ardamax | 903a315f8e05abfbdc9cf2b32f5c23c770505d5dcb1190c5e17a8117287ce4f4

Analysis

max time kernel
135s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
Size

1.3MB
MD5

6d9645853f6a14a564f7be1110327e6f
SHA1

fb1846009cd0065061cb36c8d263ed6c1fcbd8cd
SHA256

903a315f8e05abfbdc9cf2b32f5c23c770505d5dcb1190c5e17a8117287ce4f4
SHA512

da0c7807bdd5a817f2474f0a3d2eafc32281ed9d15ce33f1d7aad9fc8f41629cac5e303ce905fc97c73f1125e2eadf8a1ec3e3795ad5226d8e93c39a1951df28
SSDEEP

24576:lJF4vJ6FKrNSxFYM7xgZniP6MLeFFRYnQwzOR6cBWMy/vYKiGfAbZhDAv4:lJF4xSxyMlgozev0QwuWXPNIlE4

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023439-24.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
2932	Install.exe
2756	Kermit.exe
1292	LDB.exe

Loads dropped DLL 4 IoCs

pid	Process
2756	Kermit.exe
1292	LDB.exe
2756	Kermit.exe
2756	Kermit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LDB Start = "C:\\Windows\\SysWOW64\\MCBFIX\\LDB.exe"	LDB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MCBFIX\LDB.004	Install.exe
File created	C:\Windows\SysWOW64\MCBFIX\LDB.001	Install.exe
File created	C:\Windows\SysWOW64\MCBFIX\LDB.002	Install.exe
File created	C:\Windows\SysWOW64\MCBFIX\LDB.003	Install.exe
File created	C:\Windows\SysWOW64\MCBFIX\LDB.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\MCBFIX\	LDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kermit.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023432-12.dat	nsis_installer_1
behavioral2/files/0x0008000000023432-12.dat	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1292	LDB.exe
Token: SeIncBasePriorityPrivilege	1292	LDB.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1292	LDB.exe
1292	LDB.exe
1292	LDB.exe
1292	LDB.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2932	2884	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe	83
PID 2884 wrote to memory of 2932	2884	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe	83
PID 2884 wrote to memory of 2932	2884	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe	83
PID 2884 wrote to memory of 2756	2884	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe	84
PID 2884 wrote to memory of 2756	2884	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe	84
PID 2884 wrote to memory of 2756	2884	6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe	84
PID 2932 wrote to memory of 1292	2932	Install.exe	85
PID 2932 wrote to memory of 1292	2932	Install.exe	85
PID 2932 wrote to memory of 1292	2932	Install.exe	85

C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\MCBFIX\LDB.exe
    "C:\Windows\system32\MCBFIX\LDB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1292
- C:\Users\Admin\AppData\Local\Temp\Kermit.exe
  "C:\Users\Admin\AppData\Local\Temp\Kermit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
972KB

MD5
7852b729c3ac6da81dc48173058c1e51

SHA1
f66fb8c96bdaf5e4f6901280f1b4096b31efc496

SHA256
9f8a15c488dc42ee3694996d10df1cc734107b62afb526ef2a157f45bc63ee26

SHA512
72a0a8359b02a832eb2d493bf663ad8b312ca2bc25b69e55ccd26b3b4879a01e379712e49dc2ffb2711dab49e595713909549c225a2f6654533904660f4add09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kermit.exe

Filesize
380KB

MD5
6146c7becde8f5aa3f06c56a5c7876c6

SHA1
599b289ae7ddd6fd3a1e3ded4b6a7db0b627603b

SHA256
94b2bd510e45e2e4611d8106a88fe26d3beafae9acb5f1f94d9042a705605e84

SHA512
4260e85d70b98855ebb234ba180a3056d4bc181ba4f3628c16a6953474e50d9001178cf933f4dd8462e70e438e51df9e380724ce8daa59c62505ab4d0e62c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx730F.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx730F.tmp\ioSpecial.ini

Filesize
729B

MD5
5fa641f0f97ef5509b876afc3624ca14

SHA1
f8d5897f4bc1e897e9e95da59dda09b8fcad3634

SHA256
b9302a4bf6dd9f707b3cdcd4ac9170a6d0b8bfcca7b26646b9635f4bec72c193

SHA512
7b68e8e4e7cfdd5c59f8a8852539a89e0124bcc3f4034eacb4ebf3e1dd8f931f08365d4eaca49132c5bd9a0822b1f74490a12f17859945b093f627b9c19e9400

Download Submit
C:\Windows\SysWOW64\MCBFIX\LDB.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
C:\Windows\SysWOW64\MCBFIX\LDB.002

Filesize
43KB

MD5
93df156c4bd9d7341f4c4a4847616a69

SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1

SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

Download Submit
C:\Windows\SysWOW64\MCBFIX\LDB.003

Filesize
65KB

MD5
cefd6e9c8a039ab9a7833414dfb03f76

SHA1
2a026d0514e0119d0fd545a0d2f6deb198806b70

SHA256
4d71cf9a598c7babd938c2635a755441da18502118cc3336ae25389510c7d01f

SHA512
efcfd6654bf0c45158f43a8c8fd45cc8d40cac227926faa0cd368f1d8012df1bc271f3c7d5db539b1bf282087e533e5a809cf040ac087fcfab58bb320c5a5502

Download Submit
C:\Windows\SysWOW64\MCBFIX\LDB.004

Filesize
1KB

MD5
12184213127875905ed91975d1972e48

SHA1
42431004f6a147e75875361ee8dc029fb5add072

SHA256
c2c838072aa40b9b29ce12e0051c11bc2b0b46efc814b4462ac4502136f4e983

SHA512
7c8a48270f8804205ced0cbfefd4ce63fc7cf53bdf866416d941e805655d637f31f3650d24da3b6fbe7407e3ce43d3a7f14658b28adb457281e1d552d654b8f9

Download Submit
C:\Windows\SysWOW64\MCBFIX\LDB.exe

Filesize
1.7MB

MD5
3cd29c0df98a7aeb69a9692843ca3edb

SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2

SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

Download Submit
memory/2756-111-0x0000000002360000-0x0000000002375000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads