Overview

overview

10

Static

static

3

JaffaCakes...d4.exe

windows10-2004-x64

10

JaffaCakes...d4.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18/04/2025, 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe

  • Size

    534KB

  • MD5

    bd7d3c280ad0ef7f34dd3828e72b00d4

  • SHA1

    626bc847a865666c23f0d2da004be5ae52e1d573

  • SHA256

    969429401a7dfa0eaae80438f340ca74060c60076144937291ebe9a1a0cdef53

  • SHA512

    8dc4211d09ec26e807cde4a63834f0c0b91131b244cab2bec0999e8478516e7e8ffab2f84e11b73436df100cc12910f9fd3969459b62acd48d60c59d5ccaf774

  • SSDEEP

    12288:oIE7Ix3qDYI+XzREE5c278iTG6jvU8BKnN685lwtC:z3qQXzR1780G6J4nN685lwtC

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 7 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\SysWOW64\Sys\IPUF.exe
      "C:\Windows\system32\Sys\IPUF.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5736
    • C:\Users\Admin\AppData\Local\Temp\Patch09c.exe
      "C:\Users\Admin\AppData\Local\Temp\Patch09c.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:5064
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Sys\IPUF.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\SysWOW64\Sys\IPUF.exe
      C:\Windows\SysWOW64\Sys\IPUF.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:428
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x0000000000000448 0x00000000000004D0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4596

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@6E5A.tmp
    Filesize

    4KB

    MD5

    730e7e458c7770fd80947b6ce9f7109a

    SHA1

    ef07be19ec55590ffce101951d12e7c6c5b7aaca

    SHA256

    70033d7c8520fb53a247b355559c3a156e22719e52cf55102edbbcfabc5ad096

    SHA512

    12f141144761e880af6567048036c7c482e6306158454f4c3a7821c1a5f5526771e3c473ddcc9cbe0860d4e61a5d5f092a59567222d0a995cdd1aeda5667a596

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Patch09c.exe
    Filesize

    57KB

    MD5

    180751cebbcefeafa80976033e077367

    SHA1

    f08e27c40e28cca5ce6bed6d59045e8e551a9905

    SHA256

    6a062798c39dd29322e215c593b2dc6b07db9ee152ec2e705dc105a4e5594065

    SHA512

    21a0565bfb2950a6cff3c597a709408455ae8cbbc96ab1eaad4c0a467759b01fee47137bd364722d3ee33a70e582f2b0294d362b9a1d8ab9876a28c4e6f9dacd

    Download Submit

  • C:\Windows\SysWOW64\BASSMOD.dll
    Filesize

    15KB

    MD5

    048c336274723710201a3ab5ce7af260

    SHA1

    c72d1d72b9cc49e11fa3d2cd3d9366bc9be19277

    SHA256

    454deb7962edbeb3260decec8b51a8c2febb9226ebaf627859c02f455af5bcd3

    SHA512

    acd01168b04dd528f583239cc9b2ddf6411a74da0da8e4ab332a8d03cd32381cbf8931e13e027f4a69c0a1a4abe8472f163d33f03b22b76df7d2ef66ad9c7c95

    Download Submit

  • C:\Windows\SysWOW64\Sys\AKV.exe
    Filesize

    390KB

    MD5

    5255e3bd1037d42bbba2365412623a3b

    SHA1

    b473061ee152172ba5e33cae18f55774467a070f

    SHA256

    8e7e780b484bf5a5edce3dbdee2374ace11214b122560146b5859d8359c93655

    SHA512

    86af1d593b480622dcb4835d5f10045452eb20a01a04eba13734fd5bfec2515321072747c8fd4c95714022058e891f7cd55efee00b95d7e51c845aaabf4a793e

    Download Submit

  • C:\Windows\SysWOW64\Sys\IPUF.001
    Filesize

    422B

    MD5

    77f1742aee4a12bac61003faf8dc684b

    SHA1

    21e0273eda131753cc07e175bea9d80385c3a697

    SHA256

    573c4653551a6c6e241800347dac07d661d2050911f48fa6cb4e053239bfcdeb

    SHA512

    a624fcf4b19bd56ffd5f2e72331e7a135524a9156c1fed403debf1a072b490a81a7d87d079dc59a4ee37b195c20ef6b5f7535531966e0d6e75fcb55d5d8ae24d

    Download Submit

  • C:\Windows\SysWOW64\Sys\IPUF.006
    Filesize

    7KB

    MD5

    385d77949ecf6cfdb4f3d15bf29dfbe4

    SHA1

    09bd106320e68a5a14aeb2a34e4f0a6a627c0d36

    SHA256

    39659a7497354c9329be266683ae28be650b7639bca1def42af5d351e265762c

    SHA512

    b9baea0afb78944080598fc11c5f6c76b3adde37838f4fe3c9371fb9508fea03b7ec6775e9fdc65f39a94103cb061970ea8c51ded113701eede00d4a2fda0db9

    Download Submit

  • C:\Windows\SysWOW64\Sys\IPUF.007
    Filesize

    5KB

    MD5

    f50daad1c62b3af9daceddc982d3a28c

    SHA1

    8519625cc16fac60381ea27b3339e62cef15c629

    SHA256

    246af3478a40b10bb54bbfb2aab8fb9965e702836f049dd9db714da8873b42d5

    SHA512

    8451a35d6a037f0224f292baf151e1c367df394bdca0c7c4c90f43c6b275f1f8173af1bf1791005398ca36678b76df3e8e49f51438f9deec86a529a9c81925fc

    Download Submit

  • C:\Windows\SysWOW64\Sys\IPUF.exe
    Filesize

    476KB

    MD5

    b22ecd38fb2828478a5ff60e7a255e16

    SHA1

    078d9e7d975a2769e8c2ad40279e265eff89b033

    SHA256

    c2280b3b99486452228dd51dbd61db2afeb98d3cc5e8e48c5fb314c5af1a913a

    SHA512

    336de2a0a9975a254dad2e87b3c5388e6fd5560fd5d47d0f4f882f216a4e23dc3d8cb894161587d6a1d0d8845fce92589afc41a6db7947de81ffd023764762cd

    Download Submit

  • memory/5064-26-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/5064-48-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/5064-49-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/5736-32-0x0000000000B50000-0x0000000000B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5736-50-0x0000000000B50000-0x0000000000B51000-memory.dmp

    Filesize

    4KB

    Download