ardamax | 6b2077106846bc0b70bc937c5cf90284d732c20d9d6f199295688c593534d08d

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe
Size

626KB
MD5

8c075d528f02e7c94193796d42f4d596
SHA1

03039ac299d7bcf9253ac1412cdd7f7659fb5c0c
SHA256

6b2077106846bc0b70bc937c5cf90284d732c20d9d6f199295688c593534d08d
SHA512

27689a2176059c20d742d68405f82662d0cab1393c2cac260ae20aeec6f7bd4144a57b3367eed12ddefdc0b7dc56ebb9e1be19216ce3e62c4eb6ca885affbaee
SSDEEP

12288:BOE4EjBJ2SDax4D4sYOFDm1nHL5RuJPxAbii+pLmsAUWuVDnodNHL7g6G40NQzD1:UtEVJ2v4nYO2FqmZ+ZKHuVQNHIF40q

Score

10^/10

ardamax aspackv2 discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018660-27.dat	family_ardamax

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000016d29-72.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2108	Install.exe
2112	WNNN.exe
2872	Agbot.exe
2952	agbot.exe

Loads dropped DLL 26 IoCs

pid	Process
1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe
2108	Install.exe
2108	Install.exe
2108	Install.exe
2108	Install.exe
2108	Install.exe
2108	Install.exe
2112	WNNN.exe
2112	WNNN.exe
2112	WNNN.exe
2112	WNNN.exe
2112	WNNN.exe
2108	Install.exe
2108	Install.exe
2108	Install.exe
2108	Install.exe
1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe
1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe
2872	Agbot.exe
2872	Agbot.exe
2872	Agbot.exe
2952	agbot.exe
2952	agbot.exe
2952	agbot.exe
2872	Agbot.exe
2872	Agbot.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WNNN Agent = "C:\\Windows\\SysWOW64\\28463\\WNNN.exe"	WNNN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\WNNN.006	Install.exe
File created	C:\Windows\SysWOW64\28463\WNNN.007	Install.exe
File created	C:\Windows\SysWOW64\28463\WNNN.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	WNNN.exe
File created	C:\Windows\SysWOW64\28463\WNNN.001	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WNNN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2112	WNNN.exe
Token: SeIncBasePriorityPrivilege	2112	WNNN.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2952	agbot.exe
2872	Agbot.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2952	agbot.exe
2872	Agbot.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2112	WNNN.exe
2112	WNNN.exe
2112	WNNN.exe
2112	WNNN.exe
2112	WNNN.exe
2952	agbot.exe
2872	Agbot.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2108	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2108	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2108	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2108	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2108	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2108	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2108	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2112	2108	Install.exe	31
PID 2108 wrote to memory of 2112	2108	Install.exe	31
PID 2108 wrote to memory of 2112	2108	Install.exe	31
PID 2108 wrote to memory of 2112	2108	Install.exe	31
PID 2108 wrote to memory of 2112	2108	Install.exe	31
PID 2108 wrote to memory of 2112	2108	Install.exe	31
PID 2108 wrote to memory of 2112	2108	Install.exe	31
PID 2108 wrote to memory of 2872	2108	Install.exe	32
PID 2108 wrote to memory of 2872	2108	Install.exe	32
PID 2108 wrote to memory of 2872	2108	Install.exe	32
PID 2108 wrote to memory of 2872	2108	Install.exe	32
PID 2108 wrote to memory of 2872	2108	Install.exe	32
PID 2108 wrote to memory of 2872	2108	Install.exe	32
PID 2108 wrote to memory of 2872	2108	Install.exe	32
PID 1976 wrote to memory of 2952	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	33
PID 1976 wrote to memory of 2952	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	33
PID 1976 wrote to memory of 2952	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	33
PID 1976 wrote to memory of 2952	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	33
PID 1976 wrote to memory of 2952	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	33
PID 1976 wrote to memory of 2952	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	33
PID 1976 wrote to memory of 2952	1976	8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c075d528f02e7c94193796d42f4d596_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\28463\WNNN.exe
    "C:\Windows\system32\28463\WNNN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\Agbot.exe
    "C:\Users\Admin\AppData\Local\Temp\Agbot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\agbot.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\agbot.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
394KB

MD5
10e53b4b4502bab5358837983b15d83e

SHA1
2845bb0d6667be127bab7676b6800994239850ce

SHA256
e91b458384ad38f5e81766bc7ae213025f27f30c69b72550731159aa60d62910

SHA512
35b2071598af5840ed0843e39f81b778660310725975c2b2cc8cd20ad37954bea04c4a2f173cdaffa467e9585b7f573b99fd444f659d11360bd7a8219c851cd7

Download Submit
C:\Windows\SysWOW64\28463\WNNN.001

Filesize
456B

MD5
c434f0b948bcbed1517aebaf19ea8a29

SHA1
87b563acc841d75f59966e910d71f3df366bc48c

SHA256
22a58809cdf7d86c1a215ff6673748380205d5ee80480473a93a3551ace4faf4

SHA512
4bd0200bb9d3cefdf50f1ea180d16643dceca8f14b54dd20f68741436f806f0eeecf7b7aa7bb05a0f6089b2e35d7a9955b39b521be8294e5d494b7f5ee165275

Download Submit
\Users\Admin\AppData\Local\Temp\@BA2B.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
527KB

MD5
2777e8235675d1f95056335d29e60a34

SHA1
c56f898e76917aafb7c11a4a721d15af0a15f07e

SHA256
db686549a6f0bc721fe4ea2023fd86c220f3bc3eab37870509e6650d0cd476c2

SHA512
0e81cb99606171a56e25fce8349f7f5696684062a8b26048d4bbbde31adae4d5c8135260a6f5621e581d61e5372fbdd20c0321f7a60ae8c05ee5882f38803263

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\agbot.exe

Filesize
30KB

MD5
e3b337848a3c627279cc071b075b85ac

SHA1
7d46fced11b78ec1a07442dd141a25c087ab60e5

SHA256
df360deca85cb86e6aef88c9472397ac96317b67151e219e940d09a4026c5072

SHA512
954a96d3cfd503230ca1dc2eebd8e5ca3b439000a310d938ce4648adacdb80ed8ab254e77e4456abc46e9b73d94edcdef4e33e70f54ee2886883db4366cbea48

Download Submit
\Windows\SysWOW64\28463\WNNN.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
\Windows\SysWOW64\28463\WNNN.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
\Windows\SysWOW64\28463\WNNN.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
memory/1976-77-0x00000000001F0000-0x000000000020B000-memory.dmp

Filesize
108KB

Download
memory/1976-0-0x0000000001000000-0x000000000113B84F-memory.dmp

Filesize
1.2MB

Download
memory/1976-11-0x0000000001136000-0x0000000001137000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000001000000-0x000000000113B84F-memory.dmp

Filesize
1.2MB

Download
memory/1976-12-0x0000000001000000-0x000000000113B84F-memory.dmp

Filesize
1.2MB

Download
memory/1976-10-0x0000000000860000-0x000000000099C000-memory.dmp

Filesize
1.2MB

Download
memory/1976-78-0x00000000001F0000-0x000000000020B000-memory.dmp

Filesize
108KB

Download
memory/2108-58-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/2872-81-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2872-79-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2872-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-80-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2872-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-83-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2952-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads