Overview

overview

10

Static

static

3

JaffaCakes...8c.exe

windows10-2004-x64

10

JaffaCakes...8c.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18/04/2025, 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_be07a720580439a01a424365e8affd8c.exe

  • Size

    503KB

  • MD5

    be07a720580439a01a424365e8affd8c

  • SHA1

    0d945279bb72a7442e9580911e4e32d414fa91a4

  • SHA256

    9f82904640952b0aa0d1a8bbf24a6a325c81490fd12bcab98fcee939baa21e22

  • SHA512

    477175802b353f34143ea685b776ed73071771826b48f41da5375e089c09cf7e61e50bccd53e7bea175fc36b580ae6b9482ad7c3d2cb7b6460d6b1c168aeb552

  • SSDEEP

    12288:Q1QTRUTV5nfX/Hg8A1lq9RMfNuxkkrqK+B5sXcHu/mTUd:r2TV5nfXAnq9RMFuxPqvO3d

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be07a720580439a01a424365e8affd8c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be07a720580439a01a424365e8affd8c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\SysWOW64\Sys32\CKCS.exe
      "C:\Windows\system32\Sys32\CKCS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3440
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo(a) Documento de texto (2).txt
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1672
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Sys32\CKCS.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\Sys32\CKCS.exe
      C:\Windows\SysWOW64\Sys32\CKCS.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4868

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@7D00.tmp
    Filesize

    4KB

    MD5

    74ff002e34aadbe8a9f7d88d2532c5d5

    SHA1

    3c11c399973d2db9a94ad7a089870d026c8c859d

    SHA256

    57d3fc3ef8934afd806d28d705c05637c0bd2d64b91a1a3e87e9bfbbf95f6e8e

    SHA512

    704c6520a7c89e6432776ad31c3334d22db390474c141974fc189c03b84e4618a35707f70f7ab7337bb63775a3cc04c2f70e88d9e3f921cf9ab2116305ed1bde

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Novo(a) Documento de texto (2).txt
    Filesize

    36B

    MD5

    9200cc2125721a31c5cc5a4fc42ff00a

    SHA1

    ba52f94fb1909641ff428d68c6cf9808276989a0

    SHA256

    c102f97688aaafb6a46a103ab57820b909792e691592cd5f151c6408c64fc61e

    SHA512

    22cc64ddc614f73f77bfaebac5d19489f4376c265a493fffd9496625c9c6ac2976aaf28e2531af1cb9df41215126fd7f75595d44c479c24870a0e32945d6a9a5

    Download Submit

  • C:\Windows\SysWOW64\Sys32\AKV.exe
    Filesize

    391KB

    MD5

    75e14e922eeea4674c45a00335c28777

    SHA1

    f3268f7a91e0cef3ac1b03877daa694655e79fa1

    SHA256

    e103b85edbafbacc8e4ac50378ee4812b68ceccd2b6f2066243ac03674030f68

    SHA512

    b2c5e09c041bc235bf1be0a808c92dc5b8256447be95a0fb4bcfe9160123c63d14a4979eea28f5286a0f3f354c59f032c9a24586dfb7067150dae7339314f6fa

    Download Submit

  • C:\Windows\SysWOW64\Sys32\CKCS.001
    Filesize

    498B

    MD5

    5c7d3806ac134afe8db4bb42d164f7be

    SHA1

    ef1eabbf6b1b7bfd70a77b23e5404f4d15265bad

    SHA256

    f50b4d612877014fc8c50f66cdfeb8be93ff548c17c3d7853adfe3eb4136c691

    SHA512

    23c632ac16c2386051a8fe2aeae66f1ee822f4cef80f0fe68d27eb198df8c225d105eba1a57009ccc50d43a9f7f0b18c3473b549ecfdd4a59c3aa329fb8e1b08

    Download Submit

  • C:\Windows\SysWOW64\Sys32\CKCS.006
    Filesize

    7KB

    MD5

    5001bd93dc919785a830ab883eefb04e

    SHA1

    eb4e7b7d42bf4669c1f011fcd0119012cfb957c0

    SHA256

    2027d2ecaa78d0ffdd4234ce531be60f230b8258ae6c001af587f6d73dba771c

    SHA512

    20f6a8fa9e2188aa29d101100edae17d77b4983f3e1dd4696c6fbcd47ef0bbcce392a0733c330dd7a707b0f5bb92720f684b04cdd8c0f1a0b186012001c477d8

    Download Submit

  • C:\Windows\SysWOW64\Sys32\CKCS.007
    Filesize

    5KB

    MD5

    00c2e21155375b96338bf76afea81546

    SHA1

    9ec87a26f5a48db97c05b2e3990aedec0adaa999

    SHA256

    6f3c20f654f2f4aee0752b95d72d9f46ebf467422611b30e9baa5ad1d21a4534

    SHA512

    cbaf2efa919def1d351de8ad8b1e30af4bb754db833019f9d998f1c78a844b933b18c41e8764edd1632be2076fd23cd7f302cfaf3f8ed6538bc90db178db422a

    Download Submit

  • C:\Windows\SysWOW64\Sys32\CKCS.exe
    Filesize

    476KB

    MD5

    63ea07b550f22b1f5d5d6897f4d92894

    SHA1

    8107c9115d45c7857534f0e0b2d9837304f009f2

    SHA256

    729269e2ce40465fa2b512e2dfea0da818a2972070ae6fa57c92893a1276ea01

    SHA512

    c094235f36a1ecf1ce9082a22d34d33153595c91c941fb1e1bd9d3903e2142e6e7603db184dc19248258027e0b8377aa13f523b84a98c74c5645cd3e3c2cdf8c

    Download Submit

  • memory/3440-22-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3440-35-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download