ardamax | cf8b2e8f90edbc63bab426283d9e08cc24bd62b065cb60bda90ebc5d32e4ce7b

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T19:13:25Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20240221-en/instance_27-dirty.qcow2\"}"

General

Target

fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe
Size

1.7MB
MD5

fd717ce62af73cbe27ec333ff1a05d39
SHA1

e42b23378a9b23e4b1e9d112698e468176050629
SHA256

cf8b2e8f90edbc63bab426283d9e08cc24bd62b065cb60bda90ebc5d32e4ce7b
SHA512

0991e1e6aee0eec3e73418e7ccfb7298472db0c8b461915a1034475c93829a951ae15839e3ce0a3d0cbe134a765c32629a1714915b1cd1590b3d34008a1bf030
SSDEEP

49152:KQLYLYNji4HtyQK+51c6jvAoGmuqGNLaqo:KYY6jrI+boZmuqGUh

Score

10^/10

ardamax discovery keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000149ea-40.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2576	Install.exe
860	BYRL.exe

Loads dropped DLL 15 IoCs

pid	Process
2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe
2576	Install.exe
2576	Install.exe
2576	Install.exe
2576	Install.exe
2576	Install.exe
2576	Install.exe
860	BYRL.exe
860	BYRL.exe
860	BYRL.exe
860	BYRL.exe
2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe
860	BYRL.exe
2904	DllHost.exe
2904	DllHost.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2112-3-0x0000000000400000-0x0000000000654000-memory.dmp	themida
behavioral1/memory/2112-69-0x0000000000400000-0x0000000000654000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BYRL Agent = "C:\\Windows\\SysWOW64\\28463\\BYRL.exe"	BYRL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\BYRL.006	Install.exe
File created	C:\Windows\SysWOW64\28463\BYRL.007	Install.exe
File created	C:\Windows\SysWOW64\28463\BYRL.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	BYRL.exe
File created	C:\Windows\SysWOW64\28463\BYRL.001	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 10 IoCs

evasion

pid	Process
2088	taskkill.exe
2444	taskkill.exe
2484	taskkill.exe
788	taskkill.exe
2184	taskkill.exe
1600	taskkill.exe
2900	taskkill.exe
2228	taskkill.exe
1564	taskkill.exe
2300	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	taskkill.exe
Token: 33	860	BYRL.exe
Token: SeIncBasePriorityPrivilege	860	BYRL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe
860	BYRL.exe
860	BYRL.exe
860	BYRL.exe
860	BYRL.exe
860	BYRL.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2280	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	28
PID 2112 wrote to memory of 2280	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	28
PID 2112 wrote to memory of 2280	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	28
PID 2112 wrote to memory of 2280	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	28
PID 2112 wrote to memory of 2576	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2576	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2576	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2576	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2576	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2576	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2576	2112	fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2484	2280	cmd.exe	31
PID 2280 wrote to memory of 2484	2280	cmd.exe	31
PID 2280 wrote to memory of 2484	2280	cmd.exe	31
PID 2280 wrote to memory of 2484	2280	cmd.exe	31
PID 2576 wrote to memory of 860	2576	Install.exe	33
PID 2576 wrote to memory of 860	2576	Install.exe	33
PID 2576 wrote to memory of 860	2576	Install.exe	33
PID 2576 wrote to memory of 860	2576	Install.exe	33
PID 2576 wrote to memory of 860	2576	Install.exe	33
PID 2576 wrote to memory of 860	2576	Install.exe	33
PID 2576 wrote to memory of 860	2576	Install.exe	33
PID 2280 wrote to memory of 2900	2280	cmd.exe	35
PID 2280 wrote to memory of 2900	2280	cmd.exe	35
PID 2280 wrote to memory of 2900	2280	cmd.exe	35
PID 2280 wrote to memory of 2900	2280	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd717ce62af73cbe27ec333ff1a05d39_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\avkill.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashdisp.exe
    3⤵
    - Kills process with taskkill
    PID:2900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashmaisv.exe
    3⤵
    - Kills process with taskkill
    PID:788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashserv.exe
    3⤵
    - Kills process with taskkill
    PID:2184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ashwebsv.exe
    3⤵
    - Kills process with taskkill
    PID:2228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im aswupdsv.exe
    3⤵
    - Kills process with taskkill
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgemc.exe
    3⤵
    - Kills process with taskkill
    PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgcc.exe
    3⤵
    - Kills process with taskkill
    PID:2088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgamsvr.exe
    3⤵
    - Kills process with taskkill
    PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im avgupsvc.exe
    3⤵
    - Kills process with taskkill
    PID:2444
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\28463\BYRL.exe
    "C:\Windows\system32\28463\BYRL.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:860

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avkill.bat

Filesize
18KB

MD5
6f2eb168957a9522665743fcc11ab233

SHA1
bae61be84250ae15e2bfb6a224a38b5da954cd2f

SHA256
501317c3ec035cc058b3a2617225da69f8615ef0246524bda3ff6bcbd4440244

SHA512
fad25b8a4c7bb1857a21f83796b7b71e0666e9e507d0e7fef57d5d8463135cc367287676faa9b3d4b1be7bd97fd7a6a534d54d0c2cec972fd5a5546a0a810cd7

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adabb1cc5c00784846c6f082f7e95f21

SHA1
0d1bf1674cd5b077e7e601874f3f438d2bcbc690

SHA256
9797854eb963309d21e33e4edb092c01859d00465d7da76aa26d28da54a5f0ed

SHA512
29ca5369514f53721099fd94d4cc50cd02b2815f255026611358c75e9161826fa17ba1043db6aae886adcd45be9616c19e706e405a14a11b24522e5278ca6f5f

Download Submit
C:\Windows\SysWOW64\28463\BYRL.001

Filesize
380B

MD5
ed3f55d311e63baa2deb7b6aac12bc0e

SHA1
09f0534ac81501376dc94c1c2793e2f0eab59b7b

SHA256
d4c70e29d39ce019841ee4bf9b28dbc2ccb60913502e2b51e51975070d3956eb

SHA512
457437a59bff33d40be13c8fb3aad237352d646457263a4e5299d12a83026b6ba92672a26b3f2f910a992b2d08d8adf0905b631e951d5add3db39e142cc3e032

Download Submit
C:\Windows\SysWOW64\28463\BYRL.006

Filesize
8KB

MD5
20efb1eb38ad96b4b5e85ed073e21883

SHA1
b2680fe3698d768d1b72eab5afdd2d8b50a89c69

SHA256
dd8045ef5d36c1b053806cef96c77dd2a9ebe4d9e3dcd6c480ef3ec16ff1894f

SHA512
0f5fbe07a3a79f904456d3c112a8508cc2f37a328938b6fd2cef29c5183a404563a8fe21906d48318b5fef4f7326e48afe3d1213a4c913306070e5ebf263ad98

Download Submit
C:\Windows\SysWOW64\28463\BYRL.007

Filesize
5KB

MD5
84dd6324b3dce57f35d7c1d2d1a80492

SHA1
d332d0076613ef7c15f74a3a105b2249654855d3

SHA256
036a3db0118139b5e3767cb3a3714af80e508264ad97fbdeac7f4edf8c9561a9

SHA512
659bb8ed05760b159bef3f587b5c4bcd37dd5e492225a3e7199456381889bf30d0659c36deb4f49fa19347769e3ad9ef75331f300724d39df8fd2ef98c24d6cc

Download Submit
\Users\Admin\AppData\Local\Temp\@1065.tmp

Filesize
4KB

MD5
8ec77ec0a37da46ea4cfe747c450babd

SHA1
cbcdb4fae0aca8a33dae7c4639e1bdfe8480353d

SHA256
366e2c9fc249f38d5f0dda163488dc7c165def62421b34dfbe1c7a39d6bf0453

SHA512
14e7946d352baa8fe8cbacefb267d1de9d0c00af7361d712923bb67c66acc6ac28d4c1be30871676a9a7b1750f17db6ee4df203370b413ab4551faa7a8cc1eeb

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
27f263eec4d66ed808374bde68d55365

SHA1
7485f42d2b918a821707fbdb0fd5b8106150e0c8

SHA256
735198fb6d680dc85ff63b6218b77528a125b4394cd47e6df235f51be933b6ce

SHA512
7baac69f50c9cee5b197cdfe17e909c52b4ac477a8491a8fa1b4d748799673b659a576951164bdca46871969c50d29feb6c53d013e7c8fa0dbf12f7c99bb1872

Download Submit
\Windows\SysWOW64\28463\BYRL.exe

Filesize
473KB

MD5
4d1b16621c0698cc15407296046c5f13

SHA1
895ad41339a41718bd8a7b49fe5f9df5861a5f62

SHA256
2e17c5b2ee80ea87344c586a2049fd96a5a69ef53d9211399f503c62743c181c

SHA512
5c2e431be346dd72e53b37817320f9c2df69823741e3b53313ffbe686266d4903633155f63812e81f605511320ec3b12b87b586bc930393716382af0be474ff8

Download Submit
memory/2112-9-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/2112-54-0x0000000006240000-0x0000000006242000-memory.dmp

Filesize
8KB

Download
memory/2112-8-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2112-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2112-7-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/2112-5-0x0000000004100000-0x0000000004103000-memory.dmp

Filesize
12KB

Download
memory/2112-6-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2112-3-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2112-1-0x0000000001FB0000-0x0000000002090000-memory.dmp

Filesize
896KB

Download
memory/2112-10-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/2112-71-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2112-67-0x000000007783F000-0x0000000077840000-memory.dmp

Filesize
4KB

Download
memory/2112-69-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2112-70-0x000000007783F000-0x0000000077840000-memory.dmp

Filesize
4KB

Download
memory/2904-68-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2904-65-0x000000007783F000-0x0000000077840000-memory.dmp

Filesize
4KB

Download
memory/2904-60-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2904-72-0x000000007783F000-0x0000000077840000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads