Overview

overview

10

Static

static

3

JaffaCakes...da.exe

windows10-2004-x64

10

JaffaCakes...da.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2025, 00:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_bbd910ccf1ce3ce9387cb12e155906da.exe

  • Size

    481KB

  • MD5

    bbd910ccf1ce3ce9387cb12e155906da

  • SHA1

    bd4560936a47a8be0477ad71f2d57b23924ca1d6

  • SHA256

    91a3d0a27502ce767f46347ca27bb61a98e48a1fb0c46146032655614ee7dd1f

  • SHA512

    5872c3a08f7edd2ad0d6a76523bb986528842f8688a49a76d86a47d853f969041df725c31789b5b047a6b0432ff16df0c103cd5427845efe986debfd98cc656f

  • SSDEEP

    12288:SRhe2z/VgX5qSj1oe2xyLO2ohMMiQ3hV7uZTnjOI/0B8yIrV:nq+jjJ2xyb6DqZjjx/0jc

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd910ccf1ce3ce9387cb12e155906da.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd910ccf1ce3ce9387cb12e155906da.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Windows\SysWOW64\Sys32\NSSE.exe
      "C:\Windows\system32\Sys32\NSSE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4024
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Sys32\NSSE.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\SysWOW64\Sys32\NSSE.exe
      C:\Windows\SysWOW64\Sys32\NSSE.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2848

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@45D3.tmp
    Filesize

    4KB

    MD5

    ce1db3d8d9e4b75ff749d38ca718a257

    SHA1

    5c7cc462e57f623c7d7a8c2a47467afc4927b4a4

    SHA256

    885d61204eff764496c6813967c4b4097cba7fcfb72e9571faabf1f4b5d473d9

    SHA512

    f6ee073336493f315b9644bf89526584a2aa9595626b51580faf1184e76f18718b696658288634737a9581d7ae27f36653243263ad35f0c9459001ba9892b160

    Download Submit

  • C:\Windows\SysWOW64\Sys32\AKV.exe
    Filesize

    391KB

    MD5

    d2a65f5bcd35a551de241ff7db55ee10

    SHA1

    4037d2c5d08dcf5e9dbad74b577cbab419335a99

    SHA256

    b6de4fd78f2f9ba6ab981d4edc5a820b8a23bd8a5fd7cf9188f18168d94154db

    SHA512

    492b078f31dd41b46a58fdc938d391e283e7a2f50a7a514497926ad2c68f426bda91459dcba5fddc07d18e2216c632d6561fa4deb28f1d570bd656d0c3b1c4b3

    Download Submit

  • C:\Windows\SysWOW64\Sys32\NSSE.001
    Filesize

    504B

    MD5

    5c47113f2148c39b0c319934c80c9c1a

    SHA1

    ec80004278baeaa046bef8cfa4b8a92458a0cd27

    SHA256

    e44603f7b357b13eb73d59206c20fdfad685a4ec9c6608f67709acdb81aeee8e

    SHA512

    522b1deb73f2c2a03c3f715a8c734b5550d8f419c013bad5df46e489906ac1b0058b0abd52195f94f23594af1c560d3197e2ca5ad956a20c3215b0b05bb81f26

    Download Submit

  • C:\Windows\SysWOW64\Sys32\NSSE.006
    Filesize

    7KB

    MD5

    f88c78041afe02325aaed6f171ef23cf

    SHA1

    7a502ed670e5148a3d43d90e6b225926e3455f0c

    SHA256

    f80f5ec2826fbcb1b7a0b40b77e520d00ce25be52fae068b947868bbe93a406e

    SHA512

    1370e3cdfaedfbaa4c9d4e58520e6242316a629b671fae0664944cbe40ca6ef22230e2ec5b06698f6f1a1464ce4a57881655b5358d987f578caf766ac7e8e75e

    Download Submit

  • C:\Windows\SysWOW64\Sys32\NSSE.007
    Filesize

    5KB

    MD5

    7073fbcfe75154326946919c8f86ebc2

    SHA1

    ba81cf37f06826ad6617e97b5a47538251024b4c

    SHA256

    89e3eb1103d75072346d3b454cde5efa92d7bb6f89f2d972b18fe0becf6db4e2

    SHA512

    7e9fcfd14460eebd02093f560d3fca6a198fc0b5592c3905be2efadd9bfafa24277a5155a54e4eaecfdf5829068e41969b0b97f70f5969fd1efafccfa870ae7b

    Download Submit

  • C:\Windows\SysWOW64\Sys32\NSSE.exe
    Filesize

    476KB

    MD5

    93285f6ebc9657feb0724435db46e246

    SHA1

    f7762091e7cc91e6007f273284a59f74c36ff104

    SHA256

    2d44177550adda3ae9d69e7f5bb51557a7d5b1c23902d84e5a2ce9c1fe079d15

    SHA512

    0992893a78a4a66eea62057207717f91154ea16ae140bc62878968703496106a953c55a35b6ece0d081d521ece62fa9607d56fcab28d33ffdea0e80f0aa76c8d

    Download Submit

  • memory/4024-23-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4024-27-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

    Filesize

    4KB

    Download