ardamax | 4acfc937bd8dc060b878f7d46b5b61a68c63bd4364f390ae83c77074c3b20ef8

Analysis

max time kernel
148s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Size

1.1MB
MD5

e9a882ea0bcff4e48ceab4296ce7ca5e
SHA1

5f2f011bb98d71f9ab44da3a89424b628973230c
SHA256

4acfc937bd8dc060b878f7d46b5b61a68c63bd4364f390ae83c77074c3b20ef8
SHA512

74083e4ab65729af95e5f77bec95db72fdea76cd333d8aa4c10cd35858500af4fc2c38790a47438cba596dab40657615773aa8290ab085c09c7ef01b591582d9
SSDEEP

24576:gGwP1QmJnvPhkp2rsognYo6RkyGlqpE+NHKxv3M/OBj4vmOMpvqOEit:gfJnHKYrVgR0xhNqxvLBjSsCO1t

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001903b-629.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2212	car.exe
1128	JYNI.exe
600	WerFault.exe

Loads dropped DLL 10 IoCs

pid	Process
2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
2212	car.exe
2212	car.exe
2212	car.exe
1128	JYNI.exe
1128	JYNI.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\28463\JYNI.007	car.exe
File created	C:\Windows\28463\JYNI.exe	car.exe
File created	C:\Windows\28463\key.bin	car.exe
File created	C:\Windows\28463\AKV.exe	car.exe
File created	C:\Windows\28463\JYNI.001	car.exe
File created	C:\Windows\28463\JYNI.006	car.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	car.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JYNI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: 33	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: 33	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: 33	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
Token: 33	2212	car.exe
Token: SeIncBasePriorityPrivilege	2212	car.exe
Token: SeDebugPrivilege	600	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2212	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2212	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2212	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2212	2260	e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe	30
PID 2212 wrote to memory of 1128	2212	car.exe	32
PID 2212 wrote to memory of 1128	2212	car.exe	32
PID 2212 wrote to memory of 1128	2212	car.exe	32
PID 2212 wrote to memory of 1128	2212	car.exe	32
PID 1128 wrote to memory of 600	1128	JYNI.exe	33
PID 1128 wrote to memory of 600	1128	JYNI.exe	33
PID 1128 wrote to memory of 600	1128	JYNI.exe	33
PID 1128 wrote to memory of 600	1128	JYNI.exe	33

C:\Users\Admin\AppData\Local\Temp\e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9a882ea0bcff4e48ceab4296ce7ca5e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\butiful car\2.1.11.06\2011.10.30T08.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\car.exe
  "C:\Users\Admin\AppData\Local\Temp\car.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\butiful car\2.1.11.06\2011.10.30T08.49\Native\STUBEXE\@WINDIR@\28463\JYNI.exe
    "C:\Windows\28463\JYNI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\butiful car\2.1.11.06\2011.10.30T08.49\Native\STUBEXE\@SYSTEM@\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 252
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\butiful car\2.1.11.06\2011.10.30T08.49\Native\STUBEXE\@SYSTEM@\WerFault.exe

Filesize
17KB

MD5
36e3fa60e628d7cbd22bc1dc8ccd6a11

SHA1
7ae9f7da10ee11131aa0f48c8be00ad0a59bce11

SHA256
af12be88da7a4dff7849f9af96130976e137d2c854e699bedccb778dc0842e83

SHA512
0ab35aedae2c77e64f89be4280296cdbda268f91e78d8cdfd07f417f133d4f8fc003f2f40eea3f4b3bf7c78d56bc14c31d0c45616201e25070d53d04f86c4346

Download Submit
C:\Windows\28463\JYNI.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
\Users\Admin\AppData\Local\Temp\@C330.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\butiful car\2.1.11.06\2011.10.30T08.49\Native\STUBEXE\@WINDIR@\28463\JYNI.exe

Filesize
17KB

MD5
61fc1a846f0662883d8a2dc20b36b1fc

SHA1
b823c666fb127c641f8ba67be19a7e7a32660220

SHA256
b84424d8a68b763a95ca2a810d04781f255b7cae4b4be18226c99a8ff09cb1c0

SHA512
8c5f2f6eb296172a425a84c47dfe1fbff785a289ae6560b30c321ff1c3eeb04a944c5a8912cd66a26ed5286a72074817d010bf8ebef4ab2ee7a7c1e18e6caa23

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\butiful car\2.1.11.06\2011.10.30T08.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\car.exe

Filesize
17KB

MD5
0ef59285d880acd4713ef5dbec6dddd0

SHA1
be849a5296016c8ed01ea34af4ad312007b651b5

SHA256
41a2fa8d4c05f9b86e5c5797d758439926ea08d42421953c6b626ac5ce2a470a

SHA512
84907bf9626e95adcde69c4c197b0f04ba949def7c5cd3e922c75cf38743ea5a85ff5d6aba02c771b6c9f36dbaee06609e21d8207bccb45f8f26fd12bb3228d8

Download Submit
memory/600-1261-0x00000000025E0000-0x00000000026BF000-memory.dmp

Filesize
892KB

Download
memory/600-1257-0x0000000000EB0000-0x0000000000F8F000-memory.dmp

Filesize
892KB

Download
memory/600-1258-0x0000000000EB0000-0x0000000000F8F000-memory.dmp

Filesize
892KB

Download
memory/600-1259-0x0000000000EB0000-0x0000000000F8F000-memory.dmp

Filesize
892KB

Download
memory/600-1263-0x0000000000EB0000-0x0000000000F8F000-memory.dmp

Filesize
892KB

Download
memory/600-1264-0x0000000000EB0000-0x0000000000F8F000-memory.dmp

Filesize
892KB

Download
memory/600-1265-0x0000000000EB0000-0x0000000000F8F000-memory.dmp

Filesize
892KB

Download
memory/600-1268-0x00000000025E0000-0x00000000026BF000-memory.dmp

Filesize
892KB

Download
memory/1128-1262-0x00000000009D0000-0x0000000000AAF000-memory.dmp

Filesize
892KB

Download
memory/1128-1256-0x00000000009D0000-0x0000000000AAF000-memory.dmp

Filesize
892KB

Download
memory/2260-1-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-37-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2260-0-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-63-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-121-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-127-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-114-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-107-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-100-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2260-98-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-90-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-82-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-67-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-65-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-61-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-59-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-57-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2260-54-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-51-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-52-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-49-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-47-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-43-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-41-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-39-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-33-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-36-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-130-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-129-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2260-194-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-262-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-3-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-5-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-620-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-7-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-9-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-639-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2260-777-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-11-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-13-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-15-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-17-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-19-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-21-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-23-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-25-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-27-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-29-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/2260-31-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download