ardamax | a62f325139cbfa63063824173e01eeaf31b83a785ab0e30efe414665bd32aa11

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
Size

390KB
MD5

1b353bf884852c093cc15a9e5bf88ba1
SHA1

7d5278583e8cacfd1624619282cc02a2aedb861d
SHA256

a62f325139cbfa63063824173e01eeaf31b83a785ab0e30efe414665bd32aa11
SHA512

95bc604cf94a807a7648c97cb3c6df99b9e6ad126cdcf185ccb02b6cecb9769fc27b0b88210819f157ba83235dccd3458ea0e9cf5f229d93de4ff486c123890f
SSDEEP

12288:2/4zdlKlLDDeS+OGYI9RMooXhdnsN60juQ3:FnKlKAGFTMa6PQ3

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016101-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2904	GOVN.exe
2620	Elfbot Scripts.exe

Loads dropped DLL 10 IoCs

pid	Process
2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
2904	GOVN.exe
2904	GOVN.exe
2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
2620	Elfbot Scripts.exe
2620	Elfbot Scripts.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GOVN Agent = "C:\\Windows\\SysWOW64\\28463\\GOVN.exe"	GOVN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\__tmp_rar_sfx_access_check_259423578	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\YalaElves with depos.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\[Knight] Mutated Shit v25.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\[EK]Port_Hupe_crocodiles2.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\EdronTroll-Perfect.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\North Port Hope (Mage).elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Pirates Yalahar.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\tortoise.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\yalahar cemetery undeads right .elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Yalahar Elfs.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Rot-LB -3 +Dep.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Dworcs knight.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Edron goblins -1 and -2.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Fenrock Tortoises Pally.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Goblins.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\PH Tortoise + Depot walker.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\port hope swamp trolls.wpt	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Cycpolis with deposit	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\port hope swamp trolls.wpt	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Rot-LB -2 -3.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Yalahar Cemetery Undeads.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\PH.SMUGGLERS.wpt	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Rot-LB -2 -3.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\rots.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\tyrsung -1 -2 -3.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Yalahar Cemetery Undeads.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\[Knight] Mutated Shit v6.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Dworcs.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\laguna-d.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\LagunaDepositer.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Edron trolls.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Goblins-1only.wpt	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\wolfs - rookgaard.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Pirates Yalahar.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Pirates.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Rook v1.9.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Rot LB.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\peninsula tomb -2 depositer+royal spear(2).elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\stone tomb -2 depositer + spear.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Blessings.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Cycpolis with deposit targeting.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\EdronTroll-Perfect2.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\tyrsung.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Water Elemental Pro v 6.0.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\yalahar pirate by jah.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Rot-LB -3.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\specialrots2.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Crocodiles - Port Hope - Task - Paladin.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Fenrock Tortoises.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\peninsula tomb -2 depositer+royal spear(2).elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\peninsula tomb -2 depositer+royal spear.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Port Hope (Mage).elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Postman.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Dworcs Knight.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\EdronTroll-Perfect2.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\laguna-d.elft	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Rook.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\YalaElves with depos.elfc	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\[EK]Port_Hupe_crocodiles2.elfc	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\Cycpolis with deposit	Elfbot Scripts.exe
File created	C:\Windows\SysWOW64\28463\Elfbot Scripts\edron goblin done.wpt	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\Pirates.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\tyrsung.elft	Elfbot Scripts.exe
File opened for modification	C:\Windows\SysWOW64\28463\Elfbot Scripts\yalahar pirate by jah.elft	Elfbot Scripts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elfbot Scripts.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	Elfbot Scripts.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2904	GOVN.exe
Token: SeIncBasePriorityPrivilege	2904	GOVN.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2904	GOVN.exe
2904	GOVN.exe
2904	GOVN.exe
2904	GOVN.exe
2904	GOVN.exe
2620	Elfbot Scripts.exe
2620	Elfbot Scripts.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2904	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2904	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2904	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2904	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	30
PID 2896 wrote to memory of 2620	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	31
PID 2896 wrote to memory of 2620	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	31
PID 2896 wrote to memory of 2620	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	31
PID 2896 wrote to memory of 2620	2896	1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b353bf884852c093cc15a9e5bf88ba1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\28463\GOVN.exe
  "C:\Windows\system32\28463\GOVN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\Elfbot Scripts.exe
  "C:\Users\Admin\AppData\Local\Temp\Elfbot Scripts.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\GOVN.001

Filesize
392B

MD5
9c51088174085d3e12a0f8abcfb267ac

SHA1
533a791b8efa8d235e6af3f19fdc02767aee0612

SHA256
012f18324590cc0a475143a3a219c7b4d6ce349c40607da9c4173da54d7d714a

SHA512
ac653b78d52e3a81fca43c0e7f0c46a2e046ec4ab56e130c8b176a839da72f444b12dfae61d8e7d5e42f925554d41b58358cc7bdc05ff70a2f48f3bf506f3eea

Download Submit
C:\Windows\SysWOW64\28463\GOVN.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
C:\Windows\SysWOW64\28463\GOVN.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
\Users\Admin\AppData\Local\Temp\@6171.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
\Users\Admin\AppData\Local\Temp\Elfbot Scripts.exe

Filesize
164KB

MD5
090f3f53d08fbd780f3f74c7b5f93391

SHA1
cb5f9a49c668e65a0c38d128b26358f3cda2d9fa

SHA256
949a04e62bfdbd4465e534a2c863a91eba59e376ef7450f6852ab1ac62d5540d

SHA512
8b056e6e7989ba9c38f76aaa825011eefc2c862fc8ee90516703157f2c6131adb3d7ccde8c8b92cc0ab87d0180d72de5e1d331c7c04347cf04d66face2c4ecaa

Download Submit
\Windows\SysWOW64\28463\GOVN.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
memory/2620-37-0x0000000076FEF000-0x0000000076FF0000-memory.dmp

Filesize
4KB

Download
memory/2620-36-0x0000000076FEF000-0x0000000076FF0000-memory.dmp

Filesize
4KB

Download
memory/2620-193-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2896-32-0x0000000076FEF000-0x0000000076FF0000-memory.dmp

Filesize
4KB

Download
memory/2904-21-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2904-48-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads