ardamax | ce374345ae6308cd299882d3108ed32d3c53a4b7bf61b359e587dc06d43f6fd4

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe
Size

2.1MB
MD5

d49e7fe0d0899b6567575440384a3427
SHA1

ff40f3a782140c0e10cd774a659e7712262b7359
SHA256

ce374345ae6308cd299882d3108ed32d3c53a4b7bf61b359e587dc06d43f6fd4
SHA512

1c7979378970dd206f35dfe261a785330177207e52fe0f00719fe5acffd0dfd7c194e3a0c712edd0b384529493f54d56220582864aa880d394fba70952dfe313
SSDEEP

24576:O5/QZs3lTfpZ/YzqsTJG0KmnFDNw6yX+DA5ZmDSvcBcLCEqLsYp1srjXzRTPlIod:7OFQ9bnzqOE+G3WsjPM0bf1YBjMKC

Score

10^/10

ardamax discovery keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018be5-29.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2692	Install.exe
1576	JMDF.exe

Loads dropped DLL 12 IoCs

pid	Process
2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe
2692	Install.exe
2692	Install.exe
2692	Install.exe
2692	Install.exe
2692	Install.exe
1576	JMDF.exe
1576	JMDF.exe
1576	JMDF.exe
2588	DllHost.exe
1576	JMDF.exe
2588	DllHost.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2420-5-0x0000000000400000-0x0000000000551000-memory.dmp	themida
behavioral1/memory/2420-7-0x0000000000400000-0x0000000000551000-memory.dmp	themida
behavioral1/memory/2420-44-0x0000000000400000-0x0000000000551000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JMDF Agent = "C:\\Windows\\SysWOW64\\28463\\JMDF.exe"	JMDF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\JMDF.006	Install.exe
File created	C:\Windows\SysWOW64\28463\JMDF.007	Install.exe
File created	C:\Windows\SysWOW64\28463\JMDF.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	JMDF.exe
File created	C:\Windows\SysWOW64\28463\JMDF.001	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JMDF.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\0\win32	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\TypeLib\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\TypeLib\ = "{CB8E304B-D121-E4E8-C72A-973292C02BD7}"	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\ProgID\ = "HxDS.HxSession.1"	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\0\win32\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\HELPDIR\	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\InprocServer32	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\Programmable	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\FLAGS\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\HELPDIR\ = "%SystemRoot%\\system32"	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\Implemented Categories	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\Implemented Categories\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\InprocServer32\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\0	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\shgina.dll"	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\HELPDIR	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\ProgID	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\ = "SHGINA 1.0 Type Library"	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\FLAGS\ = "0"	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\VersionIndependentProgID\ = "HxDS.HxSession"	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\ = "Zaworiwa Cogizac Cizeh Class"	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\0\	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\TypeLib	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\VersionIndependentProgID	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\VersionIndependentProgID\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\ProgID\	JMDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D35E272A-3E54-42C2-CFB2-1DE0092BF0C8}\Programmable\	JMDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CB8E304B-D121-E4E8-C72A-973292C02BD7}\1.0\FLAGS	JMDF.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1576	JMDF.exe
Token: SeIncBasePriorityPrivilege	1576	JMDF.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2588	DllHost.exe
2588	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe
1576	JMDF.exe
1576	JMDF.exe
1576	JMDF.exe
1576	JMDF.exe
1576	JMDF.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2692	2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2692	2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2692	2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2692	2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2692	2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2692	2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2692	2420	d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe	30
PID 2692 wrote to memory of 1576	2692	Install.exe	32
PID 2692 wrote to memory of 1576	2692	Install.exe	32
PID 2692 wrote to memory of 1576	2692	Install.exe	32
PID 2692 wrote to memory of 1576	2692	Install.exe	32
PID 2692 wrote to memory of 1576	2692	Install.exe	32
PID 2692 wrote to memory of 1576	2692	Install.exe	32
PID 2692 wrote to memory of 1576	2692	Install.exe	32

C:\Users\Admin\AppData\Local\Temp\d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d49e7fe0d0899b6567575440384a3427_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\28463\JMDF.exe
    "C:\Windows\system32\28463\JMDF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1576

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMG_3880.JPG

Filesize
31KB

MD5
f8591d8094d49e0fcba0a4426e906c88

SHA1
506ae831756abe09cea5de6d8e407d7893bd5293

SHA256
72ec02b2eafeea05fafbb847e66645bd9a7044d2d93feff252b3c75ca1e1bb9d

SHA512
44a922f5b6e00795ce64c71dffe7dda15b931087fa9d24f05847a36117b973bf039a052597600defa2e3a97915ad7630fd55840e71aaf5edbe36ed9508cd7595

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
828586f5f9fd7e6bd99401fe7cece954

SHA1
8eb70f4af2cec3c3dd3ec1491913369e99b7b874

SHA256
02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

SHA512
16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

Download Submit
C:\Windows\SysWOW64\28463\JMDF.001

Filesize
500B

MD5
1f53cbff2c33b78ee561ba15222dde5d

SHA1
89b697ce857568a7bb5b5c6087444c2d19990be0

SHA256
47e7084acdbd49a9f7528cdaee5d81c29300f38722647fb33b739f25584e9b94

SHA512
196b7318612eca96be06169ce1348eae7b4d142a8d8268dba55b678a0009ddef6d175c15913dc4c78bb995362265df43989c9efe81d617a5e6f4c27907471470

Download Submit
C:\Windows\SysWOW64\28463\JMDF.006

Filesize
8KB

MD5
69db8c925f2dd8136d956a086ed1ee41

SHA1
9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

SHA256
984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

SHA512
fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

Download Submit
C:\Windows\SysWOW64\28463\JMDF.007

Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@954.tmp

Filesize
4KB

MD5
ccf39f70a662f70e7cae4cfc81255c44

SHA1
00177d41252c2a5322be8e54567a845217072e2c

SHA256
4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

SHA512
2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
818KB

MD5
35ae2e53b845ad6d2c849b252c6698b6

SHA1
12afc3674e1c7c6ebc2e8b200de6595d55723d69

SHA256
24c783200ff674d6ed69744b153963a7f5003cd03a9ae75bdb83aa0da9c612bc

SHA512
5b59e87257456e151d9529527b27d593de8ee5fee11b7d5c99280f7a7810092cfacf01d41bafa5612fd73844868e8451ca786dbff4ab672c1d07e036d05c0922

Download Submit
\Windows\SysWOW64\28463\JMDF.exe

Filesize
648KB

MD5
c5ca2c96edc99cf9edf0f861d784209a

SHA1
6cb654b3eb20c85224a4849c4cc30012cabbdbaa

SHA256
0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

SHA512
aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

Download Submit
memory/1576-43-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1576-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1576-62-0x00000000008D0000-0x00000000009AF000-memory.dmp

Filesize
892KB

Download
memory/1576-61-0x00000000008D0000-0x00000000009AF000-memory.dmp

Filesize
892KB

Download
memory/1576-60-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1576-46-0x00000000008D0000-0x00000000009AF000-memory.dmp

Filesize
892KB

Download
memory/1576-45-0x00000000008D0000-0x00000000009AF000-memory.dmp

Filesize
892KB

Download
memory/2420-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2420-44-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2420-7-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2420-5-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2420-2-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2420-1-0x0000000000560000-0x000000000064B000-memory.dmp

Filesize
940KB

Download
memory/2420-27-0x0000000004950000-0x0000000004952000-memory.dmp

Filesize
8KB

Download
memory/2420-42-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2588-28-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2692-48-0x0000000002B00000-0x0000000002B02000-memory.dmp

Filesize
8KB

Download
memory/2692-36-0x0000000002940000-0x0000000002A1F000-memory.dmp

Filesize
892KB

Download