  • SHA256

    bcc583721f5034f8f04624167a63fdc0aefc4d9ad80e1f960d2c544ac29ebf8a

  • SHA512

    d6ea553d9bb8871e374c2d07f42c4209ec01b68606fe15532d703d1380f9eb4b8aa0c8ff62b91b8a1c85dd5b98ed2cb3adb8f16e9a016e2e05d3e356d4617e33

  • SSDEEP

    3072:8CNmpyGHjyHDcofcfLbJAq2aWCGut6qOJT78qyHns0QwBsUU9gYa1IS4huryDBJ3:NmpyGH6cofMJAq2aIH/TyytUka1nGfjD

Score
10/10
ardamaxdiscoverykeyloggerstealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3e58c76f566bf84668b2c2007bf529f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3e58c76f566bf84668b2c2007bf529f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\STT.exe
      "C:\Windows\system32\STT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\STT.001
    Filesize

    2KB

    MD5

    193b5f2a1d5cd4aa9b11a548ce3cfb43

    SHA1

    fc24798df1a129751e355c4f606de289cae14145

    SHA256

    57c97b2d62fef9b9712ba84f4e6ee047ec6b1f4acb2974ee1a051adff90a06d4

    SHA512

    48af1fb95a184fd97fabc0ef40c934feac80521afd15511af542be6ca4ceaef85452398ce3b872b513b796f7c82ee96e49fa9199c8280eac10bb801d54dae364

    Download Submit

  • C:\Windows\SysWOW64\STT.007
    Filesize

    6KB

    MD5

    7a33b9dca6783fb5711472e98513a8c1

    SHA1

    52c7aae5982a574ab41c6b3e82cc7c419ce4a442

    SHA256

    19235752f09ce0836023f2ba01ec7f5e392db01e7d779074b6797999c8c4ea4c

    SHA512

    b66a2a20b2d743e14f69546bc8fb0a04792ce339f1173a45d2f54b596f4a5afadacd9dafcbc8dc25a782fe79352974c88c49f04fa678fdcb0f3db5902f3821ee

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@9F5B.tmp
    Filesize

    4KB

    MD5

    5863c3b7bec6372f367c3f42cc1105ec

    SHA1

    9c9414a3cf1504b28d936973b8147df84983b59d

    SHA256

    3449494fdd3daaac63495df4cf73cc27086ccd152ece659133067e5e6eee436c

    SHA512

    12e1bb1209a58de8c60746a7d574ea2f3b4277193a81fd9026b5ac1d552a2edd4b4a773cd133be0da709fa0b8088783001b27bac3c1217ea1407cead333e750c

    Download Submit

  • \Windows\SysWOW64\STT.006
    Filesize

    4KB

    MD5

    019d10bc430fd84e3f223bfac3faa5b4

    SHA1

    0f37138332bcc89eaeb46d6c976fbc69f9148692

    SHA256

    6cd95259be1dbc9f31024c483b467c43f21beea2b993bc8aeca9840ceecfdfee

    SHA512

    7fa34c7568962b2d119fb2ed88fb7e039958d40aee46557f36c9f15353fc8b4708a6e3740335722b4097082df6017857f12f4fa7956e7157ddc69f11f0f04e94

    Download Submit

  • \Windows\SysWOW64\STT.exe
    Filesize

    274KB

    MD5

    f3f89e6c7d3a945925c96aec2e31713c

    SHA1

    531c392af29754db7001d3bfe121c4bf8f13ed6a

    SHA256

    1678576aa51c7560b18a759bf610e1387c11b353b1af42026eabf217a371f2e6

    SHA512

    1de6b8f6bae5403b5c746b3e3ef9c6d6bad7aaddd6940c46820bc62f27cfc3628f95d105385c7a8c8d0b8f1f11eb534517ec3efcbafd81ecec895e00a63a92f3

    Download Submit

  • memory/2540-22-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-27-0x00000000761A1000-0x00000000761A2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-28-0x00000000761A0000-0x00000000761CA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2540-29-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download