Analysis

  • max time kernel
    140s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250313-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18/04/2025, 11:20

General

  • Target

    JaffaCakes118_bdd2a3840b3c1f63e435e67cbe2de348.exe

  • Size

    585KB

  • MD5

    bdd2a3840b3c1f63e435e67cbe2de348

  • SHA1

    30e1e8cb31fb87e8430dd6acdf2777c0878fb784

  • SHA256

    94d8f9fbe794f971bb2769418981c2a7b5af78afe340f92dafbb2ad1eb71b91e

  • SHA512

    2fce83239ae6a87759b6f80ea4b7a7b0f920525382a21262fb84663f9c8c7e714a5930f8eb035854d711ba7e0781e035dda9b664f9dec9c9eea474ec43f636ae

  • SSDEEP

    12288:5deoUab7FwNHF45cDVLZp5y3CX2P9y8AuN6P0vBT0iT2yiHadb:m+9wVF42Zp09g8AcBThqyiH2b

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdd2a3840b3c1f63e435e67cbe2de348.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdd2a3840b3c1f63e435e67cbe2de348.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5796
    • C:\Windows\SysWOW64\Sys32\HLUK.exe
      "C:\Windows\system32\Sys32\HLUK.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:212
    • C:\Users\Admin\AppData\Local\Temp\CounterStrike.exe
      "C:\Users\Admin\AppData\Local\Temp\CounterStrike.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1876
  • C:\Users\Admin\AppData\Local\Temp\CounterStrike.exe
    C:\Users\Admin\AppData\Local\Temp\CounterStrike.exe -s2
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5456
    • C:\Users\Admin\AppData\Local\Temp\CounterStrike.exe
      "C:\Users\Admin\AppData\Local\Temp\CounterStrike.exe" -s3
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:6100
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Sys32\HLUK.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\Sys32\HLUK.exe
      C:\Windows\SysWOW64\Sys32\HLUK.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4160
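
The process tree above gives a responder four host-side indicators that survive outside the sandbox: execution from a "Sys32" folder that does not exist on a clean Windows install (shown as both system32\Sys32 and SysWOW64\Sys32, which is consistent with a 32-bit process having its System32 writes redirected to SysWOW64), a cmd.exe /c relaunch of the dropped HLUK.exe, a Run key pointing at it, and the HLUK.001/.004/.006/.007 companion files. The following Python is an added example, not part of the sandbox report: it runs those checks over a handful of constructed Sysmon-style events. The field names (Image, ParentImage, TargetObject, Details, TargetFilename), the event records, the SID and the Run value name "HLUK" are assumptions made for the demo; only the paths and indicator shapes come from the report.

```python
"""Behavioural triage of the Ardamax process tree (added example, not report code)."""
import re
from dataclasses import dataclass

# "Sys32" is not a Windows directory. Both parents are matched because a 32-bit
# process writing to C:\Windows\system32 is redirected to SysWOW64, which is how
# the same dropped file shows up under both spellings in the report.
SYS32_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\sys32\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
COMPANION = re.compile(r"\.\d{3}$")  # HLUK.001 / .004 / .006 / .007 next to HLUK.exe


@dataclass
class Event:
    kind: str                 # "process", "registry" or "file"
    image: str                # Image: the process performing the action
    target: str = ""          # TargetObject (registry) / TargetFilename (file)
    details: str = ""         # Details: registry value data
    parent_image: str = ""    # ParentImage (process events only)
    parent_cmdline: str = ""  # ParentCommandLine (process events only)


def check_event(ev: Event) -> list[str]:
    """Return the indicator names this single event matches (empty if none)."""
    hits = []
    if ev.kind == "process":
        if SYS32_DIR.search(ev.image):
            hits.append("exec_from_sys32_dir")
            # cmd.exe /c <dropped exe>, as seen for PID 1036 -> PID 4160 above
            if ev.parent_image.lower().endswith("\\cmd.exe") and " /c " in ev.parent_cmdline.lower():
                hits.append("cmd_c_relaunch_of_dropped_exe")
    elif ev.kind == "registry":
        # Run value whose data points into the bogus Sys32 directory
        if RUN_KEY.search(ev.target) and SYS32_DIR.search(ev.details.strip('"')):
            hits.append("run_key_persistence")
    elif ev.kind == "file":
        if SYS32_DIR.search(ev.target):
            hits.append("drop_in_system32_dir")
            if COMPANION.search(ev.target):
                hits.append("ardamax_companion_file")
    return hits


def triage(events):
    """Group events by the indicator they triggered; a clean host yields {}."""
    by_indicator = {}
    for ev in events:
        for name in check_event(ev):
            by_indicator.setdefault(name, []).append(ev)
    return by_indicator


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdd2a3840b3c1f63e435e67cbe2de348.exe"
HLUK = r"C:\Windows\SysWOW64\Sys32\HLUK.exe"
RUN = r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run"  # constructed SID

# Constructed sample events modelled on the process tree and the dropped-file list.
SAMPLE_EVENTS = [
    Event("file", DROPPER, target=HLUK),
    Event("file", DROPPER, target=r"C:\Windows\SysWOW64\Sys32\HLUK.006"),
    Event("process", HLUK, parent_image=DROPPER),
    Event("registry", HLUK, target=RUN + r"\HLUK", details=HLUK),  # value name assumed
    Event("process", HLUK, parent_image=r"C:\Windows\system32\cmd.exe",
          parent_cmdline=r"C:\Windows\system32\cmd.exe /c " + HLUK),
    # Benign controls: a real System32 binary and an ordinary OneDrive Run value.
    Event("process", r"C:\Windows\System32\svchost.exe", parent_image=r"C:\Windows\System32\services.exe"),
    Event("registry", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          target=RUN + r"\OneDrive",
          details=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for name, evs in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

The directory check is deliberately anchored on the full `C:\Windows\...\Sys32\` prefix rather than on the file name: the dropper names HLUK.exe and AKV.exe arbitrarily, while the fake Sys32 folder is the part a defender can match regardless of build. The benign controls show that a genuine System32 image and a normal user Run value do not fire.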

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@7659.tmp

    Filesize

    3KB

    MD5

    e6d3a1562e0a2d9230e4bfd7e477dffd

    SHA1

    ef5d510e60caef4924eced60c092a63e9233b375

    SHA256

    49ee7df841542ff4fc5232bd8244f06683cc70f8af5f861b94497b504208b3ab

    SHA512

    e6d866daf96ad912d4ad69324d9f89820d15dd2a8d34aba5b3392aa5f6a67931f988080a25fa09067f81024180a3a4c0e211a80405b56e6663481fce7ffa1177

  • C:\Users\Admin\AppData\Local\Temp\CounterStrike.exe

    Filesize

    99KB

    MD5

    f625450cf75852ad70c5af340a7b4ce5

    SHA1

    fd84c67c8210e5e20ab8da4e08e737c5982a9a6f

    SHA256

    ede4384d22a131ac41a2da8edbb2bcd2955ad3e0148f75655a865faf475db5c2

    SHA512

    45112f496dd1b5530c9edfdd4cf2c5f5b0feda24604b3fe8c71284fbd85426f38fb5dbfb84f8b7f6cd028820c59ff4397b715b773fcb42a42c03d6ecfb6fd90d

  • C:\Windows\SysWOW64\Sys32\AKV.exe

    Filesize

    389KB

    MD5

    f567d932480c03ab1de08b1b72aada97

    SHA1

    92c60c8971cf6aa88baf945c61c3a40709c03e02

    SHA256

    565e67c1959c0dec7be32b308681ec7106cde58b1b409cc21cbc642b7a6d627f

    SHA512

    2c9bac11470c2ff211054df00f252c312d6d2e0aea4349b03072934f8ce2623fb365c64c0eb56a08440e4daabd11799e03b158733a9922fc05ebc7782c67b3fe

  • C:\Windows\SysWOW64\Sys32\HLUK.001

    Filesize

    344B

    MD5

    7b0655ab55d86d84ef351d88789b2286

    SHA1

    89bb9ae5add291a27c577d97d953fca0b467933b

    SHA256

    273cec2540a25884694da0e396512a048dadd37767dd3c9aa39dfd35c02c111b

    SHA512

    5b369e70ba081fbe82138d017d948ea96ac03121da9bf753bc20901bc20d8e53fe51b8d3103b6d431a7f1ac0d7e079bcfb9d432a3426843e6202779a06459f43

  • C:\Windows\SysWOW64\Sys32\HLUK.004

    Filesize

    14KB

    MD5

    17437b1e961ada6ed473bd960736d61d

    SHA1

    0f49c62938be0087de14ccdaeaedb0564431aa66

    SHA256

    10ef4031b616ca402c6262ac4d5beb9b1e1ac7575bfcc9fa28fcad0d9e9daa80

    SHA512

    beb7d0d2965e6443bd34d8e5e83ee4048075d5b69076f6d2b5547bc110d2ac3a8c17967e5a8f315a0dc32293e5ee7b384f77a27971c56461036d223704a5ac6e

  • C:\Windows\SysWOW64\Sys32\HLUK.006

    Filesize

    7KB

    MD5

    02d9f210aac7049c13f026ba9898a9bd

    SHA1

    b6aae5e7fae29934042af5f6a6d51a52b51265a1

    SHA256

    43b9f2d721ec6e419b865639dead7ba29202839f967ba172f479977db8ea4e9b

    SHA512

    dda86da60ab27f2c05ebd8e7d4b709771da0edb22ba406336898e4e7e5c2febbfe9d81fb946d6440f6393e0f8c25ae61125e4ff3e8aa168c1e36a63e89999466

  • C:\Windows\SysWOW64\Sys32\HLUK.007

    Filesize

    5KB

    MD5

    5b9bf404722eac0ff29f1609f4e938ac

    SHA1

    4a0dc9cf5f7cb6855b4f2745646c4a3dcf995ba2

    SHA256

    45e39c6673b2e580e6cc01f2213dcc4d93da2eb561c94066506d90ceea8c3522

    SHA512

    50b6689db1e052d39ee1abf3ddab19b64f99ba48460fa75abf5e467d79d99958aa0a9524f3ad0d91d48cfd429ed09cfca068446287d8373974b7583eafc0fd29

  • C:\Windows\SysWOW64\Sys32\HLUK.exe

    Filesize

    475KB

    MD5

    d0c5feb812ca765b00a3ca0e974fabd2

    SHA1

    c5a4b5aee6b92019552f811d3ceb4fdcee0105fa

    SHA256

    cd2de8b54a5de630e03177a736a35f85a1f8d8367a392ed833fb6fee29c96440

    SHA512

    fb4e5bda23453484f0d0c4cc3bdc1f29a36be56281f558f356b579996bde15290a9dfbbc018ffe86e2304832a2898710f0331b7f3cd181d16930e2abbdfaafe8

  • memory/212-52-0x0000000000A40000-0x0000000000A41000-memory.dmp

    Filesize

    4KB

  • memory/212-41-0x0000000000A40000-0x0000000000A41000-memory.dmp

    Filesize

    4KB

  • memory/1876-32-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/1876-44-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/5456-46-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/5456-40-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

  • memory/6100-53-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB