ardamax | 09b682f6d836616919f565a99391abdf9986b1a0ebbc744628deb5fc3e7f40b2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
Size

646KB
MD5

2f1a8f822eef7aebec580f2bf5f66555
SHA1

a4b2173f8bbe11d92dc6534f760ff13d77f4dd8b
SHA256

09b682f6d836616919f565a99391abdf9986b1a0ebbc744628deb5fc3e7f40b2
SHA512

ccb899b5137d822d44b801b51d2399bc655af652438c230f4ef132d8c0ea9a985d41598b76f909ce8824134f16302bc8737cc8657b1b1c6de373c622ff4d9e8e
SSDEEP

12288:0DKZvj+2l3i6Vp+jtUvApvQS6FMlAEVpcWcsWApN63SdEmmfsH:QmpllVeqs4mbam6iSmf

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001926c-35.dat	family_ardamax

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	Exporer32.exe
2716	HHVK.exe

Loads dropped DLL 7 IoCs

pid	Process
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1964	Exporer32.exe
1964	Exporer32.exe
1964	Exporer32.exe
2716	HHVK.exe
2716	HHVK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HHVK Agent = "C:\\Windows\\SysWOW64\\28463\\HHVK.exe"	HHVK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\HHVK.001	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\HHVK.006	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\HHVK.007	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\HHVK.exe	Exporer32.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Exporer32.exe
File opened for modification	C:\Windows\SysWOW64\28463	HHVK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HHVK.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2716	HHVK.exe
Token: SeIncBasePriorityPrivilege	2716	HHVK.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
2716	HHVK.exe
2716	HHVK.exe
2716	HHVK.exe
2716	HHVK.exe
2716	HHVK.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1964	1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1964	1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1964	1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1964	1924	2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2716	1964	Exporer32.exe	31
PID 1964 wrote to memory of 2716	1964	Exporer32.exe	31
PID 1964 wrote to memory of 2716	1964	Exporer32.exe	31
PID 1964 wrote to memory of 2716	1964	Exporer32.exe	31

C:\Users\Admin\AppData\Local\Temp\2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f1a8f822eef7aebec580f2bf5f66555_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\28463\HHVK.exe
    "C:\Windows\system32\28463\HHVK.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pcgdemo\PCGWIN32.LI4

Filesize
528B

MD5
8a7cc28c282ec086c34a2c6c04157683

SHA1
653e529f9fd518e0f66dbed78e2142632193a72b

SHA256
74e75a8be24fb66195e6a25fb6773718c533b12d0489d1cad45ca4b7d8bd471b

SHA512
5495b6e196d8990a82fa32662ee22521d23fe4e3dbfcd47f8cb327847fba8068b852055599eb20ecfeaa8c04fd1ff283010cca0dcb4028db9a59c6fdafb43d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
478KB

MD5
249e2adb3fbdb5c8124ffb674ebd5cf6

SHA1
42189b1b77ac8c17c736829530d59b84d0c64b4c

SHA256
73f5e71c835f94eef3c673cbe433030df3eab702ccadf83a8432c47d7d506736

SHA512
c976d72c1becba3bb7e05784eb6006fe1a85f6cca434790ccbd6951bdb24a51d5bc968c3bd5a930a0f71122eb913ada77e1e2b6b7431863d70e28fca2ef88046

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
1e13f68fd4258a545d262c77e38c76cd

SHA1
b8f6710c83e52ad354d8763a1b51293ee5758956

SHA256
d7785409d6e2512d9d907670f79b313192a85138707c6ca0cc59a71f8fd6a247

SHA512
938880407818a1489ecb9911cf05d4c9b69ecb2e0f908c3d3b8ba87b8c437ae16916e46bdf780bba24c38ad2c3981a5dcd4d3acd8ea227ac4dced12f1ca21eb3

Download Submit
C:\Windows\SysWOW64\28463\HHVK.001

Filesize
362B

MD5
01d274d845bb3bf62bfb2d6b7b1b46ce

SHA1
ef5689efb9c80f1af0143f3b77a70a07ce31457f

SHA256
ff8d2b9dac894b7356a5ddcf3e19412e448a67bec0c116f4d9dfdb0aaf635ee3

SHA512
7672201daa322993ca41335100bdd60e401270100b6f31ac921f362794e94b806ea61c6a4a3718d216719b14145bc6b14a30f5f1e8a025f8be32778c82df07ce

Download Submit
C:\Windows\SysWOW64\28463\HHVK.006

Filesize
7KB

MD5
46e0f5831dfe24c3105ef20190c5f0d7

SHA1
dbd701062695f9df971bffc1fa433eb18ef61727

SHA256
d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

SHA512
3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

Download Submit
C:\Windows\SysWOW64\28463\HHVK.007

Filesize
5KB

MD5
70c68ec7e4e7f18abf35d47976a47f0f

SHA1
f1263f67e712760e055833d3030ed4583611ad6f

SHA256
cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

SHA512
80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

Download Submit
\Users\Admin\AppData\Local\Temp\@AD21.tmp

Filesize
4KB

MD5
a33680859a24229dc931c0e8a82ae84a

SHA1
dff1e7e7160ffbfaae221cd3a85de40722fddde6

SHA256
d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

SHA512
a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

Download Submit
\Windows\SysWOW64\28463\HHVK.exe

Filesize
471KB

MD5
328ef8c28309203cfbe5655274d5ea48

SHA1
403399787e94f7d4e3c8e237e25399263e9f4047

SHA256
0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

SHA512
93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

Download Submit
memory/1924-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1924-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1924-33-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1924-1-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/2716-50-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2716-53-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download