ardamax | c6cfc9f16ba8570994eb54f4a5e977eb84d4ec4af6386ee7773320c9ddcd4b33

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
Size

1.5MB
MD5

dba5fc65a87fd0717377dda82d0637ed
SHA1

46cbff17a6f14eaeac9693d5d2fb07c0d1f19b77
SHA256

c6cfc9f16ba8570994eb54f4a5e977eb84d4ec4af6386ee7773320c9ddcd4b33
SHA512

c250fcfe5cedd0004f89fd971ec62f3c2ec9ee56170bb0e62786e7aeb5a9baf6b91c1893677b4d31892fde063eb3e5087a823dea38bda03426efcbbb6969584f
SSDEEP

49152:mBTzGChFU9v4jCw7416BtXH1xrBDhUEs/RPRxFa:JChFUvYCwsYrJ+PrF

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016dd9-8.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2868	PWD.exe
2700	ALLZACK Inject 2.3.exe

Loads dropped DLL 5 IoCs

pid	Process
1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
2868	PWD.exe
2700	ALLZACK Inject 2.3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWD Start = "C:\\Windows\\SysWOW64\\CMBNGT\\PWD.exe"	PWD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CMBNGT\	PWD.exe
File created	C:\Windows\SysWOW64\CMBNGT\PWD.004	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CMBNGT\PWD.001	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CMBNGT\PWD.002	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CMBNGT\AKV.exe	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CMBNGT\PWD.chm	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CMBNGT\PWD.003	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CMBNGT\PWD.exe	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ALLZACK Inject 2.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PWD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe
2700	ALLZACK Inject 2.3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2868	PWD.exe
Token: SeIncBasePriorityPrivilege	2868	PWD.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2868	PWD.exe
2868	PWD.exe
2868	PWD.exe
2868	PWD.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2868	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2868	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2868	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2868	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2700	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	32
PID 1152 wrote to memory of 2700	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	32
PID 1152 wrote to memory of 2700	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	32
PID 1152 wrote to memory of 2700	1152	dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dba5fc65a87fd0717377dda82d0637ed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\CMBNGT\PWD.exe
  "C:\Windows\system32\CMBNGT\PWD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\ALLZACK Inject 2.3.exe
  "C:\Users\Admin\AppData\Local\Temp\ALLZACK Inject 2.3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ALLZACK Inject 2.3.exe

Filesize
598KB

MD5
1b41db30f70666b352a074c773f674b4

SHA1
f4e73a3fae9ebea89d3f17dd982112953e06047b

SHA256
5f477b4976f6886156a129b2751b02dc1051e63b1c0db76b06c1c287102a1f74

SHA512
360224874a09094d5b913d8f6db5d9ba9ac9baaced113da49487b16970c7d82c2e87f7539b372fdd68f2dc4cc5dfd0b3162a24d6fad0122e91e5f39754a772bd

Download Submit
C:\Windows\SysWOW64\CMBNGT\AKV.exe

Filesize
461KB

MD5
eed8ebfafcd3dcb0f88b237388fba8df

SHA1
620767d6de979bf360e3a188ed03534c769f337b

SHA256
dc3c5152d69547ffb583574707025eee74af46882cdf851221f66b1e81d2ed90

SHA512
28148a2bfdbcaf61f5f664c6b4dd0377d151d775ad001818da2bba6327f02020fabb016a4c8aaa5f841ea1dc1a6d8419bca55bc74924a657476e15abbd8dabb3

Download Submit
C:\Windows\SysWOW64\CMBNGT\PWD.002

Filesize
43KB

MD5
246761f047f6aa98d6eaad66a2f883b9

SHA1
42474a5b23d03e094103b62fd7e820457cf807c4

SHA256
3774021a3cdf32d23fd5921cea4de8c26b08f0d601f3097550a7e8af7b00f111

SHA512
d39d0913975ca2f8d585b72667d76de09ce7817f6de26ef21a8b62edc25d7fab39785f036992d19ca5700f5fc2ee377e696142c41529f23f503e8eefff393144

Download Submit
C:\Windows\SysWOW64\CMBNGT\PWD.003

Filesize
68KB

MD5
9f8cfef5ec715a3a2c278926683ae8c7

SHA1
b575d77c1cd840ecc5ace3720e0253999826cb43

SHA256
7fb748ba7393ac637a7bfd6bfe42e7246112ee4f80b14a3640a12f3a530270ac

SHA512
664da9b5fc7a716d4c5ff6cb790a2f0f6002d193c13f32460647e2e6ddefb0f45dc3731ae1af4164eb0d3089b0c2f69eb74e07fd4fead30458087c06f9a09d26

Download Submit
C:\Windows\SysWOW64\CMBNGT\PWD.004

Filesize
1KB

MD5
691ef518f4df2cd5283d332067da0789

SHA1
03dc416ff0412c2899e4dd4de04b19d1106f5a22

SHA256
92c4b0431f0caa5be14c6b3178414ea16e94882b28ddb8f74593a1655fd03941

SHA512
ab07fa1bfbda1aeb66758806e34e1489921944c881e946dce1d9fe9ebe5c8052fa4cea18f8dca397a0dd2e9b54c4779d24ff0ee4f52ddb1b56a6e5cdf2b1cb6a

Download Submit
C:\Windows\SysWOW64\CMBNGT\PWD.chm

Filesize
20KB

MD5
164ea98e2f64635f8a097870781da36c

SHA1
7cd9294657902f6bc199007e30f6514fce66f666

SHA256
c69e694d6db9a958a99901afb86a8b864a17b510a5dcdd1c176f53abf0c61a61

SHA512
4e19842a0d959876cdac60fd145fa36f2d98650b843c6faea2b01e205b2f0ce262b45c1c60fbf483320f012d4c00b96dff36e72d27ecbe9133f09d6618cbde20

Download Submit
\Windows\SysWOW64\CMBNGT\PWD.001

Filesize
61KB

MD5
34c92b717ae97bc926f56ba56a44f24a

SHA1
ccaf3c6bf0c73564d0bf19c92b8d25008ffffbfa

SHA256
6e60d85b35f5e9222375f606e4116b38364a4a943596ddb0d914cf1cf4791774

SHA512
2a9eb63837db128c9e036976d903ebd925e6952ab6bf4efa0e370e79f9fefe0ed6e44e4ab444f56ace1149f4dd14797f568e8827e7cebd1e5581dcf309f9745a

Download Submit
\Windows\SysWOW64\CMBNGT\PWD.exe

Filesize
1.5MB

MD5
9ab9b7b74790b7bb2798dd2b26f4a913

SHA1
e8ffa981a0149aa6441dcb0dd42f7baf6eb773a2

SHA256
df1c8d608ebd300889cf21c3bda6d5dd2574d68e1f530cc5a885449a22177a75

SHA512
ffffe21d8cc244aacaaba2eb13cc77ad800a196ecf6f77637a8a1f6d456cabb8331970ab358ab21dcf9832343379b4f0486da3990d45eb2f2765e55b7404739e

Download Submit
memory/2700-21-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2700-32-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2700-33-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2868-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2868-34-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download