ardamax | cd13e5b22e90c5c4c5b3b8eb311b41ddcca0a23bd581d4d18fc60ec9b098d788

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe
Size

2.2MB
MD5

ccc786f02cffcb6a1e949e48be258f3f
SHA1

5cc6d3b8cd1dfa2648e200459e20a7ddb4af50aa
SHA256

cd13e5b22e90c5c4c5b3b8eb311b41ddcca0a23bd581d4d18fc60ec9b098d788
SHA512

08e0a27ac324b393ef8a85d02e2011d026b0f4fca5262a79e6ce0373e354c5758e6ad3c22ea0981b431d97c1f13bff74bc1baeb1bdaa6072fa7d8a3cd336cbc0
SSDEEP

49152:CdApIMyoXpdbYaEV/ycnuN7P+Xgl4uGZJbO5SR7w/F2gh06r:CdATFuQnFP+Xy4uGTbO5SRzq

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000191c6-22.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2164	TESTAD~2.EXE
3064	NWKH.exe
2772	ANTI_V~1.EXE
2808	INS14A9.tmp

Loads dropped DLL 14 IoCs

pid	Process
2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe
2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe
2164	TESTAD~2.EXE
2164	TESTAD~2.EXE
2164	TESTAD~2.EXE
2164	TESTAD~2.EXE
3064	NWKH.exe
2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe
2772	ANTI_V~1.EXE
2772	ANTI_V~1.EXE
2772	ANTI_V~1.EXE
2772	ANTI_V~1.EXE
2808	INS14A9.tmp
2808	INS14A9.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NWKH Agent = "C:\\Windows\\SysWOW64\\28463\\NWKH.exe"	NWKH.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\NWKH.001	TESTAD~2.EXE
File created	C:\Windows\SysWOW64\28463\NWKH.006	TESTAD~2.EXE
File created	C:\Windows\SysWOW64\28463\NWKH.007	TESTAD~2.EXE
File created	C:\Windows\SysWOW64\28463\NWKH.exe	TESTAD~2.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	TESTAD~2.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TESTAD~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NWKH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANTI_V~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INS14A9.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	INS14A9.tmp

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2164	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2164	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	31
PID 2164 wrote to memory of 3064	2164	TESTAD~2.EXE	32
PID 2164 wrote to memory of 3064	2164	TESTAD~2.EXE	32
PID 2164 wrote to memory of 3064	2164	TESTAD~2.EXE	32
PID 2164 wrote to memory of 3064	2164	TESTAD~2.EXE	32
PID 2164 wrote to memory of 3064	2164	TESTAD~2.EXE	32
PID 2164 wrote to memory of 3064	2164	TESTAD~2.EXE	32
PID 2164 wrote to memory of 3064	2164	TESTAD~2.EXE	32
PID 2460 wrote to memory of 2772	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	33
PID 2460 wrote to memory of 2772	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	33
PID 2460 wrote to memory of 2772	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	33
PID 2460 wrote to memory of 2772	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	33
PID 2460 wrote to memory of 2772	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	33
PID 2460 wrote to memory of 2772	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	33
PID 2460 wrote to memory of 2772	2460	ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe	33
PID 2772 wrote to memory of 2808	2772	ANTI_V~1.EXE	34
PID 2772 wrote to memory of 2808	2772	ANTI_V~1.EXE	34
PID 2772 wrote to memory of 2808	2772	ANTI_V~1.EXE	34
PID 2772 wrote to memory of 2808	2772	ANTI_V~1.EXE	34
PID 2772 wrote to memory of 2808	2772	ANTI_V~1.EXE	34
PID 2772 wrote to memory of 2808	2772	ANTI_V~1.EXE	34
PID 2772 wrote to memory of 2808	2772	ANTI_V~1.EXE	34

C:\Users\Admin\AppData\Local\Temp\ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccc786f02cffcb6a1e949e48be258f3f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TESTAD~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TESTAD~2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\28463\NWKH.exe
    "C:\Windows\system32\28463\NWKH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANTI_V~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANTI_V~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\INS14A9.tmp
    C:\Users\Admin\AppData\Local\Temp\INS14A9.tmp /SL3 $501EE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANTI_V~1.EXE 1732736 1736150 61952
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adbec81b510dcfe49835f95940ef961d

SHA1
77940f6e46fbd5f53de23bd49afe9172470769d0

SHA256
466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

SHA512
ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

Download Submit
C:\Windows\SysWOW64\28463\NWKH.001

Filesize
368B

MD5
bd0ec59a6c16533941a71056979887bd

SHA1
e0b3e81d794349e36391c50e3f200328bffbb9d0

SHA256
da6d7c1c1a26ca417ba045588218a491f0d558ada9aa30f50ea3639bdff03c92

SHA512
8d4489e95b948a73d5922d133abf783de7d1d7425dbe31dd01129a14d52f9cc8a7295a1a6f6f411109ff6e655931ee1ae982744a67f38adff676e35a065a6ffe

Download Submit
C:\Windows\SysWOW64\28463\NWKH.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
C:\Windows\SysWOW64\28463\NWKH.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
\Users\Admin\AppData\Local\Temp\@FCC6.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
\Users\Admin\AppData\Local\Temp\INS14A9.tmp

Filesize
377KB

MD5
ef80f42a048f92263f758f14b09fa30d

SHA1
e250058636dee689d6a935d71c0f462e10457239

SHA256
a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e

SHA512
933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ANTI_V~1.EXE

Filesize
1.7MB

MD5
d6a786d5afb7f58d4b52a9b994b61465

SHA1
9ab6f76671d7f6d07e3f77930d94cd1a9c1a374c

SHA256
5150ed7b0f3b3367e028ad7962d095f449ef0aa631116c3919cf716bc34189ea

SHA512
15c02a9d74d82321aaddfb0fc9dfa80625d52f85b68c78d0706f4f94346c193adaaf14f3637ea3c259e6f77fb2ca62e0246275b09bb2a4fc220b6a9a8abbf6fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TESTAD~2.EXE

Filesize
505KB

MD5
de172fb5589c7488bb437f669f6ccacd

SHA1
e277052a2222246421154739e276310ad35df70e

SHA256
666655f521b19c1fda4e68ba0255c896171a121ee9d637213e4261df4f8389bc

SHA512
0772caa5f6499b9b58122427196305f57207276e56bab6d55ce383cdeb0f7611f8b40c782f67fa6672004355a568df3a9b8c9316405348176eaea937e1266549

Download Submit
\Users\Admin\AppData\Local\Temp\is-LL7DC.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Windows\SysWOW64\28463\NWKH.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/2772-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2808-58-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads