ardamax | a4e6526a357906ea3b7927e14a0666a617524a57802186df171036e2402a534d

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b6592e85618cb4980154afc48a772861.exe
Size

340KB
MD5

b6592e85618cb4980154afc48a772861
SHA1

2bd2465946bdd5bcd915b74f7c40b0e546eafcbf
SHA256

a4e6526a357906ea3b7927e14a0666a617524a57802186df171036e2402a534d
SHA512

83f892324315d4d2930200daac5ad6d42df0824e64bb71b09a9a6693ef3fd518883b5b715ac0d76dae8542abef6fb10ddab24deed27229a9d855250d0ec9d17d
SSDEEP

6144:UWEinW9CCIeFeiMtS2TO5XWCMax5vDiKBdbwyc2Gip7Sqi5lsXDxXH2PJFD:UWQ9CC/XeTDCBxN+KzLc2Dp7Sl6XFH2T

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024302-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe

Executes dropped EXE 24 IoCs

pid	Process
4120	AutoClicker.exe
3560	AutoClick.exe
4780	AutoClicker.exe
3136	AutoClicker.exe
5680	AutoClicker.exe
2492	AutoClicker.exe
1048	AutoClicker.exe
2376	AutoClicker.exe
3904	AutoClicker.exe
3812	AutoClicker.exe
3416	AutoClicker.exe
1348	AutoClicker.exe
1432	AutoClicker.exe
5408	AutoClicker.exe
3268	AutoClicker.exe
4324	AutoClicker.exe
4332	AutoClicker.exe
1720	AutoClicker.exe
3480	AutoClicker.exe
4736	AutoClicker.exe
1528	AutoClicker.exe
2232	AutoClicker.exe
5924	AutoClicker.exe
4424	AutoClicker.exe

Loads dropped DLL 1 IoCs

pid	Process
6056	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoClicker = "C:\\Windows\\SysWOW64\\AutoClicker.exe"	AutoClicker.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File created	C:\Windows\SysWOW64\AutoClicker.006	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File created	C:\Windows\SysWOW64\AutoClicker.001	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe
File created	C:\Windows\SysWOW64\AutoClicker.007	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe
File created	C:\Windows\SysWOW64\AutoClicker.exe	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe
File opened for modification	C:\Windows\SysWOW64\AutoClicker.001	AutoClicker.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024303-20.dat	upx
behavioral1/memory/3560-28-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/3560-124-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClick.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5948	WINWORD.EXE
5948	WINWORD.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
5948	WINWORD.EXE
5948	WINWORD.EXE
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe
3560	AutoClick.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE
5948	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6056 wrote to memory of 4120	6056	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe	86
PID 6056 wrote to memory of 4120	6056	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe	86
PID 6056 wrote to memory of 4120	6056	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe	86
PID 6056 wrote to memory of 3560	6056	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe	87
PID 6056 wrote to memory of 3560	6056	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe	87
PID 6056 wrote to memory of 3560	6056	JaffaCakes118_b6592e85618cb4980154afc48a772861.exe	87
PID 1724 wrote to memory of 4780	1724	cmd.exe	112
PID 1724 wrote to memory of 4780	1724	cmd.exe	112
PID 1724 wrote to memory of 4780	1724	cmd.exe	112
PID 1132 wrote to memory of 3136	1132	cmd.exe	117
PID 1132 wrote to memory of 3136	1132	cmd.exe	117
PID 1132 wrote to memory of 3136	1132	cmd.exe	117
PID 1316 wrote to memory of 5680	1316	cmd.exe	120
PID 1316 wrote to memory of 5680	1316	cmd.exe	120
PID 1316 wrote to memory of 5680	1316	cmd.exe	120
PID 3824 wrote to memory of 2492	3824	cmd.exe	123
PID 3824 wrote to memory of 2492	3824	cmd.exe	123
PID 3824 wrote to memory of 2492	3824	cmd.exe	123
PID 4412 wrote to memory of 1048	4412	cmd.exe	129
PID 4412 wrote to memory of 1048	4412	cmd.exe	129
PID 4412 wrote to memory of 1048	4412	cmd.exe	129
PID 5052 wrote to memory of 2376	5052	cmd.exe	137
PID 5052 wrote to memory of 2376	5052	cmd.exe	137
PID 5052 wrote to memory of 2376	5052	cmd.exe	137
PID 4448 wrote to memory of 3904	4448	cmd.exe	140
PID 4448 wrote to memory of 3904	4448	cmd.exe	140
PID 4448 wrote to memory of 3904	4448	cmd.exe	140
PID 4344 wrote to memory of 3812	4344	cmd.exe	143
PID 4344 wrote to memory of 3812	4344	cmd.exe	143
PID 4344 wrote to memory of 3812	4344	cmd.exe	143
PID 452 wrote to memory of 3416	452	cmd.exe	146
PID 452 wrote to memory of 3416	452	cmd.exe	146
PID 452 wrote to memory of 3416	452	cmd.exe	146
PID 1956 wrote to memory of 1348	1956	cmd.exe	149
PID 1956 wrote to memory of 1348	1956	cmd.exe	149
PID 1956 wrote to memory of 1348	1956	cmd.exe	149
PID 6084 wrote to memory of 1432	6084	cmd.exe	153
PID 6084 wrote to memory of 1432	6084	cmd.exe	153
PID 6084 wrote to memory of 1432	6084	cmd.exe	153
PID 3596 wrote to memory of 5408	3596	cmd.exe	156
PID 3596 wrote to memory of 5408	3596	cmd.exe	156
PID 3596 wrote to memory of 5408	3596	cmd.exe	156
PID 3224 wrote to memory of 3268	3224	cmd.exe	159
PID 3224 wrote to memory of 3268	3224	cmd.exe	159
PID 3224 wrote to memory of 3268	3224	cmd.exe	159
PID 4596 wrote to memory of 4324	4596	cmd.exe	162
PID 4596 wrote to memory of 4324	4596	cmd.exe	162
PID 4596 wrote to memory of 4324	4596	cmd.exe	162
PID 3008 wrote to memory of 4332	3008	cmd.exe	165
PID 3008 wrote to memory of 4332	3008	cmd.exe	165
PID 3008 wrote to memory of 4332	3008	cmd.exe	165
PID 5320 wrote to memory of 1720	5320	cmd.exe	168
PID 5320 wrote to memory of 1720	5320	cmd.exe	168
PID 5320 wrote to memory of 1720	5320	cmd.exe	168
PID 244 wrote to memory of 3480	244	cmd.exe	171
PID 244 wrote to memory of 3480	244	cmd.exe	171
PID 244 wrote to memory of 3480	244	cmd.exe	171
PID 4836 wrote to memory of 4736	4836	cmd.exe	174
PID 4836 wrote to memory of 4736	4836	cmd.exe	174
PID 4836 wrote to memory of 4736	4836	cmd.exe	174
PID 5584 wrote to memory of 1528	5584	cmd.exe	177
PID 5584 wrote to memory of 1528	5584	cmd.exe	177
PID 5584 wrote to memory of 1528	5584	cmd.exe	177
PID 5592 wrote to memory of 2232	5592	cmd.exe	180

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6592e85618cb4980154afc48a772861.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6592e85618cb4980154afc48a772861.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6056
- C:\Windows\SysWOW64\AutoClicker.exe
  "C:\Windows\system32\AutoClicker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4120
- C:\Users\Admin\AppData\Local\Temp\AutoClick.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoClick.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3560

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5948

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
PID:1416

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
PID:4588

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
PID:3644

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
PID:4532

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
PID:5176

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
PID:636

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StartRepair.dot"
1⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6084
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5320
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5592
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
PID:4788
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\AutoClicker.exe
1⤵
PID:2376
- C:\Windows\SysWOW64\AutoClicker.exe
  C:\Windows\SysWOW64\AutoClicker.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4424

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@952B.tmp

Filesize
4KB

MD5
bcd11f6196ccc341769ee0d9c0f6933c

SHA1
2750161468f9f1eb70ccdc0d49fc87ad0b84d946

SHA256
0f66f18e0fd835faa539780701814f7d1958451b83736db7bb657e83dd33fac1

SHA512
bef76f78bc195af8c8524d17f9ab149a7c1510146456cb758fd96114029860445885810094f616aa1d707183e9f0232b9006c71b83c24f3f6426e4fa75476474

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoClick.exe

Filesize
170KB

MD5
c8ce9e64203ff06f6b7314eea363d711

SHA1
34b2428a783a8dbc1c23c0124cd937885a870de6

SHA256
fb8b6f4d86fe444c1494eaa0ea907aa8c3a846e72d44ba25d676837b3a9e84c1

SHA512
b6ce6bea88c037b99c0ee1848c8d6354cbe48c96318310e13c525d06ea95e6af6cb9e920ea0d865ed97449cdf191d124ea7f6e88e7c8374fc8c32b3ceec91f7c

Download Submit
C:\Windows\SysWOW64\AutoClicker.001

Filesize
1KB

MD5
cbf87a9f32b8d89108c5f3b3f2694980

SHA1
8372ad4fda563e22335f27e834cae2465b41d73f

SHA256
eb345b8d75d103b634a2d13afe3c9049641b2721fb4f5a8b6b975ea43cee45ae

SHA512
d2ba85f7f9cb1cf9e848be02e33639764f3dc139318f45f151e568b2c9844436a1530955efb322b4bee8d0d6bdb24ebd4e074dc157b66d7bb586c92def7ff9e1

Download Submit
C:\Windows\SysWOW64\AutoClicker.exe

Filesize
239KB

MD5
430b9518a1cf51dacae03cc0602f945c

SHA1
774f001c3b537aaa230ef85cefda64a9e3f3640a

SHA256
58f3618151b37c60da1945dc27d4a20a7dd65d83ab3383ca9ccaff0504a1cc78

SHA512
6d21e4554121edc5ad991bdaec9e318f3dc8e8dc8951f7e45c5c4fe948d5876a772df4cd6b8e109df6594badda35076ca451f57ac031c15baf8c5916d9f85a46

Download Submit
memory/1416-45-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/1416-43-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/1416-44-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/1416-46-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/3560-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3560-124-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5948-34-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/5948-41-0x00007FFB36080000-0x00007FFB36090000-memory.dmp

Filesize
64KB

Download
memory/5948-47-0x00007FFB36080000-0x00007FFB36090000-memory.dmp

Filesize
64KB

Download
memory/5948-35-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/5948-32-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/5948-33-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download
memory/5948-31-0x00007FFB388D0000-0x00007FFB388E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads