ardamax | f7087b3bcd630098e4978b1c964d53dcbfe146d19f99c4c71a698722c009b299

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe
Size

2.6MB
MD5

25739f4366e73e0c5f3fb31e8a14feec
SHA1

c191ae8c4225899acdcb5f25b423c71df7bdeaac
SHA256

f7087b3bcd630098e4978b1c964d53dcbfe146d19f99c4c71a698722c009b299
SHA512

a02d4d4163ec6bff350685f021faead19b63acfe21db22a526e9f7b4cd69613c4bee28d1ddef160fda5fe408ea7594b8bf57e90aa35062cdd9fd1641515c8539
SSDEEP

49152:3aPQbgW0hZA6ZiTZ4FE/ZHx1qZ4lC37ovKnMkIzTIxCYWWyDMiIwGqs:TbniOt/MF4KKXMCNDMi8

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016cd1-40.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2024	setup-4.5.9.exe
2256	setup-4.5.9.tmp
1260	Moja Focia.exe
2680	RAXD.exe

Loads dropped DLL 16 IoCs

pid	Process
1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe
1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe
2024	setup-4.5.9.exe
1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe
1260	Moja Focia.exe
1260	Moja Focia.exe
1260	Moja Focia.exe
2680	RAXD.exe
2680	RAXD.exe
2256	setup-4.5.9.tmp
2256	setup-4.5.9.tmp
2556	DllHost.exe
2556	DllHost.exe
1260	Moja Focia.exe
2256	setup-4.5.9.tmp
2256	setup-4.5.9.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RAXD Agent = "C:\\Windows\\SysWOW64\\Sys32\\RAXD.exe"	RAXD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	Moja Focia.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	RAXD.exe
File created	C:\Windows\SysWOW64\Sys32\RAXD.009	RAXD.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\RAXD.009	RAXD.exe
File created	C:\Windows\SysWOW64\Sys32\RAXD.001	Moja Focia.exe
File created	C:\Windows\SysWOW64\Sys32\RAXD.006	Moja Focia.exe
File created	C:\Windows\SysWOW64\Sys32\RAXD.007	Moja Focia.exe
File created	C:\Windows\SysWOW64\Sys32\RAXD.exe	Moja Focia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2256	setup-4.5.9.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2680	RAXD.exe
Token: SeIncBasePriorityPrivilege	2680	RAXD.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	DllHost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2680	RAXD.exe
2680	RAXD.exe
2680	RAXD.exe
2680	RAXD.exe
2680	RAXD.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2024	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	28
PID 1248 wrote to memory of 2024	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	28
PID 1248 wrote to memory of 2024	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	28
PID 1248 wrote to memory of 2024	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	28
PID 1248 wrote to memory of 2024	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	28
PID 1248 wrote to memory of 2024	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	28
PID 1248 wrote to memory of 2024	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2256	2024	setup-4.5.9.exe	30
PID 2024 wrote to memory of 2256	2024	setup-4.5.9.exe	30
PID 2024 wrote to memory of 2256	2024	setup-4.5.9.exe	30
PID 2024 wrote to memory of 2256	2024	setup-4.5.9.exe	30
PID 2024 wrote to memory of 2256	2024	setup-4.5.9.exe	30
PID 2024 wrote to memory of 2256	2024	setup-4.5.9.exe	30
PID 2024 wrote to memory of 2256	2024	setup-4.5.9.exe	30
PID 1248 wrote to memory of 1260	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	29
PID 1248 wrote to memory of 1260	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	29
PID 1248 wrote to memory of 1260	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	29
PID 1248 wrote to memory of 1260	1248	25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe	29
PID 1260 wrote to memory of 2680	1260	Moja Focia.exe	31
PID 1260 wrote to memory of 2680	1260	Moja Focia.exe	31
PID 1260 wrote to memory of 2680	1260	Moja Focia.exe	31
PID 1260 wrote to memory of 2680	1260	Moja Focia.exe	31

C:\Users\Admin\AppData\Local\Temp\25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25739f4366e73e0c5f3fb31e8a14feec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\setup-4.5.9.exe
  "C:\Users\Admin\AppData\Local\Temp\setup-4.5.9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\is-MOM5B.tmp\setup-4.5.9.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MOM5B.tmp\setup-4.5.9.tmp" /SL5="$400F4,1816456,54272,C:\Users\Admin\AppData\Local\Temp\setup-4.5.9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2256
- C:\Users\Admin\AppData\Local\Temp\Moja Focia.exe
  "C:\Users\Admin\AppData\Local\Temp\Moja Focia.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\Sys32\RAXD.exe
    "C:\Windows\system32\Sys32\RAXD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2680

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.jpg

Filesize
38KB

MD5
eb8ca4edcb5ee897fae5349add745971

SHA1
e3ba51912ea4a3ec91a4834a4ad1578e8f6b18bc

SHA256
6a6761d00993efafa86b38dacdcde65e1a0b51d2314098519e2cf6e09922d230

SHA512
f21484122ddfd54f2af1d17e5f12eb04c578d4ec194b278318a7918068e3aef5cee9b2d7dda6d7684d686bccf2fc4fa28084de64bbe0e2cc730527f7db6334eb

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
869461e168a87283a8782e70f5d5a3a8

SHA1
ab189b5f2682ae66162226b4f646b1e80486c653

SHA256
992cb5ea845b2d24c02f4e40873bf4ebd7b58b57ae2e001907228af4879e575b

SHA512
e4e77e07eb0ef2adb6d5ebdb9629f4632c417cf3d1a22e4c414b806bfbd259df13f6c88265f9346ed2b22bf67eb3d63924d86767c8508be4abdc9067f15a82ae

Download Submit
C:\Windows\SysWOW64\Sys32\RAXD.001

Filesize
450B

MD5
3ba31e7c390f9227cd882ea667d21eb1

SHA1
3583fae57cea336609015ec6d19da7498063fb19

SHA256
4d5cf2f088085e33b72ee9b23cf4658b1ed5360baadbb887368673668e7be9c8

SHA512
c731a80169c7bc1cdac4a30f27ee497d50dcf12656cb6e36308d07495142bd9821b2f36f1db96306525c337d5624dedd598603538eb7cb2743e8b782733b9add

Download Submit
C:\Windows\SysWOW64\Sys32\RAXD.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\SysWOW64\Sys32\RAXD.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
C:\Windows\SysWOW64\Sys32\RAXD.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
\Users\Admin\AppData\Local\Temp\@14B9.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
\Users\Admin\AppData\Local\Temp\Moja Focia.exe

Filesize
519KB

MD5
83e53c4f04f4d1bd2909386f18edee05

SHA1
0ab9b87896520bce5f202445246a000f9eac45ed

SHA256
3a9c75835ac8e813df7679ac942cbac409390cca1da1f00110c8e2335be3b849

SHA512
e3d4667502a2a94fb27938872810cd6b738c935abfc50c7b150fb65ec035fb9a1ee239e463d4cbf64f61551ca9344d5c08b0b611aa5a6b3cffa96ceed19850cb

Download Submit
\Users\Admin\AppData\Local\Temp\is-3FIGI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MOM5B.tmp\setup-4.5.9.tmp

Filesize
683KB

MD5
ce4e0ff83ac2a3256fd5c220562294a1

SHA1
72429c43cc4ed0a184a9c7b208902005489ff49a

SHA256
130ec61d37b76fa26a4c7ebcf210467c5be3ae2ace7346546c65f093478bb06b

SHA512
b375a78ca9b8e30ba665d3934716e5d3ac5737d8cf05a562f59c8b142923e3a79f1c44b55e995bd43fd0a9056a122cbe332d33947f626fa2d5bfb9f2e1824e98

Download Submit
\Users\Admin\AppData\Local\Temp\setup-4.5.9.exe

Filesize
2.0MB

MD5
76641925fb1808e61be234c076ee0793

SHA1
9536eef3b699d52460e9e5261b9f669f87955d0f

SHA256
dd0b2a6f679c52c13c70b01aac9102a8e6b6442e208bcc7c2debc3a4de7c9a80

SHA512
6c588de91cf02b8eba5567821ad96d82c243dfd2b9e84d348cbe53d6342316655b5365c02aec44ed0eda45943a01828111673664d53936c6d9efdeb6bc8bf6d7

Download Submit
memory/1260-55-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/2024-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2024-10-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2024-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2256-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2256-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2556-56-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads