ardamax | 05d2afe450d8c8591ef4f655e7a2e3a4b6d41f02312c426a9cc9a3f1de50cec1

Analysis

max time kernel
92s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe
Size

1.4MB
MD5

f26f7b2229f054390927633ba61503c9
SHA1

5086ddfc8d07354116c7d8dc2654849537fc25ce
SHA256

05d2afe450d8c8591ef4f655e7a2e3a4b6d41f02312c426a9cc9a3f1de50cec1
SHA512

df2f23b4bee2993cfdc9344fa14d01e38b72e8879063ce50a813a6d267d9eb411f020fb519cca622a49ecda4d42f20c361646bdaaa34c0d693424241293daafb
SSDEEP

24576:Rav02/FBa7o6tm4ZqRieZqRgHUSD69m7uUPUA8dzjPmTzUGgn5:0i0if1SDM6EA8V+8Zn5

Score

10^/10

ardamax discovery evasion keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002346a-199.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	LinDo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Av-Kill.exe

Executes dropped EXE 5 IoCs

pid	Process
4764	Av-Kill.exe
2196	LinDo.exe
4864	Kill1.exe
3628	Kill2.exe
3508	ELUK.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	LinDo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ELUK Agent = "C:\\Windows\\SysWOW64\\28463\\ELUK.exe"	ELUK.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\ELUK.001	LinDo.exe
File created	C:\Windows\SysWOW64\28463\ELUK.006	LinDo.exe
File created	C:\Windows\SysWOW64\28463\ELUK.007	LinDo.exe
File created	C:\Windows\SysWOW64\28463\ELUK.exe	LinDo.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	LinDo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Av-Kill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LinDo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kill1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kill2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ELUK.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4572	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
4864	Kill1.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe
3628	Kill2.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe
4764	Av-Kill.exe
4572	POWERPNT.EXE
4864	Kill1.exe
3628	Kill2.exe
4572	POWERPNT.EXE
4572	POWERPNT.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 4572	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	82
PID 1944 wrote to memory of 4572	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	82
PID 1944 wrote to memory of 4572	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	82
PID 1944 wrote to memory of 4764	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	83
PID 1944 wrote to memory of 4764	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	83
PID 1944 wrote to memory of 4764	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	83
PID 1944 wrote to memory of 2196	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	84
PID 1944 wrote to memory of 2196	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	84
PID 1944 wrote to memory of 2196	1944	f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe	84
PID 4764 wrote to memory of 4864	4764	Av-Kill.exe	87
PID 4764 wrote to memory of 4864	4764	Av-Kill.exe	87
PID 4764 wrote to memory of 4864	4764	Av-Kill.exe	87
PID 4764 wrote to memory of 3628	4764	Av-Kill.exe	88
PID 4764 wrote to memory of 3628	4764	Av-Kill.exe	88
PID 4764 wrote to memory of 3628	4764	Av-Kill.exe	88
PID 2196 wrote to memory of 3508	2196	LinDo.exe	98
PID 2196 wrote to memory of 3508	2196	LinDo.exe	98
PID 2196 wrote to memory of 3508	2196	LinDo.exe	98

C:\Users\Admin\AppData\Local\Temp\f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f26f7b2229f054390927633ba61503c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\Teste de -QI.pps" /ou ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\Av-Kill.exe
  "C:\Users\Admin\AppData\Local\Temp\Av-Kill.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\Kill1.exe
    "C:\Users\Admin\AppData\Local\Temp\Kill1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4864
- - C:\Users\Admin\AppData\Local\Temp\Kill2.exe
    "C:\Users\Admin\AppData\Local\Temp\Kill2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3628
- C:\Users\Admin\AppData\Local\Temp\LinDo.exe
  "C:\Users\Admin\AppData\Local\Temp\LinDo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\28463\ELUK.exe
    "C:\Windows\system32\28463\ELUK.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\Av-Kill.exe"
1⤵
- Modifies registry class
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9D2A.tmp

Filesize
4KB

MD5
cde9827bcff03c6c1f883f693c8c6700

SHA1
c2ce6d6a1dd2e17d8736e779ebe1f6d0383b4f46

SHA256
ba4566adf8b2cd5a6afb6fcb2a43cd80139d1882f71f03ccd4d0eea71fac8252

SHA512
11b901e644a52826c317435dc87872b55a36fa9d477530a030d1f137beb2710544b1f0e2fd23b3f6528f2f71ab55c66d219a87f1d5bc0f6ec0fd5aecd7659bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Av-Kill.exe

Filesize
76KB

MD5
f5dc0b871e490ee7e895499f9b43cb98

SHA1
78da91e8af6200bcf4e88990f4ae2db4f61a3ddd

SHA256
d5fb74b44073f0622e2c795b0a97aa495c9a80fae497d09633ce5e49da3d1d2a

SHA512
59e77030bca757ade0d7771fae12568a9522604e620a00353fe21dc57f98512963a20afe5a5f7ee082c087984d609bc657ab29408c84fb0b5ea0ccd44c2a4378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kill1.exe

Filesize
32KB

MD5
89a6d01576dce0c344f78f980dd77d93

SHA1
cfaf3a9e081316f7c9bf8c3eb90ca18692d4483e

SHA256
49a7a2527a6da35b942995921ca257ffffd925e852176fc339e6fe46b12037d7

SHA512
3ccd745a820a1def59d03c3f9acd029ed6b956d32868017fed82e304183ee42f1adaa239326c18447b0bb09e11ddee09d97fc181c5cfd99689ed5526a214574b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LinDo.exe

Filesize
537KB

MD5
36ff90ffbf75a6f393aa1d74102fbcc0

SHA1
2a3b06fde1dc7f0e77a765e0c3ea4fdc408d261d

SHA256
cce0fe44145dbd2524336855335996b4bc514cae637e4db18546e41f00229384

SHA512
7641661a6f50ce72c3364a6980ec91164eb61e89cf21d1117fcde680a3405b050d35b9ae87b07f212ddd0d0abb96430aedeeba8b3cbe6db45ec4cd855d32048c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teste de -QI.pps

Filesize
80KB

MD5
d9830f7eaa5dbafd6c62f8bffb22cbbd

SHA1
1be982c50c713f67d7f73c2294b545a5c0275374

SHA256
59bb483333784b87ef9d8888396fdee44d5e46c83b9f995b2de73e6665fc6ad7

SHA512
7147229869cddfaef7749e7e66922447dfc58b209fcf59a45bc37794b7c6cfa388d63cd616aaf7983791de3218d2a60ac6d804fe0d4fb3c1ca6e1004ddab43cc

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
458KB

MD5
14f8412a6efc0043fdf855f6eff2217f

SHA1
99c8ada8c45b390c44e7daf706705a653914f85f

SHA256
57dad901c66f57147e75656fa5b4df9fd62158b546dc7ceee18767f1ca95e6bc

SHA512
cafbbb42a9b0877f1bcf17a0219d9570bee5878cccbfe2a30f947cff492d3bc089fed34dbf12e410031f9f70decccbaf3464c1e4e71d7d771efa048580bbeb81

Download Submit
C:\Windows\SysWOW64\28463\ELUK.001

Filesize
488B

MD5
58257437918c75bc2174247256125e30

SHA1
f6b3e6d1b93e34013b76718503bb5bc17ae8247a

SHA256
233ecfb57641eb440efaf6ede71098a7a5973dfd3590d5b7e6ce1a71b7a06834

SHA512
735b9b4c94a033bb86e823cf68a06130309114f9b5541443ca62860bb9a94c35b0eb1efa3b96e389086a89766d23de838dccffdbda6f6f3a5985146e2b1f26d6

Download Submit
C:\Windows\SysWOW64\28463\ELUK.006

Filesize
8KB

MD5
acfe714319d5092d079a46d20785dab8

SHA1
67c491b9abb9ecffa1c87ce9ec1d516cd5fd9715

SHA256
832732c6ebefed88a2db93f73867ca0d5bd5b2a012ccbcfcf26e22bed6dc4fac

SHA512
895b25109ae1d6b64c6383cd74e8354cda27aa4925c06d7ef90edb748fb7765a07253ce0f69b3d0a13f8c63d1d226df61f50a56fe05569d31a4a5265f4175a8f

Download Submit
C:\Windows\SysWOW64\28463\ELUK.007

Filesize
5KB

MD5
dd462f9742de6d9d95459334538c2b1f

SHA1
8718400320b2aa38ff37dba0fe82062e5d3839bd

SHA256
b172cb7ab44abac00ea09707fe8926aa327e01f22726a887fa0e8eb72cdf1e54

SHA512
bc21d555ade6009250a892ef4b55f8ee96998dfafb3557da1e347297f0dc5f0e53e635f4b5d53261cccc46629adabd208fbc7a53fb826ff1606c47eb57e4537c

Download Submit
C:\Windows\SysWOW64\28463\ELUK.exe

Filesize
567KB

MD5
4ea1467f05af54ad8c98ee4926aff85c

SHA1
a377d95a18ed943cae552af415647ec6e9861c1e

SHA256
b5a510cf3884c0217cafd5f378ce3eb389bd4e88eea5f662e5c364a6e3fb4476

SHA512
049b8f935e96773f35f67d0ff6de74e6dda04f5add09964500a356184db0c3229943ef5a27df2b1e8098bf693e3016007272e797c37e99a1ebdce0999363963d

Download Submit
memory/1944-42-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1944-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1944-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1944-41-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4572-46-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-44-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-52-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-51-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-54-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-53-0x00007FFCA3970000-0x00007FFCA3980000-memory.dmp

Filesize
64KB

Download
memory/4572-49-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-45-0x00007FFCA3970000-0x00007FFCA3980000-memory.dmp

Filesize
64KB

Download
memory/4572-48-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-30-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-29-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-36-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-43-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-47-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-98-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-99-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-100-0x00007FFCE5A8D000-0x00007FFCE5A8E000-memory.dmp

Filesize
4KB

Download
memory/4572-187-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-189-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-190-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-188-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-191-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-33-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/4572-24-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-25-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-22-0x00007FFCA5A70000-0x00007FFCA5A80000-memory.dmp

Filesize
64KB

Download
memory/4572-23-0x00007FFCE5A8D000-0x00007FFCE5A8E000-memory.dmp

Filesize
4KB

Download