ardamax | ce01dfd3f455df79927fd15ce174511f9144fb292fed1f12331ac4c8fd4664bf

Analysis

max time kernel
100s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe
Size

720KB
MD5

2a98aa48cb2a707c1c8b276c39be77a3
SHA1

6fb85b3453d719f26beebe3cb3f260426d8ac551
SHA256

ce01dfd3f455df79927fd15ce174511f9144fb292fed1f12331ac4c8fd4664bf
SHA512

96e3317fd17bf0083b0ae2478e1271e0a8ba9db354d1835c16d16d7ea816f8d29a7dc2abac2c4151157f614f8e5dd39a1ccb416d6d7056538c78bfdba2424abf
SSDEEP

12288:hILk+Jr3/Z3HWBldgWaouk0/nAohnErIZfNOeiiOp9hqhVKcPks1Tnpt:w/J2BnJaO0/AoerIvOe5C9hYVKfs1Ft

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002349a-74.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	BMC Killer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	Exporer32.exe

Executes dropped EXE 3 IoCs

pid	Process
5024	BMC Killer.exe
4524	Exporer32.exe
1832	ICQV.exe

Loads dropped DLL 4 IoCs

pid	Process
4524	Exporer32.exe
1832	ICQV.exe
1832	ICQV.exe
1832	ICQV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICQV Agent = "C:\\Windows\\SysWOW64\\28463\\ICQV.exe"	ICQV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\ICQV.001	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\ICQV.006	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\ICQV.007	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\ICQV.exe	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Exporer32.exe
File opened for modification	C:\Windows\SysWOW64\28463	ICQV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3104	5024	WerFault.exe	85

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3668	WINWORD.EXE
3668	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe
Token: 33	1832	ICQV.exe
Token: SeIncBasePriorityPrivilege	1832	ICQV.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
5024	BMC Killer.exe
5024	BMC Killer.exe
3668	WINWORD.EXE
3668	WINWORD.EXE
3668	WINWORD.EXE
3668	WINWORD.EXE
3668	WINWORD.EXE
3668	WINWORD.EXE
3668	WINWORD.EXE
1832	ICQV.exe
1832	ICQV.exe
1832	ICQV.exe
1832	ICQV.exe
1832	ICQV.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 5024	1100	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe	85
PID 1100 wrote to memory of 5024	1100	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe	85
PID 1100 wrote to memory of 5024	1100	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe	85
PID 1100 wrote to memory of 3668	1100	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe	86
PID 1100 wrote to memory of 3668	1100	2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe	86
PID 5024 wrote to memory of 4524	5024	BMC Killer.exe	90
PID 5024 wrote to memory of 4524	5024	BMC Killer.exe	90
PID 5024 wrote to memory of 4524	5024	BMC Killer.exe	90
PID 4524 wrote to memory of 1832	4524	Exporer32.exe	93
PID 4524 wrote to memory of 1832	4524	Exporer32.exe	93
PID 4524 wrote to memory of 1832	4524	Exporer32.exe	93

C:\Users\Admin\AppData\Local\Temp\2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a98aa48cb2a707c1c8b276c39be77a3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\BMC Killer.exe
  "C:\Users\Admin\AppData\Local\Temp\BMC Killer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\28463\ICQV.exe
      "C:\Windows\system32\28463\ICQV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1440
    3⤵
    - Program crash
    PID:3104
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BMC FILES IS BEEN DELETED.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5024 -ip 5024
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@D198.tmp

Filesize
4KB

MD5
25530555085337eb644b061f239aa9d4

SHA1
8d91e099aba5439d4bfa8bce464c94e3e1acf620

SHA256
3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325

SHA512
b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMC FILES IS BEEN DELETED.doc

Filesize
185B

MD5
742c844c3a2bf06e759ee64203e00c9d

SHA1
28bfd095f6ea14f107433b684436f9d1436e8d49

SHA256
6c22fc85eacdff707103c06eec6d64b30f426adfec4b7aeb795849aab113ac53

SHA512
85879968c0b30727e00a5c452c17b56819a0e814ae5c9781bc0bcd2bbe34eb6282a8dc768b9aedc6a7827d2da0a18e2d5c057bdf9b48a1b023522d3ca577972c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMC Killer.exe

Filesize
527KB

MD5
484fefb87e6b935ebe57cdde015b9659

SHA1
619eb3197a89ef92f4871db3aade055e89271b52

SHA256
2defd256a5409dfd9cc44b64801bd814b5ce329688b1ec47847ef37cb9b5ec75

SHA512
1f5b2abdebcfbe50f35e4358f5c2afbe5d5c8da6f1de9796fe6b0ea5a81d7ec4fe3adaf9de29c48838b7ddda75219bacb473fdd2b70f39c08ab0b3740b7a95d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
503KB

MD5
5b81d2a722548fda35998dd57c086eb1

SHA1
4979fe0cc17b9b8a28cf84ea8a42ed920c282703

SHA256
199ce83c1df59c827f382f42f90d4a0c002b212b5317dbb266a7eab11ab7182a

SHA512
846d3194e6e5ce4b2b4f3aa972ab540224600842a4db4e2c6055022503db269721c03fafbfa6c11051f2eca5d9924d3c1868d422d7002149494dc2d1a2a0a233

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD38B.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
5484f1f8184b6e42f9631027ad82afea

SHA1
5ac6c17efa666516f2ef9311ab682a7258b63707

SHA256
aaea0ff42900092b8c752b4bfa91b182ab8961dec6e0322959ccecd75bf71a42

SHA512
b14f6be78312e9dfb64a8eed0cedb9f9996d51d485720a896165e9e718fe43f899efd998c787e4deabbb0271d0c9da5ad9442602415c891789dd72bdc19c7671

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
d63cc8679a63448db1c64252e14e4ab5

SHA1
10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e

SHA256
29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d

SHA512
cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

Download Submit
C:\Windows\SysWOW64\28463\ICQV.001

Filesize
404B

MD5
1bceab23d5ab382a596537d50697b649

SHA1
715311b1b0bcf5ce6b11d9661a5c720290ec6ad9

SHA256
6291f683a6926b840eb4730a24bf334b661aca095efba350768033616285b452

SHA512
9c36ccea46b13db81de0bf8a4e5df4804c2a4670f66c2a5c7d18d2807362c132236d1630709cb2372d3b3af44e113fcb2118a66a826b90fc74c004752e046792

Download Submit
C:\Windows\SysWOW64\28463\ICQV.006

Filesize
8KB

MD5
81e20f4361cf8f5a57812871c24d945e

SHA1
5d7877d6959ab26599b05795a71633f00c37a3da

SHA256
e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d

SHA512
69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

Download Submit
C:\Windows\SysWOW64\28463\ICQV.007

Filesize
5KB

MD5
e9fbdcc2f5fb657fa519b3f5c69fc52d

SHA1
c49cca77b46a59d620711de7564d43e5dafcd2b5

SHA256
cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4

SHA512
913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

Download Submit
C:\Windows\SysWOW64\28463\ICQV.exe

Filesize
473KB

MD5
97d8ad45f48b4b28a93aab94699b7168

SHA1
8b69b7fd7c008b95d12386f6da415097e72151de

SHA256
661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331

SHA512
3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

Download Submit
memory/1100-27-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1100-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/1100-1-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/1100-2-0x00000000052A0000-0x000000000533C000-memory.dmp

Filesize
624KB

Download
memory/1100-3-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/1100-4-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/1100-5-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/1100-6-0x0000000005550000-0x00000000055A6000-memory.dmp

Filesize
344KB

Download
memory/1100-7-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3668-38-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-34-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-40-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-39-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-43-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-44-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-42-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-41-0x00007FFE01590000-0x00007FFE015A0000-memory.dmp

Filesize
64KB

Download
memory/3668-31-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-35-0x00007FFE01590000-0x00007FFE015A0000-memory.dmp

Filesize
64KB

Download
memory/3668-235-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-36-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-33-0x00007FFE43AED000-0x00007FFE43AEE000-memory.dmp

Filesize
4KB

Download
memory/3668-37-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-32-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-28-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-234-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-29-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-30-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-211-0x00007FFE43A50000-0x00007FFE43C45000-memory.dmp

Filesize
2.0MB

Download
memory/3668-233-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-232-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/3668-231-0x00007FFE03AD0000-0x00007FFE03AE0000-memory.dmp

Filesize
64KB

Download
memory/5024-88-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-17-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads