ardamax | a6a770f26d9dbaf6f352b5d26d64b7ee26b67780ae11a78350b3ac169251d7b5

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
Size

1.5MB
MD5

f7a1bcf2b0ce10a8c4f6bbe425b3a7cc
SHA1

72a47bc83963b89fe9e0bb9718b74e71d7779098
SHA256

a6a770f26d9dbaf6f352b5d26d64b7ee26b67780ae11a78350b3ac169251d7b5
SHA512

4f08a7e1a4a6c67a91e68c9c016facbc42dc096af90372318663ae810e11860efa24b2fd02b3f1962e8b710c108474a3d90c6c41ef91b8fb9ff9a1599fe6c926
SSDEEP

49152:roT7Np26KpMj+yb9MH1tqZQHDe0pmg2/9:6appMj+sMiZQrpmgE

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001926a-6.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2432	IDY.exe
2720	bPT Trainer.exe

Loads dropped DLL 3 IoCs

pid	Process
2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IDY Start = "C:\\Windows\\SysWOW64\\MTIYPI\\IDY.exe"	IDY.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MTIYPI\AKV.exe	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MTIYPI\IDY.exe	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MTIYPI\IDY.004	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MTIYPI\IDY.001	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MTIYPI\IDY.002	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bPT Trainer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	IDY.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2720	bPT Trainer.exe
Token: SeSecurityPrivilege	2720	bPT Trainer.exe
Token: SeLoadDriverPrivilege	2720	bPT Trainer.exe
Token: SeSystemProfilePrivilege	2720	bPT Trainer.exe
Token: SeSystemtimePrivilege	2720	bPT Trainer.exe
Token: SeProfSingleProcessPrivilege	2720	bPT Trainer.exe
Token: SeIncBasePriorityPrivilege	2720	bPT Trainer.exe
Token: SeCreatePagefilePrivilege	2720	bPT Trainer.exe
Token: SeShutdownPrivilege	2720	bPT Trainer.exe
Token: SeDebugPrivilege	2720	bPT Trainer.exe
Token: SeSystemEnvironmentPrivilege	2720	bPT Trainer.exe
Token: SeRemoteShutdownPrivilege	2720	bPT Trainer.exe
Token: SeUndockPrivilege	2720	bPT Trainer.exe
Token: SeManageVolumePrivilege	2720	bPT Trainer.exe
Token: 33	2720	bPT Trainer.exe
Token: 34	2720	bPT Trainer.exe
Token: 35	2720	bPT Trainer.exe
Token: SeDebugPrivilege	2720	bPT Trainer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe
2720	bPT Trainer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2432	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2432	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2432	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2432	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2720	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2720	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2720	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2720	2076	f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7a1bcf2b0ce10a8c4f6bbe425b3a7cc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\MTIYPI\IDY.exe
  "C:\Windows\system32\MTIYPI\IDY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\bPT Trainer.exe
  "C:\Users\Admin\AppData\Local\Temp\bPT Trainer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bPT Trainer.exe

Filesize
1.1MB

MD5
8db0eea012f23e119765fef4794a3ca1

SHA1
72ec0723508e47b7338abac71c7c59a22acf300d

SHA256
f0a186faf09189e8af6949b230116aa9824105102790f96ecb7e586fda466493

SHA512
90af037cfcbba43ad4fe1851b6146e8d37f5a996ead71abecfc6ac6725ce83a654195fe6eef93fce01b3bc53967ca3f3d730dbc0c79dc2ed03f68eda342684d2

Download Submit
C:\Windows\SysWOW64\MTIYPI\AKV.exe

Filesize
466KB

MD5
4c5711d8a02899113661bdff195d80d5

SHA1
263592abea6d60887defb4b1bcb47dbb383edfb6

SHA256
661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195

SHA512
4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

Download Submit
C:\Windows\SysWOW64\MTIYPI\IDY.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
C:\Windows\SysWOW64\MTIYPI\IDY.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\MTIYPI\IDY.004

Filesize
1KB

MD5
5cbe2aa572deaa1ab36d969259222171

SHA1
e6960055a4a50aa969d178ab4e090cfd4313a2c3

SHA256
72f9eb9922edd435fa787a3c066b1e523437bce7454275b75bfda8b4e0503b8e

SHA512
ac133e3381f69f8daf19c68bcc101076986489bb798467325e52840ebaca464aff2394367dddcd53104bc091854d09c731f19b3f07b4d7fe13910274236319e1

Download Submit
\Windows\SysWOW64\MTIYPI\IDY.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
memory/2432-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2720-25-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2720-27-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2720-26-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download