Overview

overview

10

Static

static

7

JaffaCakes...00.exe

windows7-x64

10

JaffaCakes...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    10-02-2025 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_dd7697a332318969cdbd244db0d07e00.exe

  • Size

    3.4MB

  • MD5

    dd7697a332318969cdbd244db0d07e00

  • SHA1

    866f17817ef2c73d0f22f8531f95193e5a48d3ea

  • SHA256

    f87fb215a4a40b819e4b5f4649c3c8d16a1967d74d37605e4b8ae4ed9b3dd645

  • SHA512

    d0eb46f7e61a97b90f5918172db4137416002ee4f879b169f4921bd159fd68376887af155d618671a462d221d6c5dc6b1c5473c03bb483d98cd0c0d5dfaf04cc

  • SSDEEP

    98304:CRvzDoTBuzt0NnfBJe63tzua39N7xdLKXKmT7EWlzZf/2WPhmIJ1xlo:EDotuzt0Uvf/2WPhy

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealerthemida

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 16 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 4 IoCs
    defense_evasion
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd7697a332318969cdbd244db0d07e00.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd7697a332318969cdbd244db0d07e00.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im egui.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ekrn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Users\Admin\AppData\Local\Temp\nwHook.exe
      "C:\Users\Admin\AppData\Local\Temp\nwHook.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2576
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im egui.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ekrn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\28463\XRBT.exe
        "C:\Windows\system32\28463\XRBT.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nwHook.exe
    Filesize

    2.3MB

    MD5

    79e4a64321b363408a7f90178022fa45

    SHA1

    82fe22ec347e4ac5b2c63de6e3a2037de3a0837b

    SHA256

    437d8490a68859abd7a8bd440a5e8d46368b94a8ef11d08799435306e7cae2c5

    SHA512

    c83b8f5b11e88798375232455ba8c9f1333c1bf25686938cd71b35fe807007e8f07c9521a94e9b496afd585384ca6f0623c61d5429164b64898beef9f347adea

    Download Submit

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    395KB

    MD5

    b8fa30233794772b8b76b4b1d91c7321

    SHA1

    0cf9561be2528944285e536f41d502be24c3aa87

    SHA256

    14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

    SHA512

    10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

    Download Submit

  • C:\Windows\SysWOW64\28463\XRBT.001
    Filesize

    538B

    MD5

    106a87fa99d0aabba84586a7c72e2fc6

    SHA1

    bc983dc2f251fde08c9d5b36ef02b6d5ad73d678

    SHA256

    03ae6c2b041e48cbfcaea63cc867ddf2b1bf5f956efa35e4bb5c1b08c022e16b

    SHA512

    82f8fd90d39490b0a6c077241c1ba8a5ce20b61f5340d041a6e2de48816b33a706fd75244ab1cf4c2e99dcaf1fc8bfd7aee91ab5e526ac909c464b0d5120adcd

    Download Submit

  • C:\Windows\SysWOW64\28463\XRBT.007
    Filesize

    5KB

    MD5

    b5a87d630436f958c6e1d82d15f98f96

    SHA1

    d3ff5e92198d4df0f98a918071aca53550bf1cff

    SHA256

    a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

    SHA512

    fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

    Download Submit

  • C:\Windows\SysWOW64\28463\XRBT.exe
    Filesize

    473KB

    MD5

    17535dddecf8cb1efdba1f1952126547

    SHA1

    a862a9a3eb6c201751be1038537522a5281ea6cb

    SHA256

    1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

    SHA512

    b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@580F.tmp
    Filesize

    4KB

    MD5

    c3679c3ff636d1a6b8c65323540da371

    SHA1

    d184758721a426467b687bec2a4acc80fe44c6f8

    SHA256

    d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

    SHA512

    494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    480KB

    MD5

    35bcfc4516f908e03f9c081d52fad185

    SHA1

    af1a8849375acd1ba29cb262e60a8a2285d967ef

    SHA256

    ebcd0a5124134fc9cfa850e979d678e68d11819cb8830cb895de43a77b979d85

    SHA512

    3edd418f37f3ad764c16b7cd1575c9a66ae83bdac251865feb9d91450e1689a976af0135bf1bfa02d938436d4d1bf95d35e93ed2ab12735df95ce649c5112f1e

    Download Submit

  • \Windows\SysWOW64\28463\XRBT.006
    Filesize

    8KB

    MD5

    43f02e9974b1477c1e6388882f233db0

    SHA1

    f3e27b231193f8d5b2e1b09d05ae3a62795cf339

    SHA256

    3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

    SHA512

    e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

    Download Submit

  • memory/2188-0-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2188-22-0x0000000000401000-0x0000000000407000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2188-21-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2188-1-0x0000000000401000-0x0000000000407000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2576-25-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2576-24-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2576-59-0x0000000000400000-0x0000000001F72000-memory.dmp

    Filesize

    27.4MB

    Download

  • memory/2576-60-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2576-61-0x0000000000400000-0x0000000001F72000-memory.dmp

    Filesize

    27.4MB

    Download

  • memory/2576-62-0x0000000000400000-0x0000000001F72000-memory.dmp

    Filesize

    27.4MB

    Download

  • memory/2576-63-0x0000000000400000-0x0000000001F72000-memory.dmp

    Filesize

    27.4MB

    Download