ardamax | ea15114bf7a597c69f61fbe6c6677e1b1d0adc01f3340ece18b0c2fc981845a4

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
Size

1.5MB
MD5

bfb15bb6d83aae45602945097c96e901
SHA1

753a4994302b7d7f6ed908ebbaf872c036d50f92
SHA256

ea15114bf7a597c69f61fbe6c6677e1b1d0adc01f3340ece18b0c2fc981845a4
SHA512

ed8eab7ebb96fd3c1265c4be40d2e5fb9394740e060572a51bacaa3e0949812ee483b9fe970274602146c2a9d0ed7f1ffc7368f1141ec0774932948fd2da59a7
SSDEEP

24576:MHvZT6pIATHLBxh0JYxAxov8JAeAywXMlErdGy3R8a3vaAnYlyf:UBT6pI0H1mYxA0ywX5rf5x7

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023452-10.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	KOU.exe

Executes dropped EXE 2 IoCs

pid	Process
936	KOU.exe
4716	NNN Turbo Injector V3.0.exe

Loads dropped DLL 3 IoCs

pid	Process
936	KOU.exe
836	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
4716	NNN Turbo Injector V3.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KOU Start = "C:\\Windows\\SysWOW64\\ESETPI\\KOU.exe"	KOU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ESETPI\	KOU.exe
File created	C:\Windows\SysWOW64\ESETPI\KOU.004	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESETPI\KOU.001	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESETPI\KOU.002	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESETPI\AKV.exe	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESETPI\KOU.chm	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESETPI\KOU.003	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESETPI\KOU.exe	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KOU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NNN Turbo Injector V3.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe
4716	NNN Turbo Injector V3.0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	936	KOU.exe
Token: SeIncBasePriorityPrivilege	936	KOU.exe
Token: SeIncBasePriorityPrivilege	936	KOU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
936	KOU.exe
936	KOU.exe
936	KOU.exe
936	KOU.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 936	836	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe	84
PID 836 wrote to memory of 936	836	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe	84
PID 836 wrote to memory of 936	836	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe	84
PID 836 wrote to memory of 4716	836	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe	85
PID 836 wrote to memory of 4716	836	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe	85
PID 836 wrote to memory of 4716	836	bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe	85
PID 936 wrote to memory of 4280	936	KOU.exe	99
PID 936 wrote to memory of 4280	936	KOU.exe	99
PID 936 wrote to memory of 4280	936	KOU.exe	99

C:\Users\Admin\AppData\Local\Temp\bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfb15bb6d83aae45602945097c96e901_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\ESETPI\KOU.exe
  "C:\Windows\system32\ESETPI\KOU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ESETPI\KOU.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4280
- C:\Users\Admin\AppData\Local\Temp\NNN Turbo Injector V3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\NNN Turbo Injector V3.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NNN Turbo Injector V3.0.exe

Filesize
657KB

MD5
c06a2ced5dbdeb0d716fb20b834c5879

SHA1
99a0ba3ae771bb247e17bd2a56f66b2b2c45fe81

SHA256
b26512b8168dede558f3117ea041995f06c39ff1ea658aeb6453dcbb48b7e675

SHA512
97ed06e53edfeb449bcccdc0cd6ff07c2350881e74d86b513a6e7c4ccabb5a4f6c3385e650181cc816b690daa0988cf525caa4343eb70561a10ba25b430f378f

Download Submit
C:\Windows\SysWOW64\ESETPI\AKV.exe

Filesize
461KB

MD5
eed8ebfafcd3dcb0f88b237388fba8df

SHA1
620767d6de979bf360e3a188ed03534c769f337b

SHA256
dc3c5152d69547ffb583574707025eee74af46882cdf851221f66b1e81d2ed90

SHA512
28148a2bfdbcaf61f5f664c6b4dd0377d151d775ad001818da2bba6327f02020fabb016a4c8aaa5f841ea1dc1a6d8419bca55bc74924a657476e15abbd8dabb3

Download Submit
C:\Windows\SysWOW64\ESETPI\KOU.001

Filesize
61KB

MD5
34c92b717ae97bc926f56ba56a44f24a

SHA1
ccaf3c6bf0c73564d0bf19c92b8d25008ffffbfa

SHA256
6e60d85b35f5e9222375f606e4116b38364a4a943596ddb0d914cf1cf4791774

SHA512
2a9eb63837db128c9e036976d903ebd925e6952ab6bf4efa0e370e79f9fefe0ed6e44e4ab444f56ace1149f4dd14797f568e8827e7cebd1e5581dcf309f9745a

Download Submit
C:\Windows\SysWOW64\ESETPI\KOU.002

Filesize
43KB

MD5
246761f047f6aa98d6eaad66a2f883b9

SHA1
42474a5b23d03e094103b62fd7e820457cf807c4

SHA256
3774021a3cdf32d23fd5921cea4de8c26b08f0d601f3097550a7e8af7b00f111

SHA512
d39d0913975ca2f8d585b72667d76de09ce7817f6de26ef21a8b62edc25d7fab39785f036992d19ca5700f5fc2ee377e696142c41529f23f503e8eefff393144

Download Submit
C:\Windows\SysWOW64\ESETPI\KOU.003

Filesize
68KB

MD5
9f8cfef5ec715a3a2c278926683ae8c7

SHA1
b575d77c1cd840ecc5ace3720e0253999826cb43

SHA256
7fb748ba7393ac637a7bfd6bfe42e7246112ee4f80b14a3640a12f3a530270ac

SHA512
664da9b5fc7a716d4c5ff6cb790a2f0f6002d193c13f32460647e2e6ddefb0f45dc3731ae1af4164eb0d3089b0c2f69eb74e07fd4fead30458087c06f9a09d26

Download Submit
C:\Windows\SysWOW64\ESETPI\KOU.004

Filesize
1KB

MD5
2c165957af665d2ccadf933f0840c592

SHA1
eb2afd51601b4fa028d3aa33d453bd5075893686

SHA256
888ea727d43bd243075bbcc0c77e0f4c0cc32c4aef24afdb310a72ee346933b9

SHA512
77c6eba430fa8dbc6eac4893c16d4318bfd4487b68e91ef1d8402cc054d00206310e50cf0f6637cd9104bcd6d33a52b70f5db7dba64e1c680713e84bb496752e

Download Submit
C:\Windows\SysWOW64\ESETPI\KOU.chm

Filesize
20KB

MD5
164ea98e2f64635f8a097870781da36c

SHA1
7cd9294657902f6bc199007e30f6514fce66f666

SHA256
c69e694d6db9a958a99901afb86a8b864a17b510a5dcdd1c176f53abf0c61a61

SHA512
4e19842a0d959876cdac60fd145fa36f2d98650b843c6faea2b01e205b2f0ce262b45c1c60fbf483320f012d4c00b96dff36e72d27ecbe9133f09d6618cbde20

Download Submit
C:\Windows\SysWOW64\ESETPI\KOU.exe

Filesize
1.5MB

MD5
9ab9b7b74790b7bb2798dd2b26f4a913

SHA1
e8ffa981a0149aa6441dcb0dd42f7baf6eb773a2

SHA256
df1c8d608ebd300889cf21c3bda6d5dd2574d68e1f530cc5a885449a22177a75

SHA512
ffffe21d8cc244aacaaba2eb13cc77ad800a196ecf6f77637a8a1f6d456cabb8331970ab358ab21dcf9832343379b4f0486da3990d45eb2f2765e55b7404739e

Download Submit
memory/936-25-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/936-33-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4716-32-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4716-35-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4716-34-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4716-46-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download