Malware Analysis Report

2024-10-18 23:04

Sample ID: 240116-tjf9qseedq
Target: 604d424543bc2eb56442f007b79c3ce4
SHA256: c6a86f2c27b1250d7dbdabeedfa5edd5e6b3baf1d66955fbe08dec8821864103
Tags: ardamax keylogger persistence stealer
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: c6a86f2c27b1250d7dbdabeedfa5edd5e6b3baf1d66955fbe08dec8821864103
Threat Level: Known bad

The file 604d424543bc2eb56442f007b79c3ce4 was found to be: Known bad.

Malicious Activity Summary

ardamax keylogger persistence stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 (the technique mapping itself is not present in this copy of the report)
Analysis: static1

Detonation Overview

Reported

2024-01-16 16:05

Signatures

Unsigned PE: the sample carries no Authenticode signature. No further indicator details were recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-16 16:05
Reported: 2024-01-16 16:07
Platform: win7-20231129-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe"

Signatures

Ardamax (keylogger stealer ardamax)

Ardamax main executable: matched five times; the report records no indicator details (description, indicator, process or target) for these rows.

Executes dropped EXE

Process
C:\Windows\install.exe
C:\Windows\SysWOW64\28463\JVTB.exe

Loads dropped DLL

Process (3 load events each)
C:\Windows\install.exe
C:\Windows\SysWOW64\28463\JVTB.exe

Adds Run key to start application (persistence)

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JVTB Agent = "C:\\Windows\\SysWOW64\\28463\\JVTB.exe"
Process: C:\Windows\SysWOW64\28463\JVTB.exe

Note: the value lands under HKLM (in the 32-bit Wow6432Node view), so it executes for every user at logon. Writing there requires the elevated context the sandbox's Admin account supplied; on a host where the sample runs as a standard user, expect the equivalent value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run instead, and hunt both hives.

Drops file in System32 directory

Description Indicator Process
File created C:\Windows\SysWOW64\28463\JVTB.001 C:\Windows\install.exe
File created C:\Windows\SysWOW64\28463\JVTB.006 C:\Windows\install.exe
File created C:\Windows\SysWOW64\28463\JVTB.007 C:\Windows\install.exe
File created C:\Windows\SysWOW64\28463\JVTB.exe C:\Windows\install.exe
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Windows\install.exe

Drops file in Windows directory

Description Indicator Process
File created C:\Windows\madruga.jpg C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe
File opened for modification C:\Windows\madruga.jpg C:\Windows\SysWOW64\DllHost.exe
File created C:\Windows\install.exe C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe

Note: the DllHost.exe touching madruga.jpg is the COM surrogate started with /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}, the shell's thumbnail-cache server. Its access to the image is consistent with the dropped picture being shown as a decoy while install.exe runs, not with the sample injecting into DllHost; nothing else in the report attributes activity to that process.

Enumerates physical storage devices (no indicator details recorded)

Suspicious use of FindShellTrayWindow

Process: C:\Windows\SysWOW64\DllHost.exe (2 events)

Suspicious use of WriteProcessMemory

Description Process Target
PID 1476 wrote to memory of 2068 (7 events) C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe C:\Windows\install.exe
PID 2068 wrote to memory of 2704 (7 events) C:\Windows\install.exe C:\Windows\SysWOW64\28463\JVTB.exe

Note: every write goes from a parent into the child it has just created (sample to install.exe, install.exe to JVTB.exe). CreateProcess itself writes the new process's parameters into the child this way, so this signature corroborates the launch chain rather than evidencing injection into an unrelated process.

Processes

PID 1476  C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe
          "C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe"
PID 2068    C:\Windows\install.exe  (child of 1476)
            "C:\Windows\install.exe"
PID 2704      C:\Windows\SysWOW64\28463\JVTB.exe  (child of 2068)
              "C:\Windows\system32\28463\JVTB.exe"
              (the system32 path in the command line is redirected to SysWOW64 for this 32-bit process by WOW64 file system redirection)

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
(PID not stated; the memory dumps for PID 2832 in the Files section are the only ones not tied to the three processes above, so 2832 is most likely this DllHost instance)

PIDs 1476, 2068 and 2704 come from the WriteProcessMemory rows above.
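The chain above (Temp-dropped sample, install.exe written to C:\Windows, a five-digit folder under SysWOW64 holding NAME.exe plus NAME.001/.006/.007, and a Run value "NAME Agent" pointing at NAME.exe) is the kind of pattern a detection engineer turns into rules. The Python below is an added example, not part of the sandbox report or any vendor's detection content: it replays constructed Sysmon-style events (Sysmon's own field names, EventID 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryEvent value set) through rules derived from the behavioral1 indicators. The five-digit-folder, NAME.00N and "NAME Agent" generalisation is an assumption taken from this single sample; the hash table holds three SHA256 values copied from the Files section; the all-zero SHA256 on the JVTB.exe launch is a placeholder, not a real hash.

```python
"""Replay Sysmon-style events through rules derived from behavioral1.

Added example; not part of the sandbox report. Events are constructed below
in Sysmon's field names (EventID 1 = ProcessCreate, 11 = FileCreate,
13 = RegistryEvent value set).
"""
import re
from collections import defaultdict

# SHA256 values copied from the Files section of this report.
KNOWN_SHA256 = {
    "dfa1f661c89797162e7451f66deea89ec5c9556f6b47b2e0a8292310f95f5156": r"C:\Windows\install.exe",
    "d7d3afce72387ab03d8606db30fec04d1075fc291def952040979d797d14bec2": r"C:\Windows\SysWOW64\28463\AKV.exe",
    "a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2": r"C:\Windows\SysWOW64\28463\JVTB.007",
}

# Generalised from this sample's layout (assumption, not checked against other
# Ardamax builds): a five-digit folder under System32/SysWOW64 holding NAME.exe
# plus NAME.001/.006/.007, and a Run value "NAME Agent" pointing at NAME.exe.
DROP_PATH = re.compile(
    r"\\(?:System32|SysWOW64)\\(?P<dir>\d{5})\\(?P<name>[A-Za-z]{2,8})\.(?P<ext>exe|00[1-9])$",
    re.IGNORECASE,
)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def hashes_field(ev):
    """Parse Sysmon's Hashes string ('MD5=...,SHA256=...') into {algo: hex}."""
    out = {}
    for part in ev.get("Hashes", "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_event(ev):
    """Return the rule names a single event triggers (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # ProcessCreate
        sha = hashes_field(ev).get("SHA256")
        if sha in KNOWN_SHA256:
            hits.append("known_hash:" + KNOWN_SHA256[sha])
        if ev.get("Image", "").lower() == r"c:\windows\install.exe" and TEMP_DIR.search(ev.get("ParentImage", "")):
            hits.append("temp_exe_spawns_windows_install_exe")
        if DROP_PATH.search(ev.get("Image", "")):
            hits.append("exec_from_numbered_system_dir")
    elif eid == 11:  # FileCreate
        if DROP_PATH.search(ev.get("TargetFilename", "")):
            hits.append("drop_into_numbered_system_dir")
    elif eid == 13:  # RegistryEvent: value set; Details holds the REG_SZ data
        m = RUN_VALUE.search(ev.get("TargetObject", ""))
        if m and DROP_PATH.search(ev.get("Details", "").strip('"')):
            hits.append("run_key_to_numbered_system_dir")
            if m.group("value").lower().endswith(" agent"):
                hits.append("run_value_named_agent")
    return hits


def scan(events):
    """Count rule hits, group dropped names by folder, and give a verdict."""
    rules = defaultdict(int)
    folders = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            rules[rule] += 1
        for field in ("Image", "TargetFilename", "Details"):
            m = DROP_PATH.search(ev.get(field, "").strip('"'))
            if m:
                folders[m.group("dir")].add(f"{m.group('name').upper()}.{m.group('ext').lower()}")
    # The full install chain needs all three stages seen in behavioral1.
    chain = all(r in rules for r in (
        "temp_exe_spawns_windows_install_exe",
        "drop_into_numbered_system_dir",
        "run_key_to_numbered_system_dir",
    ))
    verdict = "ardamax_install_chain" if chain else ("suspicious" if rules else "clean")
    return {"rules": dict(rules), "folders": {k: sorted(v) for k, v in folders.items()}, "verdict": verdict}


# Constructed events modelled on the behavioral1 run; not sandbox output.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\install.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe",
     "Hashes": "SHA256=DFA1F661C89797162E7451F66DEEA89EC5C9556F6B47B2E0A8292310F95F5156"},
    {"EventID": 11, "Image": r"C:\Windows\install.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\JVTB.001"},
    {"EventID": 11, "Image": r"C:\Windows\install.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\JVTB.exe"},
    {"EventID": 11, "Image": r"C:\Windows\install.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\AKV.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\28463\JVTB.exe", "ParentImage": r"C:\Windows\install.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},  # placeholder
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\28463\JVTB.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JVTB Agent",
     "Details": r'"C:\Windows\SysWOW64\28463\JVTB.exe"'},
    # Benign noise: an ordinary Run value and a normal file write must not fire.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe"'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\Desktop\notes.txt"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The verdict only becomes "ardamax_install_chain" when the Temp-to-install.exe launch, the numbered-folder drops and the Run value are all present, so a single noisy Run entry (the VendorUpdater event) stays at "clean"; the per-folder listing gives the responder the exact file set to collect and hash against the Files section. On a Sysmon deployment without FileCreate hashing, the hash rule only fires on EventID 1, which is why it sits in that branch.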

Network

No network activity recorded in this run.

Files

Several paths below (C:\Windows\install.exe and C:\Windows\SysWOW64\28463\JVTB.exe in particular) appear more than once with different hashes. Treat every hash as an indicator for its path rather than picking one of them.

memory/1476-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1476-1-0x0000000001DA0000-0x0000000001E90000-memory.dmp

C:\Windows\install.exe

MD5 2138a4744abfbf2dcffcc1aa1514c039
SHA1 437bf7f0390bbf99804302c9ce985a8125a85acb
SHA256 dfa1f661c89797162e7451f66deea89ec5c9556f6b47b2e0a8292310f95f5156
SHA512 d8dd6225d426234c5bc288c00a70d92ffc63e44d156502ff3e567677415e76aa4ad8d5fb0729d312c9a63c093beb9a9cece348a2df08f0c4dbff7f5521f3c22b

C:\Windows\install.exe

MD5 450ad0eeca53eba0cd3451646aa61da9
SHA1 26f4ff824275f10d5ee813d578f204113cc17789
SHA256 2c915bd282ad880dd1bba9481873f5766f0957d54738074067a0a26c734b8aad
SHA512 ace65b899231f6bcbd71be4de6572c93ad0d58fbf38ce80e0579e16ce6b048fe8793e95f1a3d3373e40ae366fdd40ceec1df3a7314b555be7db79b3d19f16a1c

memory/1476-4-0x0000000000400000-0x00000000005C4000-memory.dmp

\Users\Admin\AppData\Local\Temp\@780.tmp

MD5 c3679c3ff636d1a6b8c65323540da371
SHA1 d184758721a426467b687bec2a4acc80fe44c6f8
SHA256 d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb
SHA512 494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

\Windows\SysWOW64\28463\JVTB.exe

MD5 07034b11a4001a920987d931d0c6a94f
SHA1 45e5e68cd0bef3546b2bdd9269d8cf2adbc1f399
SHA256 8d815ffbe30876c212c46dcd26e29d4102551122112c9f490e3b188b0af16b9b
SHA512 85b05b69e104efbb7f6ec14f1a42e45611c91938818d82915919988136817a82f950322e7e301f43ff8d468fe703c73d616e8913ad75d96d887d761ff3df21c5

\Windows\SysWOW64\28463\JVTB.exe

MD5 7448dbc3b83583d885fd17642d2ab00a
SHA1 85ea4bf9f997f6658288608943dc8b8101eefeb7
SHA256 5698f9510aa39d82085e6badbfcd7d418257eca45937f117b5cbd386df9bb912
SHA512 314c85b07fc24b91677118da6ae32058889e5f7603b5cc256b55cec7af85e29b67b8dd10513bb518f9224b60527a61e4fc965b8bca36e469a5b49b47fe94245e

\Windows\SysWOW64\28463\JVTB.exe

MD5 1e6059008388a3072a3f820d341fa570
SHA1 4eb940e1a7c5293cc0b412bc8c635852fece7b65
SHA256 ac34b4bbcd4b8f2600cde6ccc74ca46752998efcfb52164ae4dfc0fe91814963
SHA512 e599bd6e378b767096c285796219e00b0db18956b16b40ed0463232f82f1a6561cd5b62eceb9e9743ab5b1b9e733f02a007495bf3b796f1a22ad6536a684a574

C:\Windows\SysWOW64\28463\JVTB.007

MD5 b5a87d630436f958c6e1d82d15f98f96
SHA1 d3ff5e92198d4df0f98a918071aca53550bf1cff
SHA256 a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2
SHA512 fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

C:\Windows\SysWOW64\28463\JVTB.006

MD5 43f02e9974b1477c1e6388882f233db0
SHA1 f3e27b231193f8d5b2e1b09d05ae3a62795cf339
SHA256 3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba
SHA512 e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

C:\Windows\SysWOW64\28463\JVTB.001

MD5 55c6ac0a5aa9ab07f821d91ebf7fb606
SHA1 e3ceaf3558959bf3d67913f9c45f0faf42a08ed6
SHA256 6b04dacf865c83a6fabe617459c09d32fb995793852106e9cc0c3e46f2def478
SHA512 56d765bef180964060e2237d5b3bc24f4ec41cc6db4e8b1cf77dcbf629122cb8ec51ac41fafcd74b03cff815b8edd6c8ed951795400ca1dced8f366b030bb6f7

C:\Windows\SysWOW64\28463\AKV.exe

MD5 c704d029abebad025ce01ff09ab2e315
SHA1 110fc7f9cfaf13df9e4b7fa010f38951a817bab2
SHA256 d7d3afce72387ab03d8606db30fec04d1075fc291def952040979d797d14bec2
SHA512 dc697ece6e5c7c347cdfaddb37a9d602a1377c298efd279e872053587f1a54bd5cb047643dbea7a9f6698863a360f67b41573d667836fd8d6837c9352b92aa82

C:\Windows\SysWOW64\28463\JVTB.exe

MD5 e0134e5733c7b82849233b07d90a1b52
SHA1 95cb9b7f93cbf485b2da1f16f7f4167ebec27fb6
SHA256 40b390a59d372327232fdc75792b1e1ba4f0f9da58a3f37112319e90d7e15879
SHA512 b30713dcab51eb2605f350c0739cf2b5b3ab3a430459b36f3ee2b9b814b115ab628ff790c575c18ff4316fd227a72d18406c5a9efa04daeeacde8378a87ca8ce

memory/1476-42-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/2832-39-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2068-38-0x0000000002BC0000-0x0000000002BC2000-memory.dmp

memory/2832-37-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/1476-36-0x0000000004CE0000-0x0000000004CE2000-memory.dmp

C:\Windows\SysWOW64\28463\JVTB.exe

MD5 17535dddecf8cb1efdba1f1952126547
SHA1 a862a9a3eb6c201751be1038537522a5281ea6cb
SHA256 1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd
SHA512 b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

C:\Windows\madruga.jpg

MD5 e0989f1fe0c33462a62ad52ab2df079c
SHA1 f6197379ab77debe93fb0d5ea2d85505bb8474d9
SHA256 b37a6b128b6d597b56b2ed2cdd7c284e33dc2b57a9b4e3fcd8e483f3f0b9f285
SHA512 e84b9ec66e8cfc8f0ebac80174161b4460bbbfe91e719f277c73a1165cb79a6d7643744f97df3e55f9beff74013b44395866ec4a04ec93decb3efd13b044f924

C:\Users\Admin\AppData\Local\Temp\madruga.jpg

MD5 32946b57633bf8f0be7ed3b405036a6d
SHA1 11d943452dfad1cfb80970cd510abab8a1c6545d
SHA256 b2040666cd2a7d3b463c3868d215b69460f0503bedb7bba28509319084df0b4a
SHA512 5dc0ab44b14dcf4950d219fea7532da2cb7ce1a94842427ddc626273dbbb6eb6649c628fa2b121d444d9e838c08ce6fb2e79a27f20539c4b1051fd86055d05dd

memory/2832-45-0x0000000000200000-0x0000000000201000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-16 16:05
Reported: 2024-01-16 16:07
Platform: win10v2004-20231215-en
Max time kernel: 143s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe"

Signatures

None fired on this platform. The sample crashed (WerFault.exe was invoked twice against PID 1004), no files were dropped, and no child process other than WerFault.exe was recorded, so the Windows 10 run shows none of the install chain seen in behavioral1.

Processes

PID 1004  C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe
          "C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe"

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1004 -ip 1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 280

Network

Country  Destination         Domain                          Proto
US       8.8.8.8:53          2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53          204.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53          16.53.126.40.in-addr.arpa       udp
US       8.8.8.8:53          158.240.127.40.in-addr.arpa     udp
US       20.231.121.79:80    -                               tcp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa      udp
US       8.8.8.8:53          172.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa      udp
GB       96.16.110.41:443    -                               tcp
US       192.229.221.95:80   -                               tcp
US       8.8.8.8:53          26.178.89.13.in-addr.arpa       udp

Note: the report attributes none of these connections to a process, and the sample crashed without dropping anything in this run. Reverse (in-addr.arpa) lookups and a handful of HTTP/HTTPS connections of this shape are typical Windows 10 background traffic; do not treat these addresses as C2 indicators without a process attribution.

Files

memory/1004-0-0x0000000000770000-0x0000000000771000-memory.dmp

memory/1004-1-0x0000000000A80000-0x0000000000B70000-memory.dmp