ardamax | 4774a12109840d5944bdbb2f8a60f33416eecea42f8cbbd876cb6c29f3750b7e

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe
Size

835KB
MD5

6166359117594c83d2b01a3ab6420a7b
SHA1

b852f541c19a02e00c87d34b118834623a39f3e4
SHA256

4774a12109840d5944bdbb2f8a60f33416eecea42f8cbbd876cb6c29f3750b7e
SHA512

5ca3cc9481d29cc8eaef8329e0f56170dc1f2085d778af1dd89ad2c05aac937e5b5335e91a24d75327914e9e7339d5c580398521da680e3c501f69c7d9d671e6
SSDEEP

24576:zjgRdwgPd7710U04i7OyOzkwgLiAXW0qVF:zjgRdwudG7KyQqLDXaF

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016dec-34.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2204	rinst.exe
2244	PerX.exe
2840	CAQF.exe
2724	PerX.exe

Loads dropped DLL 17 IoCs

pid	Process
2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe
2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe
2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe
2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe
2204	rinst.exe
2204	rinst.exe
2244	PerX.exe
2244	PerX.exe
2244	PerX.exe
2244	PerX.exe
2244	PerX.exe
2840	CAQF.exe
2724	PerX.exe
2840	CAQF.exe
2724	PerX.exe
2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe
2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2724-58-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/files/0x0006000000016df7-57.dat	upx
behavioral1/memory/2724-67-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CAQF Agent = "C:\\Windows\\SysWOW64\\28463\\CAQF.exe"	CAQF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\CAQF.007	PerX.exe
File created	C:\Windows\SysWOW64\28463\CAQF.exe	PerX.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	PerX.exe
File opened for modification	C:\Windows\SysWOW64\28463	CAQF.exe
File created	C:\Windows\SysWOW64\28463\CAQF.001	PerX.exe
File created	C:\Windows\SysWOW64\28463\CAQF.006	PerX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe
2724	PerX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2840	CAQF.exe
Token: SeIncBasePriorityPrivilege	2840	CAQF.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2840	CAQF.exe
2840	CAQF.exe
2840	CAQF.exe
2840	CAQF.exe
2840	CAQF.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2204	2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2204	2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2204	2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2204	2964	6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2244	2204	rinst.exe	31
PID 2204 wrote to memory of 2244	2204	rinst.exe	31
PID 2204 wrote to memory of 2244	2204	rinst.exe	31
PID 2204 wrote to memory of 2244	2204	rinst.exe	31
PID 2244 wrote to memory of 2840	2244	PerX.exe	32
PID 2244 wrote to memory of 2840	2244	PerX.exe	32
PID 2244 wrote to memory of 2840	2244	PerX.exe	32
PID 2244 wrote to memory of 2840	2244	PerX.exe	32
PID 2244 wrote to memory of 2724	2244	PerX.exe	33
PID 2244 wrote to memory of 2724	2244	PerX.exe	33
PID 2244 wrote to memory of 2724	2244	PerX.exe	33
PID 2244 wrote to memory of 2724	2244	PerX.exe	33

C:\Users\Admin\AppData\Local\Temp\6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6166359117594c83d2b01a3ab6420a7b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PerX.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PerX.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\28463\CAQF.exe
      "C:\Windows\system32\28463\CAQF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\PerX.exe
      "C:\Users\Admin\AppData\Local\Temp\PerX.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PerX.exe

Filesize
262KB

MD5
e974a7ed7fa0c096aa1f59ae6d8cce72

SHA1
24b215e712fa745ac94d033ee7c5a556a5df0dab

SHA256
d042a6add7b1547e5165d0c0c0f0eb21ee778b44c27e0a2bbce9f02b79156c0b

SHA512
156cfa7b252d8737a4d3fdc3f8095353051d7f15e1293d6c1213de36ea44d526fd94e75765b3a1f75ed83f9b02dd4329b9eab466e9188fea107e622d0c1d6ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PerX.exe

Filesize
768KB

MD5
5353f2b0bfb1077ad9008a6309ab6819

SHA1
1d068ee7a8e6db6a62450176f4dacd3eb066bd2c

SHA256
beb79f59fb44b406d3d627e193f7ff840801790075f9e2aeb505a984187d63bd

SHA512
64b286872bc4ec431ca3ae83def9754b1a99f6c58f065289133395e7bc356feb860d7d6f202645b1f55f25631d4250a64bb7e657c13b3b99acf3ef292b919c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
8338a452f64f96c644e6f37d1ada3a21

SHA1
5d34f8144193bcde7dbc46b24085b8bdbeb3d4e7

SHA256
2649ef5ae43a01c18e0e17d8e88f86990ba93fb5af79d80ae5dca8a9f277e63a

SHA512
3031b74836c53ab45ea3a9a102272c45e4d43f9f0d7aad6d1672375053f9125c711c2078ecdf04156bd43234f7387fdab16bbca960791519432a7ddfbbbe87ee

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
394KB

MD5
10e53b4b4502bab5358837983b15d83e

SHA1
2845bb0d6667be127bab7676b6800994239850ce

SHA256
e91b458384ad38f5e81766bc7ae213025f27f30c69b72550731159aa60d62910

SHA512
35b2071598af5840ed0843e39f81b778660310725975c2b2cc8cd20ad37954bea04c4a2f173cdaffa467e9585b7f573b99fd444f659d11360bd7a8219c851cd7

Download Submit
C:\Windows\SysWOW64\28463\CAQF.001

Filesize
486B

MD5
ad9ed68e26b6ed33edbf4fc417179788

SHA1
97680296a72d93623450dc73e9d0a81ddd60270d

SHA256
84b9c2b1ffe4acdaeb0e1cb6a25e0bab7e9122e83d9718635330ac5385c58636

SHA512
fbc9865204f5c004cd6ad2d10eab93044b60418ab6e22182b519b2eec3feee8dfe14421d2fa6382bb0b72742835f2efec78b566a21a788b7d1008dcbe5b0ab37

Download Submit
C:\Windows\SysWOW64\28463\CAQF.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
\Users\Admin\AppData\Local\Temp\@A257.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
a455ca431e66975d886f1a8cfee8cb9f

SHA1
95868529973c77199b76ec593a686d9b324dee8b

SHA256
6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

SHA512
53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

Download Submit
\Windows\SysWOW64\28463\CAQF.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
\Windows\SysWOW64\28463\CAQF.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
memory/2724-58-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2724-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2964-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download