ardamax | cff9731943e9a8022b996bf370f898a4ccac3b283dd23deab41fb693704ae192

Analysis

max time kernel
122s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/07/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe
Size

1.1MB
MD5

56795e24f35888b2c3d1488f2fa48359
SHA1

098845009b8bf9ae8aecd0fac4d2c44f03901a0c
SHA256

cff9731943e9a8022b996bf370f898a4ccac3b283dd23deab41fb693704ae192
SHA512

1d757c1052d144734e7e17190878894bc2aa8b5c7760587398ff994315608a7d1e56e854e8117154ff573773d877b91a3865a8b414faf7c04de2543e2a7d67c9
SSDEEP

24576:kZxTj7huqkszuD23BWQp/Jpvyfdk/POpxq0v7RxE+HUz284phl:kXTsNsiOZRJN+dQOpUmXBcR

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000018faa-26.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2844	1.exe
2896	2.exe
3048	NWY.exe

Loads dropped DLL 3 IoCs

pid	Process
2896	2.exe
3048	NWY.exe
2844	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NWY Start = "C:\\Windows\\SysWOW64\\LJYQOV\\NWY.exe"	NWY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	sites.google.com
6	sites.google.com
7	sites.google.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LJYQOV\NWY.001	2.exe
File created	C:\Windows\SysWOW64\LJYQOV\NWY.002	2.exe
File created	C:\Windows\SysWOW64\LJYQOV\AKV.exe	2.exe
File created	C:\Windows\SysWOW64\LJYQOV\NWY.exe	2.exe
File opened for modification	C:\Windows\SysWOW64\LJYQOV\	NWY.exe
File created	C:\Windows\SysWOW64\LJYQOV\NWY.004	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3048	NWY.exe
Token: SeIncBasePriorityPrivilege	3048	NWY.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2844	1.exe
2844	1.exe
3048	NWY.exe
3048	NWY.exe
3048	NWY.exe
3048	NWY.exe
2844	1.exe
2844	1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2844	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2844	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2844	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2844	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2896	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2896	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2896	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2896	2936	56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe	32
PID 2896 wrote to memory of 3048	2896	2.exe	33
PID 2896 wrote to memory of 3048	2896	2.exe	33
PID 2896 wrote to memory of 3048	2896	2.exe	33
PID 2896 wrote to memory of 3048	2896	2.exe	33

C:\Users\Admin\AppData\Local\Temp\56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56795e24f35888b2c3d1488f2fa48359_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\LJYQOV\NWY.exe
    "C:\Windows\system32\LJYQOV\NWY.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a63a92bacf92916ba5ab9760d25bcd89

SHA1
c98a79cd507b177e57f39d6714ee41d4606379e3

SHA256
344023dba3b7d428b665630ab1eaa373f9b6d0701ec04ca55d75e7a2f13e8978

SHA512
b63060186f2f741fab1252e06cd5247580d7192352d6c4d70c09afdc6497be90b856e745747a661aa4dbb947540324c1d6a07976db12771426d329466de7b012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77edf95ee3fce933ad46420dc7476789

SHA1
d1ad79d020b65b781616ffde0ba49ad07adec68c

SHA256
daa97df36d270f670386e7a9efe4b43ca003ce4160992b29b9c6c3d3e5702059

SHA512
97100908de09a4fc61b6ef95611307e19d6025b9757822c96b32df6de0e654e69555c4eabec0d1080da9a547444679c6e2a0cc614e7fb52456c8549013ca0f7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0652e873fd3ec6db3cc45de41c494fc

SHA1
69ac0bfc660db58f90b0287438e274063cecd4e3

SHA256
20c649b6b17a845fbefbcdfd84d8cc1de819152330089f80e830954645bdb2d3

SHA512
3d5b1ba913de3b8f333cc226b686135396a500c39be7b2eff645e6c42bbc642c019f8c8a9c2f1c12f2aa5c30c44aa63934f52f11b7fd04a4cc7a11e13b877577

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a026e140f753a5ba8bc23e6602f9aa50

SHA1
fd7e6774376814f6aa8b01fba9b232a83a3ca7f9

SHA256
d58645a02cd5504158ac15f19aaf6870c894f62e5f76749be74e7cd008e57df1

SHA512
b53f56fe2609a2adbb47d2f4d617dcce23b02d21d6b47b97aa31bcc91894190a741ef7db7496ed1591930c782c379e5c32de5be1055860f76a3a9221dc9174a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f23ef36a25ea18f59e086793d9fabd4

SHA1
189f257b7252cbda0e5e78aa1d6e9d7ab43c4e24

SHA256
39a2c37d3cf305ae986dd4bcd30d2070cdef1ed23f282900ee8a581b9ab7ab30

SHA512
7accc7ec1f6fac82a2664d47174f4a3ed23b8fddd04691bd996cb7b4cb90373e8ada6391cb83a31d0e0a421b18529e8cf2b91f8c11ec176e8340b11b3821a9c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c6cc207e96fa8537a1b4f0e97ba6b7a

SHA1
7de28ac25c5dc4fb7aa1eaf1e7d6de740d7172ac

SHA256
b27ec99c69a2e5033f2167e2cf770f0820d2a8f402234b2061ff9d7b02783f83

SHA512
b5c45effe69e391389b321563054c2adfcb5b90054b814d88e806626b28fe9eb8b7cb3510378027c9eb10c9bc69fd80b6908c6b520d349b3caba7fab8bd78afc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65c3745621486cf33c1e8982ed2faa1f

SHA1
66bd01cefa4293d87a4826232bacae56b2c37327

SHA256
80da799c42dada06e1278cdc3bfda1ebf1e7b5648d64d884e2f194c33bc68854

SHA512
15200126075a5cf5d7b5315a2f935b4e449960a396c87c27e4b77a087e0b58db688d24c495d3837dd2c0552d74b42d9a9e55518e104f45a4710b21ddbfc6124b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5492314c685ae4d2ca79435e1f23d508

SHA1
bbf8051797da519477e7b1839ad038c99644ab3e

SHA256
ed65e8e87dd2f04dc4329ebaf5d32423147b0e9f2aa434a07e466ba23730630a

SHA512
c8475c744dbe32bd105cd97eeb6d31f91efa43fafb2b8e6226f4144429c5160d5458d97e3bd33ac3c7e8fb695967cf0247f932d5d073b555d1e98cbb2615fe52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
05d9202bcb765c0397c736e28a0be02b

SHA1
dd6331addace01495cac5be0579111be08d5d140

SHA256
a5481a1bf90efba8d5eec7dcecf2bf0b1acb78a8569a1447fee70c85e9ba9d2b

SHA512
9d6f78dcf536c00f4da47deefae638ca3bb0c0140759eb67ac2e40ed1d67d32879725bd7cac60b9465aca2a25f426c9f76a60fc866cd85c96dfdcc5bee161d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\identifier[1].htm

Filesize
181KB

MD5
3507012ce97e444b3ffa5c55a476507e

SHA1
ba8a9c2da22fdef37f63341387239bd6076e9025

SHA256
2cf57727fa8dd62084a3e66ff540d8c15983562e8a9ed2fbeb87be3a6d644599

SHA512
7a8ab2920438ff231bd03e08b9bee054ffb0884129c8dc8039e1fc888c58fe98d96015f9864d1a53cd4695b483d8d6673a38d15172b3f8528ca1b13920f0c75e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\identifier[2].htm

Filesize
181KB

MD5
060f2fb1654255039c57fbf3bf7da9a1

SHA1
a3daea0f544297f1ff0715a6d812d5913c30e445

SHA256
cf2442a2fb44d0a9f2067a424df71269d616fb43fe6c811fc303d0b52228cb6a

SHA512
59968aed18830806703deda9fd65cc89399fa1198ee4233b0352c77bc826a851ca6c40d7f9491709871928ce1845cc17d43ad196d278a5ae00c9d949535fb17b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XWMUP5AI\identifier[1].htm

Filesize
181KB

MD5
4a3c48fa2b5abf7580823d781172ae52

SHA1
771e8f8d8891b098837f78cbf54ef39600b5d894

SHA256
b3d8da15904e0d81d43cb0e1fc98cfb4ec129e1a6fd5351733517c1eb10f87b4

SHA512
9e809dd83754c850653976c733097434afa287120c41212fbe17dada637c09740ac9ddf3bded2008dcbc6f5c1775ee44f07b28015b5fab6e5c7e55c03be807b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
72KB

MD5
306fab489b8294118d84d42b449c1a5e

SHA1
aeca5ffe1b815212d09e2d57a313620118d19f1d

SHA256
18bc1c5fd3e789937017e7d41cbcddc608d14a7c66d16e1282f070b300fcdb8c

SHA512
12794f920a605305579eeef6dcbed81606abd2a5818586bf79ca040f68dbb1918c2817a01ff04d38b0464e86b2ee9792663ae493b007f62bc264bdb9df2c3e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.1MB

MD5
e76f2cce30691d234d0a1ebd48eec7b6

SHA1
798344dd72b3f87acacd4dd429adac8962e8e192

SHA256
7d9f0ee198741e8d4ea5bfc9554feede4464217b82f9022af3b6a896068205c5

SHA512
f38d683b8d1e7a9aac7e34b1ec603296c9ca831552c2d503e05bbf79cff64c743f47dacb282b2d2a1fd368fb95a2fae5af5194cf45211246fddf8a469368fc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D4E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E69.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\LJYQOV\AKV.exe

Filesize
456KB

MD5
1f29b1075a91b3da0ccc0b9c49eece56

SHA1
048e675f087181035aedece9e7b11d065c6355cc

SHA256
4f6825548b32329c3360ed9abb7c0a6809a2c2291cf0bcaac511a9fa32a6336e

SHA512
7e152caf055f57f599ecc1e3a404b540b721b3315d2ba16bff6eb21f03edeb3a06ae185621e3139293612d94210f500f098bd281489ca7f336efd8b5284ee060

Download Submit
C:\Windows\SysWOW64\LJYQOV\NWY.001

Filesize
61KB

MD5
31c866d8e4448c28ae63660a0521cd92

SHA1
0e4dcb44e3c8589688b8eacdd8cc463a920baab9

SHA256
dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

SHA512
1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

Download Submit
C:\Windows\SysWOW64\LJYQOV\NWY.002

Filesize
43KB

MD5
093e599a1281e943ce1592f61d9591af

SHA1
6896810fe9b7efe4f5ae68bf280fec637e97adf5

SHA256
1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

SHA512
64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

Download Submit
C:\Windows\SysWOW64\LJYQOV\NWY.004

Filesize
1KB

MD5
04883daf002d1e31229edaf67a763811

SHA1
cfa27de24b3b4f0da96567278babe2a5470130aa

SHA256
927ee45ace88b0049c15086cae86877c2b50206d800a51e14551956fb0968205

SHA512
fd79159a23ee99e8812aa6e8a0e5773c4e02672c21250dba4fcb4bce832e5b0f70e9af0f791d9a4b82379204001859a88386ead719915494af261a7015c40388

Download Submit
\Windows\SysWOW64\LJYQOV\NWY.exe

Filesize
1.5MB

MD5
0aaffc12ef1b416b9276bdc3fdec9dff

SHA1
9f38d7cf6241d867da58f89db9ff26544314b938

SHA256
42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

SHA512
bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

Download Submit
memory/2844-75-0x0000000002AA0000-0x0000000002ACE000-memory.dmp

Filesize
184KB

Download
memory/2844-79-0x0000000003700000-0x000000000370B000-memory.dmp

Filesize
44KB

Download
memory/2844-81-0x00000000058C0000-0x0000000005C07000-memory.dmp

Filesize
3.3MB

Download
memory/2844-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2844-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2844-703-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2936-0-0x000007FEF62AE000-0x000007FEF62AF000-memory.dmp

Filesize
4KB

Download
memory/2936-29-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-4-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-3-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads