ardamax | 538418d445ccd24e629a92b54ad3ccb5f26a3613f49aa5c3fc1c55bb5be9fb54

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22/06/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04379be459799a744d466d76741e660b_JaffaCakes118.exe
Size

1.3MB
MD5

04379be459799a744d466d76741e660b
SHA1

aeaf6ad8104700c8d465bd5f3a6b5e6ba2c0dd2e
SHA256

538418d445ccd24e629a92b54ad3ccb5f26a3613f49aa5c3fc1c55bb5be9fb54
SHA512

460acd38cb943b0ad2407cb68be2d07b57380ef64f505ffbfafd5ea93570969a4f14ed9fa20146903c11a5e935f2339bbd04420fae397e42deb6ca4a879c2415
SSDEEP

24576:vk/ATNrHq0u2aejo5Lbh75S1958C0zym5NtVCZP2fcO2pIDnOMt8BSibXjt:8oTRnu2aaoBbh75g95hevpVCZPLqOTBj

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d01-6.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2936	XKK.exe
2760	X1nject.exe

Loads dropped DLL 5 IoCs

pid	Process
2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe
2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe
2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe
2936	XKK.exe
2760	X1nject.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016d19-23.dat	upx
behavioral1/memory/2760-24-0x0000000000400000-0x00000000004BD000-memory.dmp	upx
behavioral1/memory/2760-29-0x0000000000400000-0x00000000004BD000-memory.dmp	upx
behavioral1/memory/2760-33-0x0000000000400000-0x00000000004BD000-memory.dmp	upx
behavioral1/memory/2760-36-0x0000000000400000-0x00000000004BD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XKK Start = "C:\\Windows\\SysWOW64\\CUDEYF\\XKK.exe"	XKK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CUDEYF\XKK.004	04379be459799a744d466d76741e660b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CUDEYF\XKK.001	04379be459799a744d466d76741e660b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CUDEYF\XKK.002	04379be459799a744d466d76741e660b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CUDEYF\AKV.exe	04379be459799a744d466d76741e660b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CUDEYF\XKK.exe	04379be459799a744d466d76741e660b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CUDEYF\	XKK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe
2760	X1nject.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2936	XKK.exe
Token: SeIncBasePriorityPrivilege	2936	XKK.exe
Token: SeIncBasePriorityPrivilege	2936	XKK.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2936	XKK.exe
2936	XKK.exe
2936	XKK.exe
2936	XKK.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2936	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2936	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2936	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2936	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	28
PID 2012 wrote to memory of 2760	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	29
PID 2012 wrote to memory of 2760	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	29
PID 2012 wrote to memory of 2760	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	29
PID 2012 wrote to memory of 2760	2012	04379be459799a744d466d76741e660b_JaffaCakes118.exe	29
PID 2936 wrote to memory of 2920	2936	XKK.exe	32
PID 2936 wrote to memory of 2920	2936	XKK.exe	32
PID 2936 wrote to memory of 2920	2936	XKK.exe	32
PID 2936 wrote to memory of 2920	2936	XKK.exe	32

C:\Users\Admin\AppData\Local\Temp\04379be459799a744d466d76741e660b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04379be459799a744d466d76741e660b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\CUDEYF\XKK.exe
  "C:\Windows\system32\CUDEYF\XKK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CUDEYF\XKK.exe > nul
    3⤵
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\X1nject.exe
  "C:\Users\Admin\AppData\Local\Temp\X1nject.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X1nject.exe

Filesize
262KB

MD5
ed16b07449d0cd7e2d7c6f918878ab00

SHA1
7dd4b0ebafd2987041f4a18da74f3e562343843f

SHA256
b308449cdf6ec26d55138d6bbf147f86f09a45a87d142eadf3c65be58cc7a5a1

SHA512
09e8dacfbd6b8071ba52353ebdab7a3d05b774863152b3d398bc4b98dae1cad59331dea3abfefea3e160b05d475318e2a96910f1f1ae3e8c09beef251d661c90

Download Submit
C:\Windows\SysWOW64\CUDEYF\AKV.exe

Filesize
466KB

MD5
4c5711d8a02899113661bdff195d80d5

SHA1
263592abea6d60887defb4b1bcb47dbb383edfb6

SHA256
661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195

SHA512
4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

Download Submit
C:\Windows\SysWOW64\CUDEYF\XKK.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
C:\Windows\SysWOW64\CUDEYF\XKK.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\CUDEYF\XKK.004

Filesize
1KB

MD5
b2bcf33057e316863de0d73d245d7394

SHA1
7139c2fa4f26f28ba20b8de91a43451313bf327d

SHA256
2856412732728b6a7cd3854ec8bd44bc96329b898e58c36d8eabda3d41d25edd

SHA512
f07b03ac7d238e4172fc7b24598e6b99c942943417a82e934247afedf013475ec5a239c0f2932e1927e7d96123b871a40fd52f4e41f8bae602627dba8a935972

Download Submit
\Windows\SysWOW64\CUDEYF\XKK.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
memory/2760-27-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2760-24-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2760-29-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2760-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2760-33-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2760-36-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2936-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download