ardamax | 19db7102c31302f10d02116d3656183b02604b821cbd18efa456c9191d11f190

Analysis

max time kernel
148s
max time network
22s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe
Size

553KB
MD5

4399d5c5913aef60bc2245669f36b7b1
SHA1

edc091624e7928d45b9a5f6a1d75576e02e686dd
SHA256

19db7102c31302f10d02116d3656183b02604b821cbd18efa456c9191d11f190
SHA512

1c71288cead4d78ea735dc3fade8cbcfe7fea08106fe16bf350f1b5edccdbe72c8911ae8b83b295655a10cc1a8f186f3f063347d62178c20881148d7fa71a322
SSDEEP

12288:phaCEJNB7Yn82wZIASOK50GcL1CSZcBuOzdsudtax/wqmhdcydK1F5:pwCINBMHwZIHOGM1ChhNfaxb0pKR

Score

10^/10

ardamax bootkit discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000018bf3-38.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
988	setup.exe.exe
2836	2139246.exe
2916	NIH.exe
2812	aimb0Yd.exe

Loads dropped DLL 26 IoCs

pid	Process
672	cmd.exe
988	setup.exe.exe
988	setup.exe.exe
988	setup.exe.exe
988	setup.exe.exe
988	setup.exe.exe
2836	2139246.exe
2836	2139246.exe
2836	2139246.exe
2836	2139246.exe
2836	2139246.exe
2836	2139246.exe
2916	NIH.exe
2916	NIH.exe
2916	NIH.exe
2836	2139246.exe
2836	2139246.exe
2812	aimb0Yd.exe
2812	aimb0Yd.exe
2812	aimb0Yd.exe
2916	NIH.exe
2812	aimb0Yd.exe
2916	NIH.exe
2812	aimb0Yd.exe
2656	DllHost.exe
988	setup.exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aimb0Yd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NIH.006	2139246.exe
File created	C:\Windows\SysWOW64\NIH.007	2139246.exe
File created	C:\Windows\SysWOW64\NIH.exe	2139246.exe
File created	C:\Windows\SysWOW64\NIH.001	2139246.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NIH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aimb0Yd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2139246.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NIH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2916	NIH.exe
Token: SeIncBasePriorityPrivilege	2916	NIH.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	DllHost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
988	setup.exe.exe
2916	NIH.exe
2812	aimb0Yd.exe
2916	NIH.exe
2916	NIH.exe
2916	NIH.exe
2656	DllHost.exe
2656	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 672	1744	4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe	29
PID 1744 wrote to memory of 672	1744	4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe	29
PID 1744 wrote to memory of 672	1744	4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe	29
PID 1744 wrote to memory of 672	1744	4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe	29
PID 672 wrote to memory of 988	672	cmd.exe	31
PID 672 wrote to memory of 988	672	cmd.exe	31
PID 672 wrote to memory of 988	672	cmd.exe	31
PID 672 wrote to memory of 988	672	cmd.exe	31
PID 672 wrote to memory of 988	672	cmd.exe	31
PID 672 wrote to memory of 988	672	cmd.exe	31
PID 672 wrote to memory of 988	672	cmd.exe	31
PID 988 wrote to memory of 2836	988	setup.exe.exe	32
PID 988 wrote to memory of 2836	988	setup.exe.exe	32
PID 988 wrote to memory of 2836	988	setup.exe.exe	32
PID 988 wrote to memory of 2836	988	setup.exe.exe	32
PID 988 wrote to memory of 2836	988	setup.exe.exe	32
PID 988 wrote to memory of 2836	988	setup.exe.exe	32
PID 988 wrote to memory of 2836	988	setup.exe.exe	32
PID 2836 wrote to memory of 2916	2836	2139246.exe	33
PID 2836 wrote to memory of 2916	2836	2139246.exe	33
PID 2836 wrote to memory of 2916	2836	2139246.exe	33
PID 2836 wrote to memory of 2916	2836	2139246.exe	33
PID 2836 wrote to memory of 2916	2836	2139246.exe	33
PID 2836 wrote to memory of 2916	2836	2139246.exe	33
PID 2836 wrote to memory of 2916	2836	2139246.exe	33
PID 2836 wrote to memory of 2812	2836	2139246.exe	34
PID 2836 wrote to memory of 2812	2836	2139246.exe	34
PID 2836 wrote to memory of 2812	2836	2139246.exe	34
PID 2836 wrote to memory of 2812	2836	2139246.exe	34
PID 2836 wrote to memory of 2812	2836	2139246.exe	34
PID 2836 wrote to memory of 2812	2836	2139246.exe	34
PID 2836 wrote to memory of 2812	2836	2139246.exe	34

C:\Users\Admin\AppData\Local\Temp\4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4399d5c5913aef60bc2245669f36b7b1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt5625.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\setup.exe.exe
    setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\2139246.exe
      "C:\Users\Admin\AppData\Local\Temp\2139246.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\NIH.exe
        
        "C:\Windows\system32\NIH.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8364178.jpg

Filesize
30KB

MD5
49bdb63db3828eb03c2580b2bba754d5

SHA1
55a44475ccf301dc4bf74f77f36ebf6563f5a32a

SHA256
1c4b2d6256137ca626107ef4a20d4fe120b15c190e29094a8310853b54cfc186

SHA512
a71ac706b0dc8de04d53f13e924ff3eeb37e141152be03a4d898fd1a91596a24b7d9129a57dc73fa5da1b47d7e65161881e8dbd357d4656911616800dcf3ac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe

Filesize
213KB

MD5
876a61a3cd4c2fd90eb4d78a3f6c3eb8

SHA1
23b6f19f7d50f9025e7e870ab71e0e98090a0870

SHA256
0eb717a3ade04361acf91d7298fa545071983f428eb8ef3a012cb89f63045a5f

SHA512
f6807249ee72d0b5048ef53ea9881708230ed178a26750a2ad0ad58928b4770c4cc0c4285dd3c1bcc4cdd0a889edcbee8658d9ffa65f831494ea77427fd79ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt5625.bat

Filesize
54B

MD5
fdff9afa334dff40aee26e75f5dec8a1

SHA1
228e95eeecab9dce4402b24e18a256813c250dbc

SHA256
8a7a48c2cb589b60e920926b6ae0383d13677715b73686834d55b518b1a2849c

SHA512
12df0fe63837818ec5163e08439369efe6ca25bec7113be11430732d208000a8f40cda79a63be3f6605768895e70b29d4511a9936d1d501d4d27253dff45e0c6

Download Submit
C:\Windows\SysWOW64\NIH.001

Filesize
2KB

MD5
abe1ed4b26798069d1c28f8f1b8d8b7d

SHA1
83c2f8de213866740dc6ed6a11a27e3c50a8d5bc

SHA256
f395e35395efb1a3be72850f27f8d701a6dba118987f9779bf0a6df77f2e3924

SHA512
de63ce8a7f5fe03815fd6313860eaf03c0240505282ae452ab0ae61422950f1f8f89c0ab0552e15b2d04fd3e81026f1675c13c08949e1aac32dc07f8706a4b06

Download Submit
\Users\Admin\AppData\Local\Temp\2139246.exe

Filesize
378KB

MD5
0dc17f724007acda1ca2f36d1be745d5

SHA1
312b8319e2c2e1040447136865d26d68d9c3d8b2

SHA256
cff7d83527fc620cf1424d28b5670719a8fe2687cade5e14e9a05434407f0840

SHA512
896c18db0807ca4daf70d7299dbcdbf14b184295593c921d879fa5f281115f09fb16fe16a380348b86587fc7545e8b4b1a67e15063a9b263c463bfa6301326bf

Download Submit
\Users\Admin\AppData\Local\Temp\@6C4.tmp

Filesize
4KB

MD5
3e52aef4a9e1bbf25dc611e0f5c45934

SHA1
91862bee5ac57eb719cf9bc14c69f9ef5affcbbf

SHA256
1b881b4299a8555f785088bd0e1b6969e76dc470f1f67429678a678c5f8b349d

SHA512
e4bc9fab4d1c555a896936927ff5866634885401a41f2eade5a976311dad3cdc40c0c7229c61925a8b32ae7b69c4c99537dc10baf292375a82a885a7a908a807

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe.exe

Filesize
429KB

MD5
26e73604896ab321d6c8f3439f7c06d6

SHA1
c07b53562f470149ee90f114933aafb9c05c4122

SHA256
7756976b7f34c5a43308f4716e4414e5bd301cc20d04156a73a45f01d56ad8ae

SHA512
ebee06050208e4431fe97bd46c4a1e91cf516d18f23c2110cc534a223bdd01f5617bf0d368927617c9f44c952b4fe34d83bca33b679f08ebabbae2411e94cfaa

Download Submit
\Windows\SysWOW64\NIH.006

Filesize
5KB

MD5
e98ae645054f00269eaad44b95c4e37c

SHA1
59bcfb291cb15f521e6e5982c12913052b5755b1

SHA256
028e4ef0ed6a7d9792ad2694c56b41ba247e72ef690089142c47bb6e1a693221

SHA512
ae4b1316c9785623944a0bc1884648f1382f3f8fb494927e7c872a72b0786fb5a1d090ebc2d5e468b91c8eef7663b43f73be4a1f65f7d8dd9bdaa6dfc694a35e

Download Submit
\Windows\SysWOW64\NIH.007

Filesize
4KB

MD5
ea32497496dd6b80be1c47fe5fac1fcf

SHA1
2bf9bee8e0f83b6785188a91047695ebcdf342da

SHA256
370a94fec91220668a370c2dcd0d2ac10c3f0a1d1befc7fee50db6f5e0b99676

SHA512
353d11071b695fe23080bc6d5cb5dc557b59b152b42921daec6f4124f9e8bb58555ac30c5ec96dae31871ff3d2416e91690b5f862d4feb5e7b038a996c8a1ff3

Download Submit
\Windows\SysWOW64\NIH.exe

Filesize
295KB

MD5
decf3769c920a9b642f56e24933cdf81

SHA1
930ddaf6b310fa2b3569580ff671e91d80b8b11b

SHA256
46a451f14816a0dc46d392158d1507f5806fe76e9fc9f0080d00d0b3dd26183b

SHA512
2807345e5ae0438c0bd41c3d0b6b09e3d1c04d0397e5e990d614125a14b6100de3c3f5bebab168f5654d6823eef5dbfd5a878aa0de64eec13bb546c8c32b8cb2

Download Submit
memory/988-78-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/1744-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2656-79-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download
memory/2812-62-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2812-67-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/2812-68-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/2812-82-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2812-84-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2836-59-0x0000000002A50000-0x0000000002A97000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads