ardamax | c8831017d1d765734e5a86cb89cdf117750253f9a5999126da751ff11b7107b9

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
Size

997KB
MD5

fc8bd6444f5b316ffb06524fd2c09163
SHA1

70cbf9e1dc429378dcfae250329fd0d806c3406c
SHA256

c8831017d1d765734e5a86cb89cdf117750253f9a5999126da751ff11b7107b9
SHA512

6ac16d18b74c31cb45aa6979d12cc3df19f211eb704b044118ab2d5f9d62d9350a16b43947563bec8a2538877c8dfcc8acbd86511c6416124a898d59e2675abe
SSDEEP

24576:RPQMmWeawqYTPGgCTi/SrdOcAqSxqnlIE9RE+7a4:JXefVPrCe/SOpxqlf9

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234d6-22.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0

Executes dropped EXE 3 IoCs

pid	Process
3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
4532	SMVO.exe
4828	hvpk3.9.exe

Loads dropped DLL 11 IoCs

pid	Process
4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
4532	SMVO.exe
4532	SMVO.exe
4532	SMVO.exe
3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMVO Agent = "C:\\Windows\\SysWOW64\\28463\\SMVO.exe"	SMVO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
File opened for modification	C:\Windows\SysWOW64\28463	SMVO.exe
File created	C:\Windows\SysWOW64\28463\SMVO.001	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
File created	C:\Windows\SysWOW64\28463\SMVO.006	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
File created	C:\Windows\SysWOW64\28463\SMVO.007	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
File created	C:\Windows\SysWOW64\28463\SMVO.exe	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 3976	4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMVO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvpk3.9.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B86FF-E694-11D1-B2E4-0060975B8649}\TypeLib\ = "{C683BBF9-03DC-6002-736A-174248C75158}"	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B86FF-E694-11D1-B2E4-0060975B8649}\TypeLib\ = "{C683BBF9-03DC-6002-9C68-427DCC4C0AA6}"	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B86FF-E694-11D1-B2E4-0060975B8649}	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{606B86FF-E694-11D1-B2E4-0060975B8649}\TypeLib	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4532	SMVO.exe
Token: SeIncBasePriorityPrivilege	4532	SMVO.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4532	SMVO.exe
4532	SMVO.exe
4532	SMVO.exe
4532	SMVO.exe
4532	SMVO.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3976	4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe	81
PID 4816 wrote to memory of 3976	4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe	81
PID 4816 wrote to memory of 3976	4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe	81
PID 4816 wrote to memory of 3976	4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe	81
PID 4816 wrote to memory of 3976	4816	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe	81
PID 3976 wrote to memory of 4532	3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0	82
PID 3976 wrote to memory of 4532	3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0	82
PID 3976 wrote to memory of 4532	3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0	82
PID 3976 wrote to memory of 4828	3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0	83
PID 3976 wrote to memory of 4828	3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0	83
PID 3976 wrote to memory of 4828	3976	fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0	83
PID 4828 wrote to memory of 3416	4828	hvpk3.9.exe	84
PID 4828 wrote to memory of 3416	4828	hvpk3.9.exe	84
PID 4828 wrote to memory of 3416	4828	hvpk3.9.exe	84
PID 4828 wrote to memory of 3416	4828	hvpk3.9.exe	84
PID 4828 wrote to memory of 3416	4828	hvpk3.9.exe	84

C:\Users\Admin\AppData\Local\Temp\fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0
  "C:\Users\Admin\AppData\Local\Temp\fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\28463\SMVO.exe
    "C:\Windows\system32\28463\SMVO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\hvpk3.9.exe
    "C:\Users\Admin\AppData\Local\Temp\hvpk3.9.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@141F.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arm1316.tmp

Filesize
64KB

MD5
cdf9f21934221a77a7d3903378101f9b

SHA1
9f4d5dc0c2332a3c253666a64370aeba3b678287

SHA256
3648ce2ea7bdfce9c03df670088cbed0a5411513ad5a9d0d8e997483ad52c845

SHA512
904bdb088c03ac5d869148d7461775731f25724f14331a1ca6d78969293f6f20052a31a19bb263245931374bee4e3c3a873043310d3096c815feac2225b41ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc8bd6444f5b316ffb06524fd2c09163_JaffaCakes118.TMP0

Filesize
865KB

MD5
36a5d4a1f6fa1b1a663083ae6c54187e

SHA1
6220d401e0a92f2d504143b36cb0b4a9fe0936eb

SHA256
65e538e2ecd8213c9d03d9b45be18014530b78afcd211b3204cd1080330db7f2

SHA512
6fbdf43cf356b8a9916e1d558132cd3a12d8f50ae6758a69cb5356a41bdb0d4c8e40253d05d642548dff22c8c9ffb154bd0658e3cae5ba293cf9b48829f620e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvpk3.9.exe

Filesize
464KB

MD5
0aa85e8b4918e22380bae624dc782596

SHA1
7ba6e4bbadad62b0d5c7c1ccccccfc60603717bc

SHA256
59b540f1e4ebde5478e9b540a16d356e77d81010781dec243c1120505d6bf854

SHA512
6a014f0cace716158900d368b936dd80d74907ff9459261578b9202bf4d85f11955e64e655031d7e64cb4d3e5ddc0612a2da2e811ab3848a121f6f89e2dd5616

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
394KB

MD5
10e53b4b4502bab5358837983b15d83e

SHA1
2845bb0d6667be127bab7676b6800994239850ce

SHA256
e91b458384ad38f5e81766bc7ae213025f27f30c69b72550731159aa60d62910

SHA512
35b2071598af5840ed0843e39f81b778660310725975c2b2cc8cd20ad37954bea04c4a2f173cdaffa467e9585b7f573b99fd444f659d11360bd7a8219c851cd7

Download Submit
C:\Windows\SysWOW64\28463\SMVO.001

Filesize
406B

MD5
cac4f1446c1b38472f50bf8f60bf71ec

SHA1
4033fd1df72fba69161663ca7a2393d5becdaef9

SHA256
61e2ab4df0585548c2b6195dc87c82dd3785b2b3927d630c7fe9fe60c4e885d1

SHA512
bead65f773d0ead33ee523c83bf16ce3ee6b21ff8bc10a4322762be0b40c0b126f8a85b51a702eda6bd53f2c83daf96e813c42661f21f57805c4c8b635fa7adb

Download Submit
C:\Windows\SysWOW64\28463\SMVO.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
C:\Windows\SysWOW64\28463\SMVO.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
C:\Windows\SysWOW64\28463\SMVO.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
memory/4532-32-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4532-54-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4828-49-0x0000000013140000-0x00000000131D3607-memory.dmp

Filesize
589KB

Download
memory/4828-50-0x0000000013140000-0x00000000131D3607-memory.dmp

Filesize
589KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads