ardamax | 1410bfce5cb5ff66e569c744d2f132fe633f3467e46573127244ecbc2871bcea

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe
Size

1.3MB
MD5

098c01d130d35c4e15ef2b76a38a0dce
SHA1

7fedc43d09aa84322b6d0662dc52bfcf83a75946
SHA256

1410bfce5cb5ff66e569c744d2f132fe633f3467e46573127244ecbc2871bcea
SHA512

0e1fb764d235ed3c0c47bf6920bd50190a60abe0d5373306a93c01e74e91dc55822773221c3a56fcecda4a7dadf3bb6dc03e4f208469f312a32befb43133333c
SSDEEP

24576:poviLoFVH7e/4tGpv7GPE7dupqi5K3syLPOm5sxucCzBjcd6TJ97WTzL:poH704tBg0pqi5K3ZjOXucq5cd27k

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019074-105.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1148	Install.exe
2752	TTYA.exe

Loads dropped DLL 10 IoCs

pid	Process
2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe
1148	Install.exe
1148	Install.exe
1148	Install.exe
1148	Install.exe
1148	Install.exe
2752	TTYA.exe
2752	TTYA.exe
2752	TTYA.exe
2752	TTYA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TTYA Agent = "C:\\Windows\\SysWOW64\\28463\\TTYA.exe"	TTYA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\TTYA.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	TTYA.exe
File created	C:\Windows\SysWOW64\28463\TTYA.001	Install.exe
File created	C:\Windows\SysWOW64\28463\TTYA.006	Install.exe
File created	C:\Windows\SysWOW64\28463\TTYA.007	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TTYA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\ProgID	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0\win32\	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0\win64	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\TypeLib\ = "{CFF77CBE-AC41-430B-53F2-F609BE950B5A}"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\InprocServer32\ = "%PROGRAMFILES%\\Windows Media Player\\wmpnssci.dll"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\FLAGS\ = "0"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\TypeLib\	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\InprocServer32	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\Version\	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\VersionIndependentProgID	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\ = "Laribo Imiwi Debone"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\ProgID\	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\FLAGS	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\Version	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0\	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\TypeLib	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\Version\ = "1.0"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0\win64\	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\VersionIndependentProgID\	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\Programmable	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\ = "WcsPlugInService 1.0 Type Library"	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\WcsPlugInService.dll"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\ProgID\ = "WMPNSSCI.NSSManager.1"	TTYA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0\win32	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\VersionIndependentProgID\ = "WMPNSSCI.NSSManager"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\InprocServer32\	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE41C5A-FEBD-4EAB-91A7-EEABBD752E5C}\Programmable\	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\WcsPlugInService.dll"	TTYA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFF77CBE-AC41-430B-53F2-F609BE950B5A}\1.0\FLAGS\	TTYA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2752	TTYA.exe
Token: SeIncBasePriorityPrivilege	2752	TTYA.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe
2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe
2752	TTYA.exe
2752	TTYA.exe
2752	TTYA.exe
2752	TTYA.exe
2752	TTYA.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1148	2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe	30
PID 2992 wrote to memory of 1148	2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe	30
PID 2992 wrote to memory of 1148	2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe	30
PID 2992 wrote to memory of 1148	2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe	30
PID 2992 wrote to memory of 1148	2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe	30
PID 2992 wrote to memory of 1148	2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe	30
PID 2992 wrote to memory of 1148	2992	098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe	30
PID 1148 wrote to memory of 2752	1148	Install.exe	31
PID 1148 wrote to memory of 2752	1148	Install.exe	31
PID 1148 wrote to memory of 2752	1148	Install.exe	31
PID 1148 wrote to memory of 2752	1148	Install.exe	31
PID 1148 wrote to memory of 2752	1148	Install.exe	31
PID 1148 wrote to memory of 2752	1148	Install.exe	31
PID 1148 wrote to memory of 2752	1148	Install.exe	31

C:\Users\Admin\AppData\Local\Temp\098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\098c01d130d35c4e15ef2b76a38a0dce_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\ChipF2\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\ChipF2\Install.exe" /Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\28463\TTYA.exe
    "C:\Windows\system32\28463\TTYA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\TTYA.001

Filesize
380B

MD5
165932c59ad2052c401888de8b6ba47b

SHA1
72ec41e78f1f5ac1694b78af3584be274d91ab5d

SHA256
0fa0a80ed829f51548c108885f5e7526e1b211fadb99621d3a4a1a7a1dbd7460

SHA512
c8ceec59faca0a6a8ce07cb084efe8cc73b5cd05a1bd299b3cbb6061feeb9772b3b6ca0fc720f457e6f7e16878cf53761ef3719d4899380acf75a3c0cd7e8738

Download Submit
C:\Windows\SysWOW64\28463\TTYA.006

Filesize
8KB

MD5
a7d56ebb7d4df6da32fd0eb2cbb01c8d

SHA1
9649efa83dec688d20733e73706ab45469877dec

SHA256
e8f58299afe568e8f28c1775597b410eb2692c09f2113345a36d6940c623ad83

SHA512
52daef6e65ad7132a2fcd28b7d5580f18eba107cf86134db88137d70db86b9b8cc080fdc63c8cb3e5d381274624a885e707b3191bdcd53bd20845da62076cda6

Download Submit
C:\Windows\SysWOW64\28463\TTYA.007

Filesize
5KB

MD5
33713b71361b69fff8125c8a4f327716

SHA1
cc7870a3671ea4ff0d3a04f7372e82d10e497ecb

SHA256
8cfcbace29a286d3bd1b42683ac7a4c384440d2cac16fc7b87c7135d59a526b9

SHA512
8b7f214122d368d66eda0ff1be54dc2c9b3d73d37e2e143d80b8c382758eeb2568d5a55ba1f1b3f1e1b8981d22708178f5f0e21b14d384dd2c214fe7569b3e4f

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@63F1.tmp

Filesize
4KB

MD5
2edeacb33f56af3ef5395d72e1ce1e7e

SHA1
452986cfb1d19ffee51dd827e620d3669133a2dd

SHA256
fb1b34f7019ce4cdb95b0a95744d69ba4843480ada1c5a13d694dc094d994441

SHA512
650cfcdcc848b05be816f224301e1f91293024767edb32cfc140b73030f33f6dd7311f25ea5b2716eaab891ba342c8e9429652f45497e9f3d9031f83bb996301

Download Submit
\Users\Admin\AppData\Local\Temp\ChipF2\Install.exe

Filesize
567KB

MD5
bef27a443dae7fc76faa5f4ab2b873bd

SHA1
c91bb14906d0efc24648540fa80d5a67831389de

SHA256
894144a0d7b8604e40af5490d8127e2e079d0a96128723c64af7833cea8bbc0d

SHA512
b5f100bf9a504195e13364b47a9efbfc5f249437d8b1f99439cbafe0a68fb03dc36f81e535a595fc080adaf7ad7a65b4793e95a3105ffb90f44ce7d9a78ec36c

Download Submit
\Windows\SysWOW64\28463\TTYA.exe

Filesize
649KB

MD5
22c27e66d6fa15ec1230ab9544c03ed7

SHA1
048c618c233a90fdbb7acb64abcbeead5e6ef350

SHA256
1b383815dcf2f514bc75338def0c2e8770eeae23f3c00521b09aa2570cdc3772

SHA512
5d8a6bf322dc84226a5ea14824f209815d54bd7acef9feba0719b497e99d24935d0214022a21a3903b814809aa83e868a6db3683b681874c7d7f25f0aeada9ca

Download Submit
memory/1148-107-0x00000000025B0000-0x000000000268F000-memory.dmp

Filesize
892KB

Download
memory/2752-117-0x0000000000240000-0x000000000031F000-memory.dmp

Filesize
892KB

Download
memory/2752-116-0x0000000000240000-0x000000000031F000-memory.dmp

Filesize
892KB

Download
memory/2752-124-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-128-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads