ardamax | 6bf3529a21cc6ca742cd048bb6846369edf360448fe93fa856f7d754413c76fc

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe
Size

1.3MB
MD5

4b74d21e0431fdafeb4bcad97fd89e31
SHA1

70e32efe4ca8aa95817b249ceff32faad4c12f0c
SHA256

6bf3529a21cc6ca742cd048bb6846369edf360448fe93fa856f7d754413c76fc
SHA512

7ea76f5b7e247337821a3183fe78bf05bd908bf2801efaaad6c5d72756ef2b2d0999318af38cb144d759610a791019f24641c5042637e0553a37743c702d8117
SSDEEP

24576:a1YLTV7I4p2dWCYyRxRRtGLQRxnS0nu1NgMoFM+XR5NjthQe+iCdkg6:a1OTV9p2Q0Re0nu1NroFtXXthvCdk

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001667f-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2764	HYY.exe

Loads dropped DLL 1 IoCs

pid	Process
2640	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HYY Start = "C:\\Windows\\SysWOW64\\PHVQSM\\HYY.exe"	HYY.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PHVQSM\HYY.exe	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PHVQSM\HYY.004	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PHVQSM\HYY.001	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PHVQSM\HYY.002	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PHVQSM\AKV.exe	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2764	2640	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2764	2640	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2764	2640	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2764	2640	4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b74d21e0431fdafeb4bcad97fd89e31_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\PHVQSM\HYY.exe
  "C:\Windows\system32\PHVQSM\HYY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PHVQSM\AKV.exe

Filesize
487KB

MD5
5fd84c80f68477c1b320b199ca2e790e

SHA1
005420d1c5ae14bf7c58c8d72973e70eb89d0af1

SHA256
2ed62e2c5947d8756eeb8a45958e9e12ba895495680e8cf2a1cf63ad4e043436

SHA512
7cc028cfc07d436239e936df7ecf2bc57c33fbe400499caf8ef341aa4da542b4be7b202e5366f65f2e5f0071eebbfec0492f988968a4ac1dc29cb4be61788e52

Download Submit
C:\Windows\SysWOW64\PHVQSM\HYY.001

Filesize
61KB

MD5
18b0969d5f59b5326636342e608eab15

SHA1
461c2a486077c4339e6cda094166e68da3a852d6

SHA256
ca66304ffff7f2437eaf2757b3938607665f9f390f451e703f60c0a8c2a1f658

SHA512
ed71c5f4535ab4dd068ba37d59c058542ba475e988a0564f523dae4d031e7516bf7866bf4bd52940d2048542994c56a5f0d0540206c0ccdaedd0c703e025ecdd

Download Submit
C:\Windows\SysWOW64\PHVQSM\HYY.002

Filesize
44KB

MD5
1017d72de6c53aa7805272bd85e76671

SHA1
56dcc53bd339d2fc7a2c6a3cbf3dfc1de126801b

SHA256
66e2e833749335d9dbad3abf7b94081ba53d9231fc9726a3916d20735043461e

SHA512
9d982e47843ca28354428388d08ad8ebad21b10af13cc9691c0ba3d563f1aaa207238cbec2cf655fbb59b02824cf9a32fbc16e9da46e16d0b055aef96e2920f1

Download Submit
C:\Windows\SysWOW64\PHVQSM\HYY.004

Filesize
1KB

MD5
60325009d0f88b93218c69bb26c9a30e

SHA1
c78b1d3a01863c216b059b7b6501e5e03ab07202

SHA256
9f2bea0f8a93bd6e64a25a428ddbb269d920fc8f531ff09e39d103e9ba2388da

SHA512
7ada5ffa102c56bab500f7680562c7e9cc70447cf3d5dfac6642274cb45f60d40af675e525429a7d18a5b1ebe58991e2ea2eba5524fdabc07a28d73c1cc9bfe7

Download Submit
\Windows\SysWOW64\PHVQSM\HYY.exe

Filesize
1.7MB

MD5
69654934ee989113a3ef7b852abf39f5

SHA1
f763638204ea73ed74d8c51e541dc9928afb4e08

SHA256
a6e8c9331281c8f67ffb04ca9f3ae5ca8de50e67fff1fa206e60674b30eb86b2

SHA512
aceeb5b8d5a4e91d2fd44cc3856d00a540dada6e99c9a50abef22b33b7ada3eb2baa2d5d7ecf7f8568d2d8e9fccb08bba0b5aac1691037860d53e84a9a357eb0

Download Submit
memory/2764-15-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads