Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-02-2025 16:37

General

  • Target

    JaffaCakes118_00c846b000c24ea51bc604584b9a97fb.exe

  • Size

    2.1MB

  • MD5

    00c846b000c24ea51bc604584b9a97fb

  • SHA1

    12164d27406c022ce32f44a79cc0f05f78baafbe

  • SHA256

    74e730caa09ff7493b473768edf26b9477ba6f7f2dfd9cd0d80749429c7dce52

  • SHA512

    71ad7eba90919613e96329bcdd3d7d5ea24f4e445a678d2e79945369bcd1f9ab841c5555528b62abccc89011bdfb665c1524f5f369747de589914df509c46a42

  • SSDEEP

    49152:w2y4cgp1vSmQG0Il3lvSIwcSa8zb8sitwSVo1au2kVLBws5dd:hpv10qlvSJcIim+o1aW53

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c846b000c24ea51bc604584b9a97fb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c846b000c24ea51bc604584b9a97fb.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:4708
    • C:\Users\Admin\AppData\Local\Temp\KL.exe
      "C:\Users\Admin\AppData\Local\Temp\KL.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\BDXTSX\AGE.exe
        "C:\Windows\system32\BDXTSX\AGE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2404
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00c846b000c24ea51bc604584b9a97fb.exe"
    1⤵
    • Modifies registry class
    PID:1632
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\KL.exe

    Filesize

    1.1MB

    MD5

    ca1415556cd1f731c691397dd278020e

    SHA1

    4352374dd669b0ac19212faaf433089c593bc202

    SHA256

    90f36bc829003903e2c4c549512d18af14b91c6001f6c160f5e1aa90202c98d7

    SHA512

    1691e37c19ba00532613db56eaaa1658d5ec213d1221561a4b2e027be586160b19cb616de3828906eb8c53501b681c2e8c2122b5debd8aee1b895237de59f73f

  • C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe

    Filesize

    916KB

    MD5

    5453dc066f434e5c32666073fb29660c

    SHA1

    9edee7595fbd88ca82d3a542bb50656efbea5655

    SHA256

    9068400695ddbf4eb2e56fbb579a9ecb3ba38ba5cc03173ec95697e155152d8f

    SHA512

    6e452f56a9010119e5818267832659e01167e0dabf286773edfef01c9fb6fcdfd1063d55df2ffe49c2d7233932d1773444a7e88d4d25e702ef964b8118a50459

  • C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe

    Filesize

    916KB

    MD5

    ced31ef928c4d07e86b984835ff53365

    SHA1

    4314f286cdf439fded902b9f9f13f385683990b0

    SHA256

    43be8c2d898cbbe28fb7b0bf0a2210839c5ff4d92b5dcdf93ff83deabbb48a7d

    SHA512

    eef956ed61a716d7681af84782a2d5b1735636ceac775e274f0433fbdd71068d07d3b6c9aca6286be3d2f7f5d1c18aefdc08f12123d67a150adff8529d823903

  • C:\Users\Admin\AppData\Local\Temp\vc-mp_0.3x_installer.exe

    Filesize

    952KB

    MD5

    ea1f7ef5ee61a52c99fecdfd89b90cef

    SHA1

    7df65740b6b18ff3b27a3580262ef6c0e4e13271

    SHA256

    ad74bb0f8b65fe3213403f15b4985d1783f07b33bbe9054059f04814aa71f89d

    SHA512

    1325d5e5d65cafd21b693c30dab1d89937b2159afe5a72c866b4257b345175b9e3e44caca1105e328ddb01ff93c9681b712baadcd13b5d945a4468dafd6e69b7

  • C:\Windows\SysWOW64\BDXTSX\AGE.001

    Filesize

    61KB

    MD5

    9c4ffd88e48548e4d16312bd91c317a9

    SHA1

    0e7bf403d4803af625576c71e9dc6c0534e84984

    SHA256

    2776e8682161ef789546837ff0d8bc2aa828f93409b9fd37f534b5ae72818040

    SHA512

    db95e1ac45b0c64fd0f5a3e74b8a9096afa2538035651551c48457aefdaa18d747c11f56aa4506ea71e2619307ec79c92998d8fa9ef29cb7d5fb840435172fb0

  • C:\Windows\SysWOW64\BDXTSX\AGE.002

    Filesize

    43KB

    MD5

    7fd0b22a5c7360208b6861ee9d219d55

    SHA1

    6147665d86d49605d2ffc37950a16836b269d1b9

    SHA256

    bd7adf27da25406c9714536bf5724875a5d753ea8269df537ff4c0ac295b48c0

    SHA512

    23ab4b7609ba522652d6ff1e3b0e52d5e0c8d01150e3bcc4133133b724d7b22d4e4834b338e865c62df5959b76ed92194018cec1d73e17359116ba177f016704

  • C:\Windows\SysWOW64\BDXTSX\AGE.004

    Filesize

    1KB

    MD5

    91cb5cf0aa13bd2a20ff141dd62858e4

    SHA1

    4167611c72079d6d6474167fd5f6f57abf5dde50

    SHA256

    ea0e038ec8368e34acd2c512bd72eb8250f093582db93ed7a79b0524a60bc9ea

    SHA512

    25389c4777964e2c37c0248b1d6aa04d8383ed9504492351ccf5a1964bb00f660737635402179d3fc74b80d49d41a56aac8c36e75f86ae10fc938c6f69e22fac

  • C:\Windows\SysWOW64\BDXTSX\AGE.exe

    Filesize

    1.7MB

    MD5

    6192c0937d2475353ab65739bd44140d

    SHA1

    a8b2ae6b5ee330e815d052a0601224cbd5eaf07a

    SHA256

    bf73c24bd79abbcc4596dd8ec6a40b5b763a4006bcbe525b6680d5915055a0c6

    SHA512

    cb5c821dee9a626376629f8b3ce8348ab0e9e26e494df44dfc2a0996a06ba6e86c3e1cb9b58961159c14eb97e6224aadb499bcbbf05fe7ecdef0ebb33bce2f55

  • C:\Windows\SysWOW64\BDXTSX\AKV.exe

    Filesize

    456KB

    MD5

    a626ea63014bb99b64c76f9170e91370

    SHA1

    62ceedb9dcc073d0ecefe5b741724c601ada5d9b

    SHA256

    248fd5fa06f81efb5d66d1be594dc01c6fb13f15aac9fd3d35a471838c21b851

    SHA512

    2d37163927d00e67ca242eec32ddf84dc7e298320b6c628d0e6e5a885152a70dfb575bc1a6f2765d91fdee8735dd3841edffd91ad7ed9195ffc0ae7bcd01238c

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/3928-37-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4136-18-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4488-83-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4488-90-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4488-55-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4488-84-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4708-54-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/4708-80-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/4708-78-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/4708-56-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/4708-33-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB