ardamax | c6a86f2c27b1250d7dbdabeedfa5edd5e6b3baf1d66955fbe08dec8821864103

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe
Size

1.8MB
MD5

604d424543bc2eb56442f007b79c3ce4
SHA1

ae8b2394ff498823163346968de336ecf51f76d6
SHA256

c6a86f2c27b1250d7dbdabeedfa5edd5e6b3baf1d66955fbe08dec8821864103
SHA512

2f01840ebb5094cc83e811f886438dbfcd689c526bed3727dab5525fa7c15eb77c20137e2b67212da2c7cae82e27d19f8c53d50e624cef443b9399a9a211255b
SSDEEP

49152:eqxKXBJASciVHSLKi6YwkKrjjFETxNPV:eUKXX5chu91r1up

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018ee4-25.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2988	install.exe
1888	JVTB.exe

Loads dropped DLL 6 IoCs

pid	Process
2988	install.exe
2988	install.exe
2988	install.exe
1888	JVTB.exe
1888	JVTB.exe
1888	JVTB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JVTB Agent = "C:\\Windows\\SysWOW64\\28463\\JVTB.exe"	JVTB.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\JVTB.001	install.exe
File created	C:\Windows\SysWOW64\28463\JVTB.006	install.exe
File created	C:\Windows\SysWOW64\28463\JVTB.007	install.exe
File created	C:\Windows\SysWOW64\28463\JVTB.exe	install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	install.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\madruga.jpg	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\madruga.jpg	DllHost.exe
File created	C:\Windows\install.exe	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2944	DllHost.exe
2944	DllHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2988	828	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe	30
PID 828 wrote to memory of 2988	828	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe	30
PID 828 wrote to memory of 2988	828	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe	30
PID 828 wrote to memory of 2988	828	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe	30
PID 828 wrote to memory of 2988	828	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe	30
PID 828 wrote to memory of 2988	828	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe	30
PID 828 wrote to memory of 2988	828	604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe	30
PID 2988 wrote to memory of 1888	2988	install.exe	32
PID 2988 wrote to memory of 1888	2988	install.exe	32
PID 2988 wrote to memory of 1888	2988	install.exe	32
PID 2988 wrote to memory of 1888	2988	install.exe	32
PID 2988 wrote to memory of 1888	2988	install.exe	32
PID 2988 wrote to memory of 1888	2988	install.exe	32
PID 2988 wrote to memory of 1888	2988	install.exe	32

C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\install.exe
  "C:\Windows\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\28463\JVTB.exe
    "C:\Windows\system32\28463\JVTB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1888

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\madruga.jpg

Filesize
22KB

MD5
32946b57633bf8f0be7ed3b405036a6d

SHA1
11d943452dfad1cfb80970cd510abab8a1c6545d

SHA256
b2040666cd2a7d3b463c3868d215b69460f0503bedb7bba28509319084df0b4a

SHA512
5dc0ab44b14dcf4950d219fea7532da2cb7ce1a94842427ddc626273dbbb6eb6649c628fa2b121d444d9e838c08ce6fb2e79a27f20539c4b1051fd86055d05dd

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\JVTB.001

Filesize
468B

MD5
55c6ac0a5aa9ab07f821d91ebf7fb606

SHA1
e3ceaf3558959bf3d67913f9c45f0faf42a08ed6

SHA256
6b04dacf865c83a6fabe617459c09d32fb995793852106e9cc0c3e46f2def478

SHA512
56d765bef180964060e2237d5b3bc24f4ec41cc6db4e8b1cf77dcbf629122cb8ec51ac41fafcd74b03cff815b8edd6c8ed951795400ca1dced8f366b030bb6f7

Download Submit
C:\Windows\SysWOW64\28463\JVTB.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\JVTB.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\JVTB.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Windows\install.exe

Filesize
502KB

MD5
984204e4690b4605084cce4646da62a7

SHA1
9963ecd75d9eb8af4926d02558c02a21f63f368a

SHA256
3e96fddb0eac0981107aba860a47ea87939e6247253d03d67e27b8ce41e053d2

SHA512
b2d04f4679fde65bca26d7e40f4b17b3a35422f2866c752a0c354e8e8c8162549165385ed6296627c116b79877620237131a24239dd6d9794c79f477712e5f6a

Download Submit
C:\Windows\madruga.jpg

Filesize
162KB

MD5
e0989f1fe0c33462a62ad52ab2df079c

SHA1
f6197379ab77debe93fb0d5ea2d85505bb8474d9

SHA256
b37a6b128b6d597b56b2ed2cdd7c284e33dc2b57a9b4e3fcd8e483f3f0b9f285

SHA512
e84b9ec66e8cfc8f0ebac80174161b4460bbbfe91e719f277c73a1165cb79a6d7643744f97df3e55f9beff74013b44395866ec4a04ec93decb3efd13b044f924

Download Submit
\Users\Admin\AppData\Local\Temp\@E5CD.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
memory/828-30-0x0000000000400000-0x00000000005C4000-memory.dmp

Filesize
1.8MB

Download
memory/828-35-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/828-28-0x0000000004800000-0x0000000004802000-memory.dmp

Filesize
8KB

Download
memory/828-0-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/828-3-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/828-1-0x0000000000830000-0x0000000000920000-memory.dmp

Filesize
960KB

Download
memory/2944-29-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2988-36-0x0000000002B80000-0x0000000002B82000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads