ardamax | 1421ec7a59d3e1fde0bfc5c1ecebaf45d3bf0cd226c362891468786ce8d59965

Analysis

max time kernel
92s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e76f1a448a080f6bb32cca5adc826cd_JaffaCakes118.exe
Size

1.8MB
MD5

2e76f1a448a080f6bb32cca5adc826cd
SHA1

d10f711cb19f6705f0076e807b58f83dd2e19073
SHA256

1421ec7a59d3e1fde0bfc5c1ecebaf45d3bf0cd226c362891468786ce8d59965
SHA512

5244474e59ee2517c868068bae7b2ae706e56cfca26ad95ac9d1d2387b5275d206444df6b82ac0997efc75eae2ac38d08d0041a3bc1dfd88e017edab66fe01f1
SSDEEP

49152:wtFTM4iPnt3J8RnHR+KE9jagBNZpFXHeuxTXWR:4FTMBKHR+KEASNPF1xjk

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234cd-42.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	2e76f1a448a080f6bb32cca5adc826cd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	a.exe

Executes dropped EXE 4 IoCs

pid	Process
2724	msnmsgr.exe
228	b.exe
216	a.exe
4120	KBXI.exe

Loads dropped DLL 4 IoCs

pid	Process
216	a.exe
4120	KBXI.exe
4120	KBXI.exe
4120	KBXI.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2420-0-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2420-38-0x0000000000400000-0x000000000061D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msn = "c:\\windows\\msnmsgr.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KBXI Agent = "C:\\Windows\\SysWOW64\\28463\\KBXI.exe"	KBXI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\KBXI.001	a.exe
File created	C:\Windows\SysWOW64\28463\KBXI.006	a.exe
File created	C:\Windows\SysWOW64\28463\KBXI.007	a.exe
File created	C:\Windows\SysWOW64\28463\KBXI.exe	a.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	a.exe
File opened for modification	C:\Windows\SysWOW64\28463	KBXI.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\msnmsgr.exe	cmd.exe
File opened for modification	\??\c:\windows\msnmsgr.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4120	KBXI.exe
Token: SeIncBasePriorityPrivilege	4120	KBXI.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4120	KBXI.exe
4120	KBXI.exe
4120	KBXI.exe
4120	KBXI.exe
4120	KBXI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3948	2420	2e76f1a448a080f6bb32cca5adc826cd_JaffaCakes118.exe	85
PID 2420 wrote to memory of 3948	2420	2e76f1a448a080f6bb32cca5adc826cd_JaffaCakes118.exe	85
PID 2420 wrote to memory of 3948	2420	2e76f1a448a080f6bb32cca5adc826cd_JaffaCakes118.exe	85
PID 3948 wrote to memory of 2924	3948	cmd.exe	88
PID 3948 wrote to memory of 2924	3948	cmd.exe	88
PID 3948 wrote to memory of 2924	3948	cmd.exe	88
PID 3948 wrote to memory of 2724	3948	cmd.exe	89
PID 3948 wrote to memory of 2724	3948	cmd.exe	89
PID 3948 wrote to memory of 2724	3948	cmd.exe	89
PID 3948 wrote to memory of 228	3948	cmd.exe	90
PID 3948 wrote to memory of 228	3948	cmd.exe	90
PID 3948 wrote to memory of 228	3948	cmd.exe	90
PID 228 wrote to memory of 216	228	b.exe	91
PID 228 wrote to memory of 216	228	b.exe	91
PID 228 wrote to memory of 216	228	b.exe	91
PID 216 wrote to memory of 4120	216	a.exe	92
PID 216 wrote to memory of 4120	216	a.exe	92
PID 216 wrote to memory of 4120	216	a.exe	92

C:\Users\Admin\AppData\Local\Temp\2e76f1a448a080f6bb32cca5adc826cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e76f1a448a080f6bb32cca5adc826cd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9D0B.tmp\t.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v msn /t REG_SZ /d c:\windows\msnmsgr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2924
- - C:\windows\msnmsgr.exe
    C:\windows\msnmsgr.exe
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\9D0B.tmp\b.exe
    b.exe /p123
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Arquivos de programas\Arquivos comuns\a.exe
      "C:\Arquivos de programas\Arquivos comuns\a.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\28463\KBXI.exe
        
        "C:\Windows\system32\28463\KBXI.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\Arquivos comuns\a.exe

Filesize
480KB

MD5
c7a7f323b2c868b2d4eac294f45106b4

SHA1
60f9f1bcff85375d61a7d0a3dcce893cf1d2d593

SHA256
b7900015ae0c4d1509b173759248407cafa27c0450bbd83d25a580232b1499ba

SHA512
ac308942d529ee77048b65d5aad1582f26921db1d98c70dc8d5825494b48471332f7e22efde84746f8e98c047e076605d87ebcf2212237978566055b2b0ab567

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D0B.tmp\b.exe

Filesize
722KB

MD5
fdcc1bf26697c1ea4ab08c9ef264b076

SHA1
f1dad70db4d7390fe85da9be4fc16e4903e2d3aa

SHA256
ac245f678baeccb84664d96cd5f10854730e88dc2f2b743866b211de2086d50b

SHA512
146ed2c947ad9e161e98afe066fc987750302bf3bcaf19429323ed8efd5bc51e14f561cb5a542d86880d468262942411628edc99911e7dcb758944027ff162ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D0B.tmp\msnmsgr.exe

Filesize
1.3MB

MD5
59ed114fa3688d9754279d370aa34d8f

SHA1
ab58147c37a9f845b4b9e60c9a46d7622ce99863

SHA256
7991f4581daa7b1d3fbd24318b1f36ae5a68b061c250c94639cb9a2830906605

SHA512
d8fdb584010eaf2430d77c955d711c537c8c4d4e94c1ea2149f38e841756f56bdb2eda3f21c35e12db1db377fd43360b927d767d364169b6b6eed130fea01de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D0B.tmp\t.bat

Filesize
183B

MD5
7c11a273e1cda942e6ff9737bd05db21

SHA1
066df7908f2cc8707ad8e3f01b0b6c33ad3101b8

SHA256
adb56430eff4f1f7e9a082973bf5eb16149cda388e8832fcf6a9db05fe8cce04

SHA512
854150f99df09628809bf7d1a5550316453b89656309dea7c7769f9470d7afbd65f774112f23120021c1ac4ec38de2b9b6faf7adf2dd394a40e62804da8ce73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\@A3B2.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\KBXI.001

Filesize
478B

MD5
07b2f10f9592c89960c5c2b33d4ddd37

SHA1
f1f23713f9a4202330156007beef35a31c85317f

SHA256
ba1ec6ae936636d9f37e01f29f187d66685f763e6d5b6cc507e88a0d269975b0

SHA512
284402b639a476d28a36d43eb53d919b1bd5a80ec6f2ee8df7704264d853c60004484de52f79373e783dca538e92352b7a81e4bc8b769868a825006182f60736

Download Submit
C:\Windows\SysWOW64\28463\KBXI.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\KBXI.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\KBXI.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
memory/2420-0-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2420-38-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads