ardamax | e9fcaa8f7becfa05cba3449a8b71bbe11f7b12d1188e8ef63c0a60cc2cddd8f1

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
Size

3.9MB
MD5

48bf7b74c394e8fe3defa968f2a79101
SHA1

882690453266998fbb3422bad49a4963de99bc1b
SHA256

e9fcaa8f7becfa05cba3449a8b71bbe11f7b12d1188e8ef63c0a60cc2cddd8f1
SHA512

25c05c168e9893bbc25a4ff3508c83206dac64c419fb06ad0bb22a05da30f723ed9160d2a097c83dab3564fbb9f3f969a8958797e26f56349e3680ab6c8c4fcb
SSDEEP

98304:UTLPcAEERmZnWgRLBsHUh0y6ASJGxOQP4t:ULPp72Wc2HUn6VJGxDAt

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018be7-9.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1892	BYCC.exe
2308	setup-4.5.5.exe
2264	is-N2GS1.tmp

Loads dropped DLL 15 IoCs

pid	Process
2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
1892	BYCC.exe
1892	BYCC.exe
2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
2308	setup-4.5.5.exe
2308	setup-4.5.5.exe
2308	setup-4.5.5.exe
2264	is-N2GS1.tmp
2264	is-N2GS1.tmp
2264	is-N2GS1.tmp
2264	is-N2GS1.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BYCC Agent = "C:\\Windows\\SysWOW64\\28463\\BYCC.exe"	BYCC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	BYCC.exe
File created	C:\Windows\SysWOW64\28463\BYCC.001	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\BYCC.006	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\BYCC.007	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\BYCC.exe	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYCC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-4.5.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-N2GS1.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1892	BYCC.exe
Token: SeIncBasePriorityPrivilege	1892	BYCC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1892	BYCC.exe
1892	BYCC.exe
1892	BYCC.exe
1892	BYCC.exe
1892	BYCC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1892	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1892	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1892	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	30
PID 2248 wrote to memory of 1892	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2308	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2308	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2308	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2308	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2308	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2308	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	31
PID 2248 wrote to memory of 2308	2248	48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2264	2308	setup-4.5.5.exe	32
PID 2308 wrote to memory of 2264	2308	setup-4.5.5.exe	32
PID 2308 wrote to memory of 2264	2308	setup-4.5.5.exe	32
PID 2308 wrote to memory of 2264	2308	setup-4.5.5.exe	32
PID 2308 wrote to memory of 2264	2308	setup-4.5.5.exe	32
PID 2308 wrote to memory of 2264	2308	setup-4.5.5.exe	32
PID 2308 wrote to memory of 2264	2308	setup-4.5.5.exe	32

C:\Users\Admin\AppData\Local\Temp\48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48bf7b74c394e8fe3defa968f2a79101_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\28463\BYCC.exe
  "C:\Windows\system32\28463\BYCC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\setup-4.5.5.exe
  "C:\Users\Admin\AppData\Local\Temp\setup-4.5.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\is-4KJBS.tmp\is-N2GS1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4KJBS.tmp\is-N2GS1.tmp" /SL4 $50146 "C:\Users\Admin\AppData\Local\Temp\setup-4.5.5.exe" 3287156 52736
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\BYCC.001

Filesize
586B

MD5
ef6d3c2c2e6694650ab31572e59d3563

SHA1
0999dad4a57f57ec6406d2a4207ca5093aa893df

SHA256
dbb6d01bb6f1d9660112ec89d6afeae6d2914a8e2472d505f033df2f6922f63e

SHA512
e94ec9fe39e0c8bf5d5a275d089cf087413a8839a533d489b2f14903415a22a083763fca2082bef6dde49aa368c53e0d91cdbb97068b801edd4a2d3c175cb4fb

Download Submit
C:\Windows\SysWOW64\28463\BYCC.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
C:\Windows\SysWOW64\28463\BYCC.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
\Users\Admin\AppData\Local\Temp\@C439.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
\Users\Admin\AppData\Local\Temp\is-4KJBS.tmp\is-N2GS1.tmp

Filesize
657KB

MD5
3dafb498bb15d5260cb2c12b391a0d48

SHA1
c775ae9fdf18ab0ce38a8adffabe378f461e79a1

SHA256
c5d5f5f814c5bc4989d691442051e5e78cf1971eb9b773a7a26b438e58a73d7a

SHA512
a42f39a73bd4615490c6e33c017fa09f9992e3327d244b050b6634ad696d421170fd63ec5d5e66e92d112dc804eabd0bcd56494c9499d78fad8b46fe2ef32a31

Download Submit
\Users\Admin\AppData\Local\Temp\is-VHJIK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\setup-4.5.5.exe

Filesize
3.4MB

MD5
7e77cf49ee9736fdced1fa7ecf8c021f

SHA1
c2b2ab8622d31bf1c8daa9c5de492b05a6f0b6c4

SHA256
b406ab299e3db5c4456ca10de6a56693b2e05905801a195473d45defe316e57a

SHA512
72337404d9b764fdf181911758ae0fdfdc2fa9173f424c0c572f3a1e810bc3d538fef1a4f127815667b45aba3cc6294c5703f11e9a34164d482bd3594f3a6a8d

Download Submit
\Windows\SysWOW64\28463\BYCC.exe

Filesize
472KB

MD5
7ca78f42e7c88f01fb7fd88321b283ff

SHA1
8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

SHA256
2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

SHA512
06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

Download Submit
memory/1892-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1892-51-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2248-35-0x000000007765F000-0x0000000077660000-memory.dmp

Filesize
4KB

Download
memory/2264-65-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-71-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-87-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-85-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-61-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-63-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-83-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-67-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-69-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-81-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-73-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-75-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-77-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2264-79-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2308-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2308-37-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2308-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2308-36-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads