ardamax | fa9eca326bf9415313b6f1a5c943b96dee5c2db80b7d66c9e5410cc9865e54a8

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe
Size

966KB
MD5

f6244d556f00543086c0b6d572fd1a78
SHA1

c44390cb9db5dd60011d9f2b4f8dcb7a8907fa71
SHA256

fa9eca326bf9415313b6f1a5c943b96dee5c2db80b7d66c9e5410cc9865e54a8
SHA512

4a906292fecfef825aad2620e144adef286d57ad9eeb5837ae1490c0ed9dce5400b59eaf1aa4b5d24441bcd93bb7508ed4912bf9a71278604cb590b26356f360
SSDEEP

24576:W5TV5nSC0nmcBUkM6upd1+PGwkD2gkMFe1ugEzaqP6KbuDf:+SCOmcCkWd4kD2d1XE56Ki

Score

10^/10

ardamax credential_access discovery keylogger spyware stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019271-551.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1092	Install.exe
2312	BIDP.exe
1736	WerFault.exe

Loads dropped DLL 15 IoCs

pid	Process
2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe
1092	Install.exe
1092	Install.exe
1092	Install.exe
1092	Install.exe
1092	Install.exe
1092	Install.exe
2312	BIDP.exe
2312	BIDP.exe
2312	BIDP.exe
2312	BIDP.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\BIDP.001	Install.exe
File created	C:\Windows\SysWOW64\28463\BIDP.006	Install.exe
File created	C:\Windows\SysWOW64\28463\BIDP.007	Install.exe
File created	C:\Windows\SysWOW64\28463\BIDP.exe	Install.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe
Token: SeDebugPrivilege	1736	WerFault.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1092	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe	30
PID 2636 wrote to memory of 1092	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe	30
PID 2636 wrote to memory of 1092	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe	30
PID 2636 wrote to memory of 1092	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe	30
PID 2636 wrote to memory of 1092	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe	30
PID 2636 wrote to memory of 1092	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe	30
PID 2636 wrote to memory of 1092	2636	f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe	30
PID 1092 wrote to memory of 2312	1092	Install.exe	31
PID 1092 wrote to memory of 2312	1092	Install.exe	31
PID 1092 wrote to memory of 2312	1092	Install.exe	31
PID 1092 wrote to memory of 2312	1092	Install.exe	31
PID 1092 wrote to memory of 2312	1092	Install.exe	31
PID 1092 wrote to memory of 2312	1092	Install.exe	31
PID 1092 wrote to memory of 2312	1092	Install.exe	31
PID 2312 wrote to memory of 1736	2312	BIDP.exe	32
PID 2312 wrote to memory of 1736	2312	BIDP.exe	32
PID 2312 wrote to memory of 1736	2312	BIDP.exe	32
PID 2312 wrote to memory of 1736	2312	BIDP.exe	32
PID 2312 wrote to memory of 1736	2312	BIDP.exe	32
PID 2312 wrote to memory of 1736	2312	BIDP.exe	32
PID 2312 wrote to memory of 1736	2312	BIDP.exe	32

C:\Users\Admin\AppData\Local\Temp\f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6244d556f00543086c0b6d572fd1a78_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\isthealer.exe_v11717352\Native\STUBEXE\@APPDATA@\Install.exe
  "C:\Users\Admin\AppData\Roaming\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\isthealer.exe_v11717352\Native\STUBEXE\@SYSTEM@\28463\BIDP.exe
    "C:\Windows\system32\28463\BIDP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\isthealer.exe_v11717352\Native\STUBEXE\@WINDIR@\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 308
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install.exe

Filesize
567KB

MD5
0060a6e5045e773d6b4d1ba6c45a9d39

SHA1
f1bae602a6c15231747828b4613f389c7ccc0dd7

SHA256
b4803d62f01a2459e5ca1c4bf249a05c404bd98d1b42b1e90d8920b580e1c885

SHA512
5379167448132bcfb4704720b1ad27692c3904e93cde28a535ab1b8a4a3306747e3068b8d5a51a0586667806398500deba2ae748688504bc40d95ddd981579ea

Download Submit
C:\Windows\SysWOW64\28463\BIDP.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
\Users\Admin\AppData\Local\Temp\@57C1.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\isthealer.exe_v11717352\Native\STUBEXE\@APPDATA@\Install.exe

Filesize
16KB

MD5
723f37ea619ded6d2eb7be08c7ba70b5

SHA1
54f971b772dce6e3cf40d8c68f1107f09080e954

SHA256
547859013fff8f4992a2dcb524efa7ada23ffc4fbc98e997cd0f2b8af3c193be

SHA512
8ace00d184c1508a69841f58e76c046cea809a7bbd450ffcc6e5dc2b1856837f721b87733540c6a55f7490c468bbf79e1eaa9a51c241a6895035d0d0677a249e

Download Submit
\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\isthealer.exe_v11717352\Native\STUBEXE\@SYSTEM@\28463\BIDP.exe

Filesize
16KB

MD5
29c412f3d08b75f68665915b2bc756c2

SHA1
3d3f85a80eda4bb9edf003017f4919f3dc76b95c

SHA256
5c6e670a150c1df00051f38256b0c4b26fab98d3eb491e9bde18a7582e057b9f

SHA512
42bba25d7586577828d962e2f7adf71d9fc3643c3991add4a8a1261e52ef8260ed579fd0bb44cdb788d541499e1450547cc60319ced0d3fc416fddb7651e2726

Download Submit
\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\isthealer.exe_v11717352\Native\STUBEXE\@WINDIR@\SysWOW64\WerFault.exe

Filesize
16KB

MD5
b3d1dd030834b01371e031c0946fe94e

SHA1
9f03fa14d9ee09859700f379db7cba54b13af8a9

SHA256
17fb77bd57f06968aa20f1241833027c2142f0b90badfc96b594a46a0c5a769e

SHA512
59085848cfeb19615c0daca3f1f72840e5935aa55cc759fe6fa347fac965a14478d4b7b5e8feabe7dae0eff035aa03bd66b14dfc0debab830b5bd8be0fd930ba

Download Submit
memory/1092-557-0x0000000003390000-0x000000000346F000-memory.dmp

Filesize
892KB

Download
memory/1736-1092-0x0000000002810000-0x00000000028EF000-memory.dmp

Filesize
892KB

Download
memory/1736-1089-0x0000000002810000-0x00000000028EF000-memory.dmp

Filesize
892KB

Download
memory/1736-1088-0x0000000002810000-0x00000000028EF000-memory.dmp

Filesize
892KB

Download
memory/1736-1087-0x0000000002810000-0x00000000028EF000-memory.dmp

Filesize
892KB

Download
memory/1736-1094-0x0000000002810000-0x00000000028EF000-memory.dmp

Filesize
892KB

Download
memory/1736-1093-0x0000000002810000-0x00000000028EF000-memory.dmp

Filesize
892KB

Download
memory/2312-1091-0x00000000026D0000-0x00000000027AF000-memory.dmp

Filesize
892KB

Download
memory/2312-561-0x0000000000230000-0x000000000030F000-memory.dmp

Filesize
892KB

Download
memory/2312-670-0x0000000000230000-0x000000000030F000-memory.dmp

Filesize
892KB

Download
memory/2312-824-0x00000000026D0000-0x00000000027AF000-memory.dmp

Filesize
892KB

Download
memory/2636-19-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-67-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-13-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-9-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-7-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-5-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-3-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-1-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-0-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-55-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-53-0x0000000077440000-0x0000000077441000-memory.dmp

Filesize
4KB

Download
memory/2636-52-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-175-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-266-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-264-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-263-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-251-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-240-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-177-0x0000000077440000-0x0000000077441000-memory.dmp

Filesize
4KB

Download
memory/2636-158-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-143-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-128-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-112-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-96-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-74-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-15-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-262-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-64-0x0000000077440000-0x0000000077441000-memory.dmp

Filesize
4KB

Download
memory/2636-61-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-62-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-59-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-17-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-11-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-276-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-21-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-25-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-27-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-29-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-31-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-33-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-35-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-37-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-39-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-43-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-45-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-47-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-49-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-23-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2636-41-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download