ardamax | eb7e7372e08dd5300c0b9f85a199e506b6f339a52e5da85fd82e1d8b750c0cd3

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
Size

2.6MB
MD5

4af745ed3e25f9d3c94e76b540186c2c
SHA1

c40e5317a17036ff66436cc94c0a5d58e35efc40
SHA256

eb7e7372e08dd5300c0b9f85a199e506b6f339a52e5da85fd82e1d8b750c0cd3
SHA512

91a4f6423db11afce9010f0acd0ed63bd2f5ad77797fbdae1a71e1f8bb0d0a6d51316f7b4128e7e3242a264197df384f00628e65992e0e17eaa8707fcc4d438a
SSDEEP

49152:CVoq8dRYksIJmy9k4Ke2+oocceUKEMCXSaigwTliohWSwf7qrzbggY:CVoqIRwIXHKeihciCCaivhWTCMgY

Score

10^/10

ardamax bootkit discovery evasion keylogger persistence stealer trojan

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000192a1-11.dat	family_ardamax

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sXe Injected.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sXe Injected.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	system32RFED.exe
2604	sXe Injected.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	sXe Injected.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32RFED Agent = "C:\\Windows\\system32RFED.exe"	system32RFED.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sXe Injected.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	sXe Injected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2604	sXe Injected.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32RFED.exe	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
File created	C:\Windows\system32AKV.exe	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
File created	C:\Windows\system32RFED.009	system32RFED.exe
File opened for modification	C:\Windows\system32RFED.009	system32RFED.exe
File created	C:\Windows\system32RFED.001	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
File created	C:\Windows\system32RFED.006	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
File created	C:\Windows\system32RFED.007	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32RFED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sXe Injected.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2604	sXe Injected.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2780	system32RFED.exe
Token: SeIncBasePriorityPrivilege	2780	system32RFED.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2780	system32RFED.exe
2780	system32RFED.exe
2780	system32RFED.exe
2780	system32RFED.exe
2780	system32RFED.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2780	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2780	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2780	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2780	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2604	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2604	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2604	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2604	2336	4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4af745ed3e25f9d3c94e76b540186c2c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32RFED.exe
  "C:\Windows\system32RFED.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\sXe Injected.exe
  "C:\Users\Admin\AppData\Local\Temp\sXe Injected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sXe Injected.exe

Filesize
2.2MB

MD5
f566a76965f3ae362fda6066700e491b

SHA1
02087ef0353191e3cd741b33717834ee6303d6e6

SHA256
729117801bd446503b23b7f78d4312d458b7b581a1304fa792a1120f0fdcb0b6

SHA512
1fe5e586cd86b0d930f53c8a128963481a9eb728fb4925dba31653b8cb277a55a1b0b2cc48d6ad255e30c8ae835d8e248f148346601c8af3eb61d4dbde1f65e0

Download Submit
C:\Windows\system32RFED.001

Filesize
394B

MD5
8dd882b41779ba03f8f2fe0edeb5c403

SHA1
006f5cddce2c2989b3ad3ffe640e4f7a6ce6b575

SHA256
f22832c0e6a8fb915b060fc0ddcfd6a1e82c155864b7f2b80a1a561dcb0a9ae9

SHA512
aca2db6558e7a5e5e16d3eba4dc550455ca381d58bb1f01bbda6c68fc78f01442ba95bebf72452b6f5244b96c17c2b159ed12d7005d4ea43a32ee2b07f3c2283

Download Submit
C:\Windows\system32RFED.006

Filesize
7KB

MD5
87ccf7eb039971590aac6f254b2c788a

SHA1
3095496ffd364b32cdbe63ba4dd2f477fd848515

SHA256
59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b

SHA512
d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

Download Submit
C:\Windows\system32RFED.007

Filesize
5KB

MD5
81938df0dbfee60828e9ce953bdf62e6

SHA1
b1182a051011e901c17eab2e28727bec8db475fb

SHA256
982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98

SHA512
64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

Download Submit
C:\Windows\system32RFED.exe

Filesize
471KB

MD5
912c55621b4c3f0fb2daef5b4f4f5f4c

SHA1
735701c75569b7563950508afc8948b52e7bf4b2

SHA256
41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0

SHA512
65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

Download Submit
\Users\Admin\AppData\Local\Temp\@2BC2.tmp

Filesize
4KB

MD5
b7ea0bc4bb833ab77dce179f16039c14

SHA1
b05cc205aa6ffc60a5316c1d5d3831def5a60c20

SHA256
e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba

SHA512
5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

Download Submit
memory/2336-27-0x0000000002A20000-0x0000000002A26000-memory.dmp

Filesize
24KB

Download
memory/2336-26-0x0000000002A10000-0x0000000002A16000-memory.dmp

Filesize
24KB

Download
memory/2604-30-0x0000000077C4F000-0x0000000077C50000-memory.dmp

Filesize
4KB

Download
memory/2604-44-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2604-50-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download
memory/2604-47-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download
memory/2604-32-0x0000000077C4F000-0x0000000077C50000-memory.dmp

Filesize
4KB

Download
memory/2604-33-0x0000000077C40000-0x0000000077C42000-memory.dmp

Filesize
8KB

Download
memory/2604-38-0x0000000000401000-0x000000000041F000-memory.dmp

Filesize
120KB

Download
memory/2604-29-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download
memory/2604-45-0x0000000000C20000-0x0000000000C26000-memory.dmp

Filesize
24KB

Download
memory/2604-46-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download
memory/2780-31-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2780-48-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2780-49-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2780-18-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download