Overview

overview

10

Static

static

3

JaffaCakes...1f.exe

windows7-x64

10

JaffaCakes...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-02-2025 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_e7930aa3119849de70ac9cd5f974211f.exe

  • Size

    359KB

  • MD5

    e7930aa3119849de70ac9cd5f974211f

  • SHA1

    19de0ae686e69e1563b865797b00f7e3d209b263

  • SHA256

    48d08800b37074bfb617173dfff1abee3d8af2a15822151653af8d25442966a2

  • SHA512

    b1028a86477a64c4a1f98bbed9f5a1789cbb337df1bb47fac7c25d5d72201a7679e061856fdff94e72706fe8efc222d72eeecb781bc8720f31a4c0c2586f4835

  • SSDEEP

    6144:Kb99ZwNPbgI/ZpVCF0nkYMdZCZkN5I0LfGClTDZVbFmdJROewS6A/g2oQEW:OfZw/plkY2C6DI0zlB6jOep5R

Score
10/10
ardamaxdiscoverykeyloggerstealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e7930aa3119849de70ac9cd5f974211f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e7930aa3119849de70ac9cd5f974211f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Users\Admin\AppData\Local\Temp\Cidade dos anjos.exe
      "C:\Users\Admin\AppData\Local\Temp\Cidade dos anjos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\iexplore.exe
        "C:\Windows\system32\iexplore.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:984
      • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\Cidade dos anjos.pps" /ou ""
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:4472
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkY5NkU3NzQtRkNCMi00QkU5LUJCMTgtOUI0MTUyQUFDOERDfSIgdXNlcmlkPSJ7RDAwRDk5RTAtQzk3RS00RkRGLTk1QzItQjBDMDU2MDYyQjg5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTY4QjA1MkQtNTQxRC00ODU5LUJCQjEtNEY5M0E5ODYzRUU1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDk1MTM0MDk3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@8C23.tmp
    Filesize

    4KB

    MD5

    683f1f1e72a9fd91018e379b0f45c646

    SHA1

    e715798afee630bca17bd35e382626399e608788

    SHA256

    0770043fa8f879787c32f97e915295320738b28dc5c7a07a033df6d9ac5b4e50

    SHA512

    490a8fcc256fb97bdaf0ef7a243998338b3796db448874ed85613a087e16a9e1b0105af3deb57e18db253e550e5c8a0fd02dba1e52f4959937ffb6c587e3b8f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cidade dos anjos.exe
    Filesize

    327KB

    MD5

    e53bcefe67ef4c07fbc68571aeed16bb

    SHA1

    ac43508e3195525348518e43c4514de1023bff2e

    SHA256

    ea6e1cd7b54a6abca274cea4aca81c1d6a3e199c42c417089a6e1a9de655cfd0

    SHA512

    129c2fb2cbdf3e87375ee82342e169cd025b6fa5adef0083fa3f60ddd8e9377f1bc4a7ae57c2727e10f3666bba194191eb5d9fec41196e397cd3aea5f52460db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cidade dos anjos.pps
    Filesize

    135KB

    MD5

    0a14b8ccf3374fb94c2bde7438cedc94

    SHA1

    40704ffc1f37cc819b32dbfa9360ba8b1a694eb4

    SHA256

    78a070c66b86759cb46db93ad6bfff5518a2435ce5fd0695e2130a8b9a049f39

    SHA512

    319b63a8171f073e32b65498584218e736264af03128a6cb1d5ff2ef2a89b67478cb6d3822b17b42397437e033ae4b984f24ce156e9fff23c4b064b9f2807801

    Download Submit

  • C:\Windows\SysWOW64\iexplore.001
    Filesize

    2KB

    MD5

    c960dc2c2ee28c2cd292445bb603dda9

    SHA1

    a736c2b77ef13a059d87158e07d89f46e9ab988e

    SHA256

    a43d34f1374c8d6b0e5ff04711a9cdfe38714147e75ffaa85a19c73e897652fd

    SHA512

    97b5e686557d4dee78c824bbe642c4b6e08db807dfb892c76ddd42c978fcbba4c390745ebf70e9858afbc3e59f3df07f976d61e76e7d43496fb6152f0b174f97

    Download Submit

  • C:\Windows\SysWOW64\iexplore.006
    Filesize

    5KB

    MD5

    b8e130b146557e640cb3e198f3d9110e

    SHA1

    c1cbebfce4e3af8ced7d1019586e91c371432d78

    SHA256

    3dbca63a39382e4c25d0b02e668ba72c5c81071bb62937ec939325f1f89926a1

    SHA512

    bc858367e64188c3a365fff4c7986e86d6d666651b2421e3b96fe06836aede073f2228349f66f1836e6ef98bb8e5120354c54a0fb13059e5b875bbf34ed7868f

    Download Submit

  • C:\Windows\SysWOW64\iexplore.007
    Filesize

    4KB

    MD5

    097c525e86f64364479227f1603a0221

    SHA1

    c84897900f59cbff5f607368ceba93bfc5273998

    SHA256

    1b62745c0181f36b7c0227225da12c0d357fd6f14ff8a0ea8484fd4a9c6bf766

    SHA512

    b52b9d51c3bb50fab292c8bf13d2d87694391481742830c266f4512b2e33a16b852cdbf3faea7f5945b60415a12d1d6a0e9319500cb769b12e0a03357f66ef12

    Download Submit

  • C:\Windows\SysWOW64\iexplore.exe
    Filesize

    295KB

    MD5

    2b8def730c5bab9d9b58e117af9fb84a

    SHA1

    090c2c4f0309895bad639ba1c0af21d1eb70d987

    SHA256

    759f339edba9126cd77ee621e6852f281b9a3190bc4aa17711164bac5ece41a7

    SHA512

    809aa7300e4bef33489f4166fd5b8245a9b9523c9fd908a37b51a0384966f8f036ac09fbca3730bb04b98ff976c17380ddc4c2ed75dbda51350f049b3d0bf48a

    Download Submit

  • memory/984-31-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/984-58-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4472-35-0x00007FFEA3310000-0x00007FFEA3320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-36-0x00007FFEA3310000-0x00007FFEA3320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-38-0x00007FFEA3310000-0x00007FFEA3320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-39-0x00007FFEA3310000-0x00007FFEA3320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-37-0x00007FFEA3310000-0x00007FFEA3320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-43-0x00007FFEA10C0000-0x00007FFEA10D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4472-44-0x00007FFEA10C0000-0x00007FFEA10D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-9-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download