ardamax | 98de622142d6f8c1f99bb6f6fb89286e35406f6739f35c0c53b0a5b9c3f5ca94

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe
Size

1.6MB
MD5

e3c672e80f94ae85831acf7ab311fbc9
SHA1

d19f5ad650830283693e82c6c66a3c6935abb214
SHA256

98de622142d6f8c1f99bb6f6fb89286e35406f6739f35c0c53b0a5b9c3f5ca94
SHA512

63278480397eb0fc9ffa076244a65f266a2af405892203e6ce9c58ba5adb645dd66f7de22bdf753ab736fb0d7d203ac310a0f965c3e8c4543c5590c3afe00637
SSDEEP

24576:zMR2IoM3NBQxlR3O7bC8P5Ndx9dyZueQLMpZCFcxvqSC/MrNajt0D347sEbmucnB:Af9BQyBHdUu9LsZC6xvayGU4ARIIliM

Score

10^/10

ardamax discovery evasion keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023216-34.dat	family_ardamax

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	lsassxp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\lsassxp.exe = "C:\\WINDOWS\\lsassxp.exe:*:Enabled:lsassxp"	lsassxp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	lsassxp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	lsassxp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
4720	lsassxp.exe
3500	Install.exe
828	JXKY.exe

Loads dropped DLL 7 IoCs

pid	Process
3500	Install.exe
828	JXKY.exe
4720	lsassxp.exe
828	JXKY.exe
828	JXKY.exe
4720	lsassxp.exe
4720	lsassxp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JXKY Agent = "C:\\Windows\\SysWOW64\\28463\\JXKY.exe"	JXKY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsassxp = "C:\\WINDOWS\\lsassxp.exe"	lsassxp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 59 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_11.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_13.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\JXKY.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\JXKY.009	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_25.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_12.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_07.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_09.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_21.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_52.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_54.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_04.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_25.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_27.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_27.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_31.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_42.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_10.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_35.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_15.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_29.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_06.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_33.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_01.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_02.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\JXKY.009	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_36.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_37.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\JXKY.006	Install.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_17.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_40.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_48.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_19.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_46.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_44.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_16.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_33.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\JXKY.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\JXKY.009.tmp	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_50.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_56.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_58.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_08.jpg	JXKY.exe
File opened for modification	C:\Windows\SysWOW64\28463	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_40_57.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_40_59.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_23.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_20.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\JXKY.007	Install.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_05.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_03.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_38.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_00.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_14.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_18.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_29.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_22.jpg	JXKY.exe
File created	C:\Windows\SysWOW64\28463\Apr_07_2024__01_42_31.jpg	JXKY.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\lsassxp.exe	lsassxp.exe
File opened for modification	C:\WINDOWS\lsassxp.exe	lsassxp.exe
File created	C:\WINDOWS\Config.exe	lsassxp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	828	JXKY.exe
Token: SeIncBasePriorityPrivilege	828	JXKY.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
828	JXKY.exe
828	JXKY.exe
828	JXKY.exe
828	JXKY.exe
828	JXKY.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4720	4164	e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe	85
PID 4164 wrote to memory of 4720	4164	e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe	85
PID 4164 wrote to memory of 4720	4164	e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe	85
PID 4164 wrote to memory of 3500	4164	e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe	86
PID 4164 wrote to memory of 3500	4164	e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe	86
PID 4164 wrote to memory of 3500	4164	e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe	86
PID 3500 wrote to memory of 828	3500	Install.exe	88
PID 3500 wrote to memory of 828	3500	Install.exe	88
PID 3500 wrote to memory of 828	3500	Install.exe	88

C:\Users\Admin\AppData\Local\Temp\e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3c672e80f94ae85831acf7ab311fbc9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\lsassxp.exe
  "C:\Users\Admin\AppData\Local\Temp\lsassxp.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:4720
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\28463\JXKY.exe
    "C:\Windows\system32\28463\JXKY.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@3623.tmp

Filesize
4KB

MD5
25530555085337eb644b061f239aa9d4

SHA1
8d91e099aba5439d4bfa8bce464c94e3e1acf620

SHA256
3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325

SHA512
b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
503KB

MD5
006d88086f8796bdd154c4f46d1fbe2e

SHA1
9610dc0bb465152b7cb459718e6a015e44b49c67

SHA256
5dd86268046821111a51f0f27ded1ada6cfb9015a07ab4de938e67655922efca

SHA512
4ddd4b6b4bf8b7000e89e2e0e27164947a39759f3d8631b6fd23566644e62436132f6d7c61624472e8c2aa75eaec0e6809f26d9cc5f823919f9939814a3c7b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsassxp.exe

Filesize
1.1MB

MD5
8c4938586bcf6d1ad1b239a2db71c5f4

SHA1
3a18d76a306d70c4b3650c71bb3dff2f4270c040

SHA256
271a2649e121871f7c6b2703eb9ddde8472223c5028574521df646dc21c7a9b3

SHA512
f1058db4a13463a726d8e4a045ae2f1d1992ddc513dc6a9e38b91a279089667def02996b50b1053347252988c02643a44f0e9c93922394c380755dc8384ec31c

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
d63cc8679a63448db1c64252e14e4ab5

SHA1
10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e

SHA256
29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d

SHA512
cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

Download Submit
C:\Windows\SysWOW64\28463\Apr_07_2024__01_41_05.jpg

Filesize
120KB

MD5
27a797b5bbaa63e1f9890a9b16e5b4fe

SHA1
a82aad858ed344c719bfcb754ac8524b28b57de2

SHA256
45f31b2e146bfbdef7b20d500db7a0b5ea44cd323cda3774aabeb3051cf3aaa7

SHA512
6babbdd9cfba6528cae4bc2deca1c341a315ea705f51a6246d72cad0457cb8d669230a44538a0aaeb3024f812a952c8488ce48963b90d1f5d2e485779cc15601

Download Submit
C:\Windows\SysWOW64\28463\JXKY.001

Filesize
570B

MD5
a624e6022a8dddb2842840c8bad1cf1e

SHA1
f190d839c7815ea8567665acd8450a208e472e3c

SHA256
2918b624439985db89785df6f3c00d52f79dea4c92ae479ceef99f0a1845a5b3

SHA512
3ec8657240353a7df356bbea41ad3abbd22f987721bd0cb039cb5062435ceb07de340d4f3aa403331301db28a8df7fc5557beb98fcc1f1231adf3e548a0e4d78

Download Submit
C:\Windows\SysWOW64\28463\JXKY.006

Filesize
8KB

MD5
81e20f4361cf8f5a57812871c24d945e

SHA1
5d7877d6959ab26599b05795a71633f00c37a3da

SHA256
e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d

SHA512
69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

Download Submit
C:\Windows\SysWOW64\28463\JXKY.007

Filesize
5KB

MD5
e9fbdcc2f5fb657fa519b3f5c69fc52d

SHA1
c49cca77b46a59d620711de7564d43e5dafcd2b5

SHA256
cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4

SHA512
913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

Download Submit
C:\Windows\SysWOW64\28463\JXKY.009

Filesize
1.6MB

MD5
c6f1a8231fd940e9cf73e81ddc60e355

SHA1
e6cf489fb2e4d2cd1262135273253eb89421db5f

SHA256
a9bf1ce9cd94ab06222a96efedf7224e1f0ca6e821eb5d6966dfb500c9bf8c4a

SHA512
4e7083b899e0c9e7d092084e86af79cfecac024372604e9a01701666cbe827d08aaa90bbc6133fb5982ef3f2339ed9fd773058a0dc5708693b9b17f67542c1ee

Download Submit
C:\Windows\SysWOW64\28463\JXKY.exe

Filesize
473KB

MD5
97d8ad45f48b4b28a93aab94699b7168

SHA1
8b69b7fd7c008b95d12386f6da415097e72151de

SHA256
661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331

SHA512
3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

Download Submit
memory/828-45-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/828-67-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4164-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4720-58-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/4720-65-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4720-13-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads