Overview

overview

10

Static

static

3

JaffaCakes...89.exe

windows7-x64

10

JaffaCakes...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/03/2025, 20:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_77d740397b9113c8d0993c89a23b3189.exe

  • Size

    969KB

  • MD5

    77d740397b9113c8d0993c89a23b3189

  • SHA1

    f4458842259a0204929280377b03d41c5fac3929

  • SHA256

    22e46774f6aa325bbf3cf484ac39084fc2ba38811d893391cff5dccb4e478099

  • SHA512

    6ebe238f162a46de9ae1743364e17187f0509e22ccf3cf18d8056ac179cd6c8bdbb63a5a1a5dc5f6c044ff4ce84d54c46973ba62975afaece8e667085ea50677

  • SSDEEP

    24576:5qxUfyvlzN7gvAO4XujGCVZR+THWNIrjl3f+ZAW4HM/mKTz1:5qxhtzNVO4XujGCvsTHDfl3RW4s/mKP1

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77d740397b9113c8d0993c89a23b3189.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77d740397b9113c8d0993c89a23b3189.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\sxeAB3F.tmp
      "C:\Users\Admin\AppData\Local\Temp\sxeAB3F.tmp"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\installkk.exe
        "C:\Windows\installkk.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\Sys32\AMBV.exe
          "C:\Windows\Sys32\AMBV.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2740
      • C:\Windows\installkk.exe
        "C:\Windows\installkk.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\Sys32\AMBV.exe
          "C:\Windows\Sys32\AMBV.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Sys32\AKV.exe
    Filesize

    391KB

    MD5

    d2a65f5bcd35a551de241ff7db55ee10

    SHA1

    4037d2c5d08dcf5e9dbad74b577cbab419335a99

    SHA256

    b6de4fd78f2f9ba6ab981d4edc5a820b8a23bd8a5fd7cf9188f18168d94154db

    SHA512

    492b078f31dd41b46a58fdc938d391e283e7a2f50a7a514497926ad2c68f426bda91459dcba5fddc07d18e2216c632d6561fa4deb28f1d570bd656d0c3b1c4b3

    Download Submit

  • C:\Windows\Sys32\AMBV.001
    Filesize

    482B

    MD5

    e69a0d597eae785162c26456af08c484

    SHA1

    e70757b6359d974b9bacfd5cada6465fbd8a4799

    SHA256

    f3d5919ec1f91240d71f6847cb42049c6e10f5e2f47e8c8c7d203da37ccfc9a9

    SHA512

    a0610c43e3a265dc4c83a6908c52f4774068951e730a4ee92374dc12b5e835746b0f308cb90a6cacf5b080f9a70050c3a438477cbda442764a25303224fa576f

    Download Submit

  • C:\Windows\Sys32\AMBV.006
    Filesize

    7KB

    MD5

    f88c78041afe02325aaed6f171ef23cf

    SHA1

    7a502ed670e5148a3d43d90e6b225926e3455f0c

    SHA256

    f80f5ec2826fbcb1b7a0b40b77e520d00ce25be52fae068b947868bbe93a406e

    SHA512

    1370e3cdfaedfbaa4c9d4e58520e6242316a629b671fae0664944cbe40ca6ef22230e2ec5b06698f6f1a1464ce4a57881655b5358d987f578caf766ac7e8e75e

    Download Submit

  • C:\Windows\Sys32\AMBV.007
    Filesize

    5KB

    MD5

    7073fbcfe75154326946919c8f86ebc2

    SHA1

    ba81cf37f06826ad6617e97b5a47538251024b4c

    SHA256

    89e3eb1103d75072346d3b454cde5efa92d7bb6f89f2d972b18fe0becf6db4e2

    SHA512

    7e9fcfd14460eebd02093f560d3fca6a198fc0b5592c3905be2efadd9bfafa24277a5155a54e4eaecfdf5829068e41969b0b97f70f5969fd1efafccfa870ae7b

    Download Submit

  • C:\Windows\Sys32\AMBV.exe
    Filesize

    476KB

    MD5

    93285f6ebc9657feb0724435db46e246

    SHA1

    f7762091e7cc91e6007f273284a59f74c36ff104

    SHA256

    2d44177550adda3ae9d69e7f5bb51557a7d5b1c23902d84e5a2ce9c1fe079d15

    SHA512

    0992893a78a4a66eea62057207717f91154ea16ae140bc62878968703496106a953c55a35b6ece0d081d521ece62fa9607d56fcab28d33ffdea0e80f0aa76c8d

    Download Submit

  • C:\Windows\installkk.exe
    Filesize

    490KB

    MD5

    6f55b6f7280bca191ce8ab94e850186d

    SHA1

    6c770f96b76c8779fe91e6ba9b258e769cbbdade

    SHA256

    9c094f079ba90131b2c2e394c7c4b8be283cda5170ece4489eb81bbf932f688d

    SHA512

    07f4013041af78a685705478eafd65ed3b890a101cd40636c550e4c95d6668e423b7380dfe2784aff2219e0bac936928bee99cab93550ff197bb4a09586159f7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@ABD9.tmp
    Filesize

    4KB

    MD5

    ce1db3d8d9e4b75ff749d38ca718a257

    SHA1

    5c7cc462e57f623c7d7a8c2a47467afc4927b4a4

    SHA256

    885d61204eff764496c6813967c4b4097cba7fcfb72e9571faabf1f4b5d473d9

    SHA512

    f6ee073336493f315b9644bf89526584a2aa9595626b51580faf1184e76f18718b696658288634737a9581d7ae27f36653243263ad35f0c9459001ba9892b160

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sxeAB3D.tmp
    Filesize

    15KB

    MD5

    bd815b61f9948f93aface4033fbb4423

    SHA1

    b5391484009b39053fc8b1bba63d444969bafcfa

    SHA256

    b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

    SHA512

    a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sxeAB3F.tmp
    Filesize

    990KB

    MD5

    07c1dd4fe401e0814b238ea1d5d049bc

    SHA1

    29efe6906f9abf1f9fc365b3c9a7d734e07d8e51

    SHA256

    0a6fd2fe467293885bca2595f0e53059b0c229ce4f5d73ab1c77d0ab4b3c869f

    SHA512

    45252c944d98cce61118af602fb4ef1905b22120766c36b784210994b43298d9c2f1c867ac35b803e39c3b67e5368cf61c69cd3f2e1e67ae5344f66325da3cb7

    Download Submit

  • memory/2532-23-0x0000000000400000-0x00000000004FF000-memory.dmp

    Filesize

    1020KB

    Download