ardamax | e2ee2bfb5ff49cab23e9ead4ea71b532f3b41574ab19538974d2a4bccae727c7

Analysis

max time kernel
142s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd75fd7ec149fcc7ccb3bb634fe076c_JaffaCakes118.exe
Size

2.3MB
MD5

1bd75fd7ec149fcc7ccb3bb634fe076c
SHA1

45a77430927619025e60d2c352a701f62501753d
SHA256

e2ee2bfb5ff49cab23e9ead4ea71b532f3b41574ab19538974d2a4bccae727c7
SHA512

7b5686b067d02013245bfb1a7e07f922ba4faa01d93671b83971e2e2626d1355eb8bcf0cd6fe52237144ef853e2fda7e402f5e3d4ae85b161e1f83654a59c0f4
SSDEEP

49152:ijpL8sc5VaDv9EzHMEcLPsWKyWQZirzq16cYiO:6pLeAGzsEcLPsWDWQfUcD

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233a8-40.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	tmps.execu
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	1bd75fd7ec149fcc7ccb3bb634fe076c_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2564	Install.exe
5040	tmps.execu
1108	OIWD.exe

Loads dropped DLL 4 IoCs

pid	Process
5040	tmps.execu
1108	OIWD.exe
1108	OIWD.exe
1108	OIWD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OIWD Agent = "C:\\Windows\\SysWOW64\\28463\\OIWD.exe"	OIWD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	OIWD.exe
File opened for modification	C:\Windows\SysWOW64\tmps.execu	Install.exe
File created	C:\Windows\SysWOW64\28463\OIWD.001	tmps.execu
File created	C:\Windows\SysWOW64\28463\OIWD.006	tmps.execu
File created	C:\Windows\SysWOW64\28463\OIWD.007	tmps.execu
File created	C:\Windows\SysWOW64\28463\OIWD.exe	tmps.execu
File created	C:\Windows\SysWOW64\28463\key.bin	tmps.execu

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmps.execu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OIWD.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\0\	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\InprocServer32\ = "%SystemRoot%\\SysWow64\\MsRdpWebAccess.dll"	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\ = "Microsoft IMAPI2 Base Functionality"	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\ = "Baceb Ovepa Igipa"	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\InprocServer32	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\VersionIndependentProgID\ = "MsRdpWebAccess.MsRdpClientShell"	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\Content Type = "application/x-msdownload"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\TypeLib\ = "{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}"	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\FLAGS\	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\PresistentHandler	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\ = "exefile"	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\ProgID\	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\imapi2.dll"	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\FLAGS	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\0\win64	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\TypeLib\	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\VersionIndependentProgID\	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu	Install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\PresistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\ProgID	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\TypeLib	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\VersionIndependentProgID	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\ProgID\ = "MsRdpWebAccess.MsRdpClientShell.1"	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\Programmable\	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\0\win64\	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\InprocServer32\	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7BD676F-6F0A-47A7-F087-157A3DE2EEBA}\Programmable	OIWD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\0	OIWD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7D34F1F1-790D-658F-8E7B-5A6C3CB5C4DB}\1.0\FLAGS\ = "0"	OIWD.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1108	OIWD.exe
Token: SeIncBasePriorityPrivilege	1108	OIWD.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2564	Install.exe
1108	OIWD.exe
1108	OIWD.exe
1108	OIWD.exe
1108	OIWD.exe
1108	OIWD.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 2564	3416	1bd75fd7ec149fcc7ccb3bb634fe076c_JaffaCakes118.exe	81
PID 3416 wrote to memory of 2564	3416	1bd75fd7ec149fcc7ccb3bb634fe076c_JaffaCakes118.exe	81
PID 3416 wrote to memory of 2564	3416	1bd75fd7ec149fcc7ccb3bb634fe076c_JaffaCakes118.exe	81
PID 2564 wrote to memory of 5040	2564	Install.exe	82
PID 2564 wrote to memory of 5040	2564	Install.exe	82
PID 2564 wrote to memory of 5040	2564	Install.exe	82
PID 5040 wrote to memory of 1108	5040	tmps.execu	84
PID 5040 wrote to memory of 1108	5040	tmps.execu	84
PID 5040 wrote to memory of 1108	5040	tmps.execu	84

C:\Users\Admin\AppData\Local\Temp\1bd75fd7ec149fcc7ccb3bb634fe076c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bd75fd7ec149fcc7ccb3bb634fe076c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\tmps.execu
    "C:\Windows\system32\tmps.execu"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\SysWOW64\28463\OIWD.exe
      "C:\Windows\system32\28463\OIWD.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@DCB4.tmp

Filesize
4KB

MD5
557e0039dc13a0453af7ca9373a0d301

SHA1
50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

SHA256
54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

SHA512
d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
621KB

MD5
71e10203bf0a54122ddb67691226e03f

SHA1
f5e882f48350559b3be1a1cff3913fbd0a387a84

SHA256
6cf9c5cdc6800ebcad06af0669d198a408cee0983f89109237877a49dac4c464

SHA512
ed699a9a1900a00c8374edfe32acbfe8a951befcb5b780af3e4e19d52b02d8c1e76dd999f990eca3dfec986dcc84254a7fa10fe19cb18d9691d701c0f32618d0

Download Submit
C:\Windows\SysWOW64\28463\OIWD.001

Filesize
424B

MD5
bd25dc3bf5d4acb144fdd93d0f6538e6

SHA1
cab829a192f48967400b0a4832317d2802f72cec

SHA256
c9a2f6734984686df1df2d0b68bd38b9fb131e04dd87a3d810398e2f762c025b

SHA512
760111ad7d5fc5327c3478b8b7c7db49834e09628c926c7173983a67d8e72c359ea10c3d0011b0eea40b5ec5ced7fde03652dc93b7f661cc64ce0b222511fc81

Download Submit
C:\Windows\SysWOW64\28463\OIWD.006

Filesize
8KB

MD5
5153b016d36928c296131c5c8e669446

SHA1
c444f61a2dc49ede6a2325f26d76af66de5989d2

SHA256
4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59

SHA512
c9084ff30f1f023b1f9cd00dc66cdbf846e95993093163c3e71a13535ccfc79d59be5b28a78ccfa6b0a82389b08b157676d71a9ccca2c170369080feac386f09

Download Submit
C:\Windows\SysWOW64\28463\OIWD.007

Filesize
5KB

MD5
80bbc7ace13d97396bd7b1abbaf4008b

SHA1
d013c0def603915675b1e0ce5877d413cdaf6523

SHA256
18dbfb27d4b10501e8426db1a78df8247f6570656d183f78b061d7db4c7865ae

SHA512
bc7afd0e730f432852d374812827077574181928aa97c25d8170ce1b766677383360bf2bb21afc51e8168eb3f6539ce8499c4002d86190f27d4836da3f907919

Download Submit
C:\Windows\SysWOW64\28463\OIWD.exe

Filesize
648KB

MD5
5530832fa82582288ce640f73a4915a0

SHA1
c40673ed59a61dd3b39f8ed6d0e1345838d98e44

SHA256
6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

SHA512
ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
C:\Windows\SysWOW64\tmps.execu

Filesize
565KB

MD5
dac9665b52486ef753a2a49bfbc89b80

SHA1
2f422f290460ac996d2e818112398b9ed1046c6d

SHA256
75e990edf6d62b8df92f145c41c7419a760d1c8e3d5df8263315eacd3dd802bb

SHA512
389b13e8b80d433270f7ab547f58091d01879776d93dbfca7525bc8d15f6967e7ab2a57debcff9d4beb99f79ebbe08d0dfb101346b00a239aa770ff9c07eb429

Download Submit
memory/1108-47-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1108-56-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1108-59-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3416-7-0x000000001C110000-0x000000001C15C000-memory.dmp

Filesize
304KB

Download
memory/3416-20-0x00007FFD089D0000-0x00007FFD09371000-memory.dmp

Filesize
9.6MB

Download
memory/3416-0-0x00007FFD08C85000-0x00007FFD08C86000-memory.dmp

Filesize
4KB

Download
memory/3416-6-0x0000000001020000-0x0000000001028000-memory.dmp

Filesize
32KB

Download
memory/3416-5-0x000000001BFB0000-0x000000001C04C000-memory.dmp

Filesize
624KB

Download
memory/3416-4-0x00007FFD089D0000-0x00007FFD09371000-memory.dmp

Filesize
9.6MB

Download
memory/3416-3-0x000000001B9C0000-0x000000001BE8E000-memory.dmp

Filesize
4.8MB

Download
memory/3416-2-0x00007FFD089D0000-0x00007FFD09371000-memory.dmp

Filesize
9.6MB

Download
memory/3416-1-0x000000001B420000-0x000000001B4C6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads