ardamax | 170d96b3472934e446b7cfe8066986025ad8fdaf326f410907848bc47a2e367b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
Size

843KB
MD5

4e7033d83754606e2da5f4e887546bef
SHA1

d56becb8abbe960e7a113015eecf6bdd81e34d61
SHA256

170d96b3472934e446b7cfe8066986025ad8fdaf326f410907848bc47a2e367b
SHA512

59f4e69ac57c64f4e88c09ea3e69db65f119ad16bc0a50291d35c6c51f02f14396994165837ccb77e9340dbf0d8d5b5c11f0a78eeedae46fbd07987d961be6a1
SSDEEP

24576:+tAicmk7aJj0wBgvCF9Rey1S1QjRQcqKxWVd8:/dPq0eWCF9AaSyjrqKkVd8

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001661e-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2064	TYCP.exe
2076	PuritySilkroadLoader.exe

Loads dropped DLL 5 IoCs

pid	Process
1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
2064	TYCP.exe
2064	TYCP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TYCP Agent = "C:\\Windows\\SysWOW64\\28463\\TYCP.exe"	TYCP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	TYCP.exe
File created	C:\Windows\SysWOW64\28463\TYCP.001	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\TYCP.006	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\TYCP.007	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\TYCP.exe	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\key.bin	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\TypeLib	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\FLAGS\ = "0"	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\TypeLib\	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\VersionIndependentProgID\	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\ = "Groove System Services 1.0 Type Library"	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\FLAGS\	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\Version\	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\InprocServer32	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\InprocServer32\	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\InprocServer32\ = "C:\\Windows\\SysWOW64\\RACPLDlg.dll"	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\ProgID\	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\FLAGS	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\TypeLib\ = "{1E9DC239-4151-9E64-88D9-E105D8CFBE63}"	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\ProgID	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\Programmable	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\0\win32\	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\127"	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\Version\ = "1.0"	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\VersionIndependentProgID	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\ = "Siwoplat Xobiwa object"	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\ProgID\ = "RACplDlg.RARegSetting.1"	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\Version	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\HELPDIR	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\VersionIndependentProgID\ = "RACplDlg.RARegSetting"	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\0\	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\0\win32	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\HELPDIR\	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45D3E1C2-5E3E-483C-F898-93C1EDBBCC95}\Programmable\	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0	TYCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\	TYCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E9DC239-4151-9E64-88D9-E105D8CFBE63}\1.0\0	TYCP.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2064	TYCP.exe
Token: SeIncBasePriorityPrivilege	2064	TYCP.exe
Token: SeIncBasePriorityPrivilege	2064	TYCP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2064	TYCP.exe
2064	TYCP.exe
2064	TYCP.exe
2064	TYCP.exe
2064	TYCP.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2064	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2064	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2064	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2064	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2076	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	31
PID 1996 wrote to memory of 2076	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	31
PID 1996 wrote to memory of 2076	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	31
PID 1996 wrote to memory of 2076	1996	4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2828	2064	TYCP.exe	33
PID 2064 wrote to memory of 2828	2064	TYCP.exe	33
PID 2064 wrote to memory of 2828	2064	TYCP.exe	33
PID 2064 wrote to memory of 2828	2064	TYCP.exe	33

C:\Users\Admin\AppData\Local\Temp\4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e7033d83754606e2da5f4e887546bef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\28463\TYCP.exe
  "C:\Windows\system32\28463\TYCP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\TYCP.exe > nul
    3⤵
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\PuritySilkroadLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\PuritySilkroadLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PuritySilkroadLoader.exe

Filesize
71KB

MD5
bd7da5a374fc77695c76d4876193c095

SHA1
4ea164e4a6dbeda1b05f8a510ec3543ec27601f2

SHA256
e5faef3b0a814f6b57416503e777885ef678ccc8f03d34345c35c23174552c36

SHA512
f2581609de64579c00442d072d70d65150bd57b4b46ea77f15ee52f95273f788fb5032cdc3231ba10e381c50a94e3a554adb0c08bf63417b18124985f48a40b4

Download Submit
C:\Users\Admin\AppData\Roaming\edxLabs\edxSilkroadLoader\edxSilkroadLoader.ini

Filesize
83B

MD5
e0ed68b06e7db9bb620a0f8bb90fe830

SHA1
61a3fffe58c59770bd095c960f93ec127c07d0ca

SHA256
dff09dfe689ce6bfbae4cb3fde00e49691c54be3f04789ab37bfede0e5f54f30

SHA512
728be6e87f61764901a9b1465b6d6ff20c5246cb5cb2babe673a21d0a9933ffb44384d0762b8f74e101e6f56e3c6cb537dce489c623fcb46ba34e8cced849b75

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
752e814c2a5d197b8065501e786683c9

SHA1
c7b5840ab79ec308d0aca9a8f07d59730b31ad99

SHA256
5b387c65f0c677d415a3ec75fc314ecf4825b85cc8316575267ece340810c3f7

SHA512
af4bad6716f4f57e776145eb68f64d31c0fb2146b02ccb3dcda1a864215b9aeaa80abd5314d999a0bef721185c62f38463da6caba1eb7eb95c86c22691c510bf

Download Submit
C:\Windows\SysWOW64\28463\TYCP.001

Filesize
406B

MD5
fd389a8feab0a2e5553200a351d1c4d6

SHA1
78be5d9dd432d0bedb9ee8a1ae414d377d36ea90

SHA256
769295341c8b36219e83f4b31d785911bbcb8361511b90d3c6d3e8aeeb0d0477

SHA512
26bc6ae6b87d8459b815caa2c0967e9b0be4f7152ba785e38a62380ae4cbc8ecc53dfdcd81d868b53591572bdb90a341bf33279e9ddf7ff08db6811e61eb7436

Download Submit
C:\Windows\SysWOW64\28463\TYCP.006

Filesize
8KB

MD5
911a5a213762001178a48b2ceefa1880

SHA1
de9b25ac58e893397ab9ad3331bd922bbd5043ae

SHA256
273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9

SHA512
cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9

Download Submit
C:\Windows\SysWOW64\28463\TYCP.007

Filesize
5KB

MD5
2183e6a435b000fc6e85b712513c3480

SHA1
c088b82494aaeca23a5acfaf83f55597bd0bdc6e

SHA256
9a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5

SHA512
94ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@C4B6.tmp

Filesize
4KB

MD5
b89311bdf4e6640cc9051e629476cbe4

SHA1
ced30235482232b045cd5d8004e8ead01b30f9ca

SHA256
db0e9d83d8a5309ae4ab4747ff6ce506a2f85b01a598caad697a69b3ddb557a1

SHA512
8e71c2238e23cd793feb061736d00f8aea0002f79e2632093529ed6242f9af2a99baa598d58c04bbc9c02715d7f18955ae88334e39caa2978e88904cf27911d4

Download Submit
\Windows\SysWOW64\28463\TYCP.exe

Filesize
647KB

MD5
b314bd03990cf08f3ca04dd98ece3e9c

SHA1
760dca4682edbefb1bb8636bf1011207b763a7b0

SHA256
c6b1edc51c705e8f46ab7b2ddc03378e0f2bdcc4948578eff870aad6d421acd1

SHA512
b331dff33995e4e2c7e926cd4f0ea2d40da972924d05d28fe0db2f8de92d0cad5a48ce95819f7243c7efadce11d1ecf17e093c1a7bed9497520123c8715fa47a

Download Submit
memory/1996-57-0x00000000028E0000-0x00000000029BF000-memory.dmp

Filesize
892KB

Download
memory/1996-16-0x00000000028E0000-0x00000000029BF000-memory.dmp

Filesize
892KB

Download
memory/2064-22-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2064-30-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2064-29-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2064-21-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2064-20-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2064-25-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2064-18-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2064-48-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2064-47-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2064-46-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2064-45-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2064-23-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2064-26-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2064-17-0x0000000001CD0000-0x0000000001D2A000-memory.dmp

Filesize
360KB

Download
memory/2064-27-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2064-56-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2064-28-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2064-58-0x0000000001CD0000-0x0000000001D2A000-memory.dmp

Filesize
360KB

Download
memory/2064-59-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2064-61-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2064-64-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2064-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2064-67-0x0000000001CD0000-0x0000000001D2A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads