ardamax | 82f9c12f77368b7013e7a19818e3053e30eb9aa25469940823152214de8eaa56

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Size

922KB
MD5

1663c91a5ac2dc1621dff7b70f923458
SHA1

fa25086f5c71b2f7d84c2b3c1a79349915425de5
SHA256

82f9c12f77368b7013e7a19818e3053e30eb9aa25469940823152214de8eaa56
SHA512

480c2f442ee15fa343813619e152b51e22cbc7aa90ab7224f39511d012fb5570bdf54b9e5bd69988c93627fddd97bc4ed5d2e434433fe74b0cab48e0bce68815
SSDEEP

24576:43xZPCUOAhkpBZKKjp5cslpHsIm0lx1UjSQ/m:o5OAKd11ftmVj6

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016ddf-633.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
900	pruebaconfoto27.exe
2160	ANUH.exe

Loads dropped DLL 10 IoCs

pid	Process
2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
900	pruebaconfoto27.exe
900	pruebaconfoto27.exe
900	pruebaconfoto27.exe
2160	ANUH.exe
2160	ANUH.exe
2160	ANUH.exe
4016	DllHost.exe
4016	DllHost.exe
900	pruebaconfoto27.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ANUH Agent = "C:\\Windows\\SysWOW64\\Sys\\ANUH.exe"	ANUH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\ANUH.001	pruebaconfoto27.exe
File created	C:\Windows\SysWOW64\Sys\ANUH.006	pruebaconfoto27.exe
File created	C:\Windows\SysWOW64\Sys\ANUH.007	pruebaconfoto27.exe
File created	C:\Windows\SysWOW64\Sys\ANUH.exe	pruebaconfoto27.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	pruebaconfoto27.exe
File opened for modification	C:\Windows\SysWOW64\Sys	ANUH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pruebaconfoto27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANUH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: 33	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: 33	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: 33	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
Token: 33	900	pruebaconfoto27.exe
Token: SeIncBasePriorityPrivilege	900	pruebaconfoto27.exe
Token: 33	2160	ANUH.exe
Token: SeIncBasePriorityPrivilege	2160	ANUH.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4016	DllHost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2160	ANUH.exe
2160	ANUH.exe
2160	ANUH.exe
2160	ANUH.exe
2160	ANUH.exe
4016	DllHost.exe
4016	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 900	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe	28
PID 2232 wrote to memory of 900	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe	28
PID 2232 wrote to memory of 900	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe	28
PID 2232 wrote to memory of 900	2232	1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe	28
PID 900 wrote to memory of 2160	900	pruebaconfoto27.exe	29
PID 900 wrote to memory of 2160	900	pruebaconfoto27.exe	29
PID 900 wrote to memory of 2160	900	pruebaconfoto27.exe	29
PID 900 wrote to memory of 2160	900	pruebaconfoto27.exe	29

C:\Users\Admin\AppData\Local\Temp\1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1663c91a5ac2dc1621dff7b70f923458_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\acnner tools\20.1.11.06\2012.05.13T21.26\Virtual\STUBEXE\@APPDATALOCAL@\Temp\pruebaconfoto27.exe
  "C:\Users\Admin\AppData\Local\Temp\pruebaconfoto27.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\acnner tools\20.1.11.06\2012.05.13T21.26\Native\STUBEXE\@SYSTEM@\Sys\ANUH.exe
    "C:\Windows\system32\Sys\ANUH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2160

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DSC00002.jpg

Filesize
80KB

MD5
d745d4edc5ca9a3d64e88fbb4ce07fdf

SHA1
166fed9ea632a489a0e5ecca3eb23546dce3f2fc

SHA256
81f2e34f8db48a759aea9f9b68b0eb0bff7f49ab444f89492a336d06ef7684a7

SHA512
87a1f95775ee37d390d0770d153ffd4bf1fd28600c5ebf6e351020f4da0a35a162cc38ac652e45178b5846fda5c1e799bf4badc6ba7151d48c1e5c70126936e8

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\acnner tools\20.1.11.06\2012.05.13T21.26\Native\STUBEXE\@SYSTEM@\Sys\ANUH.exe

Filesize
17KB

MD5
e325cd0e3100e3a452591969f29e3689

SHA1
abbbe66de78db149a8d1902f731adaf7d367bf55

SHA256
25b13cdae8d3b05ab354b5f96ba3f9f3f71ad2060c846cb234e66c6127ce4ec5

SHA512
96937aff1f74334268889bece71f11a4c5258f64badd53329813929e4140d03472564a1f14c8bf24cd73aa20ab39bcb7b974496fd71de5e5cd58516f64259299

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
390KB

MD5
db485c0d252649c051970bf5c42167af

SHA1
e5ca18b8e3d033cf27ed3c02bf893bd007767d43

SHA256
a53287648d0a86577044a1ae0347a72c5e20b6a1087ba4e59b369209fa01498f

SHA512
afab398e80e242967c081dc16b52834270f548a8dc453e337d7e275ae78b104f0e82bb4968d570286a605e3c3bb0fccead70ef0abb8e33de3f6a648fe4d3120f

Download Submit
C:\Windows\SysWOW64\Sys\ANUH.001

Filesize
454B

MD5
ed86f46d6f9edac62d0faf7443e0b4c7

SHA1
c343ee61dc8ef4a34b1eef98d3a449b6bf4eb2c9

SHA256
7ab23f84d1ff2e3bef3b4a0b775ee9a329e89179d02632914bce7063214f4beb

SHA512
79388814fe5df2d73803e3c00d3c43761de4def6d5bd8edbed66eefda85829a301bd87d0031d1e9bc356b8644eeb60446301381100a64a9d8e9efc3e2cab5053

Download Submit
C:\Windows\SysWOW64\Sys\ANUH.007

Filesize
5KB

MD5
0766f2291c9f350a0d3d70c25d4d0c23

SHA1
67d07f1963833e31c3406eddaf63da125e3478f4

SHA256
d1f5c987db340dd00d620f546c7b89a1816d86d169a03bce9a3ff0f25207f8b5

SHA512
ebfeedae7b5fdbd2f0e3f70ce42ee3eba6c464a1f314546b329e6b483e688c39daef8b010c7cf6d8eebc06db7560c77198b38b3166bb4dab146b8b46eb87b161

Download Submit
\Users\Admin\AppData\Local\Temp\@B616.tmp

Filesize
4KB

MD5
84739b32b36267ca4ad9458d3fe6aff6

SHA1
57b7394c461b15f600554f57796397f2c65d2886

SHA256
b82cb4c1d7766d8536cd19f3689ae7fd153df43ff5ac78244c1604d0fe96ba00

SHA512
3aa1b092ff14b029386a26fabf095055cd371b21e726bd6a7fc94c2c6145dea151f78faa52e8eee1392d1d840176837a4f1bdc4a327c688fb462917876a324c8

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\acnner tools\20.1.11.06\2012.05.13T21.26\Virtual\STUBEXE\@APPDATALOCAL@\Temp\pruebaconfoto27.exe

Filesize
17KB

MD5
910907d5df7d288d4a8fe0ddadd2f657

SHA1
026caaee980bb16110ac7ba8828354b76dbcd5fe

SHA256
7c9aef0e696b5a7b4c4f942b3dd3ecc0b64239788b32e11d760aa8eb8f9c4aea

SHA512
1035c37f7e7b17d29db89533cdc1b512e6b71e5405e08e69c7cc830da8419e5f8fd61f0d191b2c8bff4c939c0e50ec5fb26a984a62a94c9f235a5c2a7c20af30

Download Submit
\Windows\SysWOW64\Sys\ANUH.006

Filesize
7KB

MD5
dc31755a645defcff561e0c96a13f004

SHA1
19f46782befe3fd743b8b0134bb711fd7b30cb82

SHA256
674997f5cd56e9a013a97fcb4f5848f1aa20825e8f5989d5fb96bd4c32d21704

SHA512
8cd892647011826408d764f6bea0f57317ff5d216d9c31bf9e6ead3329c14653dd2e84e91997f1cded78eca0012936779ee6f22a66c8923ce11ebc5269e1ee4b

Download Submit
\Windows\SysWOW64\Sys\ANUH.exe

Filesize
476KB

MD5
b751c3555cdff47c29334fa53a449a45

SHA1
ea8ae7c80619980f8271d44890ee5ac29febb3fc

SHA256
c8b941cc547d4c79826626619a86852d29a56a70f3369e8bdd419b62e2b167c4

SHA512
ab46e167e94cef76b3fbc3488ecdaa8cec8eff3b4d952cd69a225d2e237842d3f382342bc1226d0a777672361d1ff925582f58ecb8adbd836e4c2c1e3ccf441f

Download Submit
memory/2232-245-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-193-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-18-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-38-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-185-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-218-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-261-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-310-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-10-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-12-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-16-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-8-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-65-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-213-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-312-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-311-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-308-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-299-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-288-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-279-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-272-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-1-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-230-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-210-0x0000000077D80000-0x0000000077D81000-memory.dmp

Filesize
4KB

Download
memory/2232-208-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-205-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-194-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-15-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-62-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-60-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-58-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-56-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-54-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-52-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-50-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-48-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-46-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-44-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-42-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-40-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-36-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-34-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-32-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-30-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-4-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-6-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-2-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-28-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-26-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-24-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-22-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-20-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-959-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2232-0-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads