ardamax | c130c171760e4c8d691b8a0b4cc53496236abfcebca0cfb9be19221270f52480

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Size

1.1MB
MD5

c88eba3feb82c4957973a98b6131045e
SHA1

a0b1814828e9d8d5f99b515d0ff6fce9c4271fd8
SHA256

c130c171760e4c8d691b8a0b4cc53496236abfcebca0cfb9be19221270f52480
SHA512

db6ae289e82c139a0fe9ac6ec39c9caff946b6f9a22384d5fb57cd69ca48cca43542c28f2fa44739ab05b226c892835d4821d896c072cba184e1246d2ebe1152
SSDEEP

24576:VrQ7fNJzeihkp75qOk6f3s0lai7GthFM9wG4jRJ3stZKQ56:GhBeiKTNvs0laiithFuwG41JqB56

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a34d-626.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1288	Install.exe
2728	GQPT.exe
1604	WerFault.exe

Loads dropped DLL 12 IoCs

pid	Process
1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
1288	Install.exe
1288	Install.exe
1288	Install.exe
2728	GQPT.exe
2728	GQPT.exe
2728	GQPT.exe
2728	GQPT.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\GQPT.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\GQPT.001	Install.exe
File created	C:\Windows\SysWOW64\28463\GQPT.006	Install.exe
File created	C:\Windows\SysWOW64\28463\GQPT.007	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GQPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe
1604	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Token: 33	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Token: 33	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
Token: 33	1288	Install.exe
Token: SeIncBasePriorityPrivilege	1288	Install.exe
Token: SeDebugPrivilege	1604	WerFault.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1288	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1288	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1288	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1288	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1288	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1288	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1288	1972	c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe	30
PID 1288 wrote to memory of 2728	1288	Install.exe	31
PID 1288 wrote to memory of 2728	1288	Install.exe	31
PID 1288 wrote to memory of 2728	1288	Install.exe	31
PID 1288 wrote to memory of 2728	1288	Install.exe	31
PID 1288 wrote to memory of 2728	1288	Install.exe	31
PID 1288 wrote to memory of 2728	1288	Install.exe	31
PID 1288 wrote to memory of 2728	1288	Install.exe	31
PID 2728 wrote to memory of 1604	2728	GQPT.exe	32
PID 2728 wrote to memory of 1604	2728	GQPT.exe	32
PID 2728 wrote to memory of 1604	2728	GQPT.exe	32
PID 2728 wrote to memory of 1604	2728	GQPT.exe	32
PID 2728 wrote to memory of 1604	2728	GQPT.exe	32
PID 2728 wrote to memory of 1604	2728	GQPT.exe	32
PID 2728 wrote to memory of 1604	2728	GQPT.exe	32

C:\Users\Admin\AppData\Local\Temp\c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c88eba3feb82c4957973a98b6131045e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\20.1.11.06\2011.06.25T21.39\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\20.1.11.06\2011.06.25T21.39\Native\STUBEXE\@SYSTEM@\28463\GQPT.exe
    "C:\Windows\system32\28463\GQPT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\20.1.11.06\2011.06.25T21.39\Native\STUBEXE\@SYSTEM@\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 328
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\GQPT.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
\Users\Admin\AppData\Local\Temp\@7D6A.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\20.1.11.06\2011.06.25T21.39\Native\STUBEXE\@SYSTEM@\28463\GQPT.exe

Filesize
17KB

MD5
61fc1a846f0662883d8a2dc20b36b1fc

SHA1
b823c666fb127c641f8ba67be19a7e7a32660220

SHA256
b84424d8a68b763a95ca2a810d04781f255b7cae4b4be18226c99a8ff09cb1c0

SHA512
8c5f2f6eb296172a425a84c47dfe1fbff785a289ae6560b30c321ff1c3eeb04a944c5a8912cd66a26ed5286a72074817d010bf8ebef4ab2ee7a7c1e18e6caa23

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\20.1.11.06\2011.06.25T21.39\Native\STUBEXE\@SYSTEM@\WerFault.exe

Filesize
17KB

MD5
36e3fa60e628d7cbd22bc1dc8ccd6a11

SHA1
7ae9f7da10ee11131aa0f48c8be00ad0a59bce11

SHA256
af12be88da7a4dff7849f9af96130976e137d2c854e699bedccb778dc0842e83

SHA512
0ab35aedae2c77e64f89be4280296cdbda268f91e78d8cdfd07f417f133d4f8fc003f2f40eea3f4b3bf7c78d56bc14c31d0c45616201e25070d53d04f86c4346

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\20.1.11.06\2011.06.25T21.39\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe

Filesize
17KB

MD5
0ef59285d880acd4713ef5dbec6dddd0

SHA1
be849a5296016c8ed01ea34af4ad312007b651b5

SHA256
41a2fa8d4c05f9b86e5c5797d758439926ea08d42421953c6b626ac5ce2a470a

SHA512
84907bf9626e95adcde69c4c197b0f04ba949def7c5cd3e922c75cf38743ea5a85ff5d6aba02c771b6c9f36dbaee06609e21d8207bccb45f8f26fd12bb3228d8

Download Submit
memory/1288-635-0x0000000003B50000-0x0000000003C2F000-memory.dmp

Filesize
892KB

Download
memory/1604-1268-0x0000000002850000-0x000000000292F000-memory.dmp

Filesize
892KB

Download
memory/1604-1269-0x0000000002850000-0x000000000292F000-memory.dmp

Filesize
892KB

Download
memory/1604-1267-0x0000000002850000-0x000000000292F000-memory.dmp

Filesize
892KB

Download
memory/1604-1263-0x00000000035D0000-0x00000000036AF000-memory.dmp

Filesize
892KB

Download
memory/1604-1259-0x0000000002850000-0x000000000292F000-memory.dmp

Filesize
892KB

Download
memory/1604-1260-0x0000000002850000-0x000000000292F000-memory.dmp

Filesize
892KB

Download
memory/1604-1261-0x0000000002850000-0x000000000292F000-memory.dmp

Filesize
892KB

Download
memory/1604-1272-0x00000000035D0000-0x00000000036AF000-memory.dmp

Filesize
892KB

Download
memory/1972-54-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-38-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-184-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-222-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-235-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-255-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-271-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-282-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-36-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-239-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-219-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-212-0x0000000077780000-0x0000000077781000-memory.dmp

Filesize
4KB

Download
memory/1972-205-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-204-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-194-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-64-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-60-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-281-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-58-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-56-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-46-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-52-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-50-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-48-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-44-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-42-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-40-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-62-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-34-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-32-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-30-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-28-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-26-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-22-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-20-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-18-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-16-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-14-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-630-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-24-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-0-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-8-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-10-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-1255-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-1-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-2-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-4-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-6-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1972-12-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2728-1265-0x00000000002F0000-0x00000000003CF000-memory.dmp

Filesize
892KB

Download
memory/2728-1266-0x0000000002840000-0x000000000291F000-memory.dmp

Filesize
892KB

Download
memory/2728-1264-0x00000000002F0000-0x00000000003CF000-memory.dmp

Filesize
892KB

Download
memory/2728-948-0x0000000002840000-0x000000000291F000-memory.dmp

Filesize
892KB

Download
memory/2728-876-0x00000000002F0000-0x00000000003CF000-memory.dmp

Filesize
892KB

Download
memory/2728-875-0x00000000002F0000-0x00000000003CF000-memory.dmp

Filesize
892KB

Download