ardamax | 83dee15391870fd65b0454a117b689fd98e7473d533d5ed1ee3c9f8311bee08e

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe
Size

3.3MB
MD5

f26c85384315a7a414eb76756b2b5956
SHA1

68b32723aa3e18dd069ec490ff6d6342bdd21f7e
SHA256

83dee15391870fd65b0454a117b689fd98e7473d533d5ed1ee3c9f8311bee08e
SHA512

08afa305c3749926607368e5280d678ba8539e4debd81330c599a8d2a4b3f54e8b4ac49359486df02a4aed62b3808f2c53b6e44a985f9c1f7b169f6887570d1e
SSDEEP

98304:iyuFxS4FU/MDQ5krC6Vdt03YkV0sUp1oEuBhdh:wM4F+ErnTt03YE09uBx

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001945c-51.dat	family_ardamax

Executes dropped EXE 7 IoCs

pid	Process
3056	pj.exe
2776	kill.exe
2672	pjupd.exe
2544	IFKM.exe
2668	IFKM.exe
2400	PJ_autoplay(Final).exe
1660	PJ_autoplay(Final).exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe

Loads dropped DLL 14 IoCs

pid	Process
3056	pj.exe
2672	pjupd.exe
3056	pj.exe
3056	pj.exe
2672	pjupd.exe
2672	pjupd.exe
3056	pj.exe
2672	pjupd.exe
2668	IFKM.exe
1660	PJ_autoplay(Final).exe
2400	PJ_autoplay(Final).exe
2668	IFKM.exe
1660	PJ_autoplay(Final).exe
2400	PJ_autoplay(Final).exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x00000000008CE000-memory.dmp	themida
behavioral1/memory/2384-6-0x0000000000400000-0x00000000008CE000-memory.dmp	themida
behavioral1/memory/2384-25-0x0000000000400000-0x00000000008CE000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\pjupd.exe"	kill.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IFKM Agent = "C:\\Windows\\SysWOW64\\28463\\IFKM.exe"	IFKM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\IFKM.006	pj.exe
File opened for modification	C:\Windows\SysWOW64\28463\IFKM.001	pjupd.exe
File opened for modification	C:\Windows\SysWOW64\28463\IFKM.006	pjupd.exe
File opened for modification	C:\Windows\SysWOW64\28463\IFKM.007	pjupd.exe
File opened for modification	C:\Windows\SysWOW64\28463	IFKM.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	pjupd.exe
File created	C:\Windows\SysWOW64\28463\IFKM.001	pj.exe
File created	C:\Windows\SysWOW64\28463\IFKM.007	pj.exe
File created	C:\Windows\SysWOW64\28463\IFKM.exe	pj.exe
File opened for modification	C:\Windows\SysWOW64\28463\IFKM.exe	pjupd.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	pj.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\pj.exe	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe
File created	C:\Windows\kill.exe	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe
File created	C:\Windows\pj.exe	kill.exe
File created	C:\Windows\pjupd.exe	kill.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IFKM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IFKM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PJ_autoplay(Final).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PJ_autoplay(Final).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pj.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	PJ_autoplay(Final).exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	PJ_autoplay(Final).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2400	PJ_autoplay(Final).exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2668	IFKM.exe
Token: SeIncBasePriorityPrivilege	2668	IFKM.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2668	IFKM.exe
2668	IFKM.exe
2668	IFKM.exe
2668	IFKM.exe
1660	PJ_autoplay(Final).exe
1660	PJ_autoplay(Final).exe
2668	IFKM.exe
2400	PJ_autoplay(Final).exe
2400	PJ_autoplay(Final).exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3056	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	31
PID 2384 wrote to memory of 3056	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	31
PID 2384 wrote to memory of 3056	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	31
PID 2384 wrote to memory of 3056	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2776	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2776	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2776	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2776	2384	f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe	32
PID 2776 wrote to memory of 2672	2776	kill.exe	33
PID 2776 wrote to memory of 2672	2776	kill.exe	33
PID 2776 wrote to memory of 2672	2776	kill.exe	33
PID 2776 wrote to memory of 2672	2776	kill.exe	33
PID 3056 wrote to memory of 2544	3056	pj.exe	34
PID 3056 wrote to memory of 2544	3056	pj.exe	34
PID 3056 wrote to memory of 2544	3056	pj.exe	34
PID 3056 wrote to memory of 2544	3056	pj.exe	34
PID 2672 wrote to memory of 2668	2672	pjupd.exe	35
PID 2672 wrote to memory of 2668	2672	pjupd.exe	35
PID 2672 wrote to memory of 2668	2672	pjupd.exe	35
PID 2672 wrote to memory of 2668	2672	pjupd.exe	35
PID 3056 wrote to memory of 2400	3056	pj.exe	36
PID 3056 wrote to memory of 2400	3056	pj.exe	36
PID 3056 wrote to memory of 2400	3056	pj.exe	36
PID 3056 wrote to memory of 2400	3056	pj.exe	36
PID 2672 wrote to memory of 1660	2672	pjupd.exe	37
PID 2672 wrote to memory of 1660	2672	pjupd.exe	37
PID 2672 wrote to memory of 1660	2672	pjupd.exe	37
PID 2672 wrote to memory of 1660	2672	pjupd.exe	37

C:\Users\Admin\AppData\Local\Temp\f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f26c85384315a7a414eb76756b2b5956_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\pj.exe
  "C:\Windows\pj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\28463\IFKM.exe
    "C:\Windows\system32\28463\IFKM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\PJ_autoplay(Final).exe
    "C:\Users\Admin\AppData\Local\Temp\PJ_autoplay(Final).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2400
- C:\Windows\kill.exe
  "C:\Windows\kill.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\pjupd.exe
    "C:\Windows\pjupd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\28463\IFKM.exe
      "C:\Windows\system32\28463\IFKM.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\PJ_autoplay(Final).exe
      "C:\Users\Admin\AppData\Local\Temp\PJ_autoplay(Final).exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\IFKM.001

Filesize
472B

MD5
551f1cc789c206b8ea4b4ea7f3f5f554

SHA1
c948a4d7dce9f0e46ec55a7df875985fc8ed09ff

SHA256
4792ca460c2ba23d506b41989b2e38083f1f4287c6bf849f47f0de650d09762f

SHA512
4b118f688d0ccf88e476ade8f0b8393cf1d10d67eb8216ffd8dda40a61008471f7dab8418359ac1c9bbef7cb275b4815a1490d294092dcfda243e7e19a900a25

Download Submit
C:\Windows\SysWOW64\28463\IFKM.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\IFKM.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\IFKM.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Windows\kill.exe

Filesize
1.1MB

MD5
43dce6ecc549c36ec6830aa268916e91

SHA1
1224b08d827acfc5e1b02c7f18d769cd0f6822aa

SHA256
a62266f65cf5054796db6c786dad08208ab5d1eef5806540ab626340f7e9e577

SHA512
8ce1ea48779fe0c5984b22c99f8df733350378b4642420269da05074249a721e6ab5b62513f8e45378e43439ac6fee29ab89544e956c56eda7ff8d37be955f48

Download Submit
C:\Windows\pj.exe

Filesize
1.0MB

MD5
d0c3f385e5c386697a5e1bc3f451226d

SHA1
ab1214ebaafb5effa79a5cbbff8bea8f9662eac6

SHA256
f988f8d9ef1b72359b4faa744c86b2c24c1c510461d0186c26e1193ca1a1310f

SHA512
52f69189a842287f742a4d6ebead73a7bf4d93c827e976a15cd7664aa5ad0e65f3c565a4e6b42a2cecd074e1efd30c0cf52cb92455f2738278d18c8179d8bd6b

Download Submit
\Users\Admin\AppData\Local\Temp\@DC7A.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
\Users\Admin\AppData\Local\Temp\PJ_autoplay(Final).exe

Filesize
382KB

MD5
d8adc4776d3d962df0b9c19066d2eb1e

SHA1
89a7f95552271f66327a583580489c6e19864d63

SHA256
4d44459510a0e38fd7ac7798d345f83dad8a840525c3930a3c2c3bd70f224d09

SHA512
90e24cf3229614b64c64b988baf2e07fb61cb9563d9eac13c1694d19d39c1d5b8cddefc14214cad1ee55c0928554e4cde7dba3d43a3d48a7451bc08033801097

Download Submit
memory/1660-97-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2384-6-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2384-25-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2384-7-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/2384-0-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/2384-4-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2384-1-0x0000000002150000-0x0000000002250000-memory.dmp

Filesize
1024KB

Download
memory/2384-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-96-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-39-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download