ardamax | cc0a3343554853f0ca889e0a299a3d05c4dbe8652d949ad6207bcd1eea3fdc61

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe
Size

1.2MB
MD5

55fab8d5095780e3164196fdbe273ab3
SHA1

4f7bbd00ba02f74f11edf9fe69c743f79344f988
SHA256

cc0a3343554853f0ca889e0a299a3d05c4dbe8652d949ad6207bcd1eea3fdc61
SHA512

4484a261a7eb4c709abc2429172aaaf7e7d3015bbd4c7b2c584f3b2a07d781ab529670b03a2870239b6cef98b5ca64970e4c9e7b40a18ec66835bebbbafeaa5c
SSDEEP

24576:bzjD9iLvEpdbZ+FbaMH/xTJdbMkLTYi4hlRUnuOk819TL4ndGW1I:bzPtjZwl/WkLc1Udd

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
facebooliker

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b91-45.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Auto Facebook Liker Unliker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Enemies Of Islam.exe

Executes dropped EXE 4 IoCs

pid	Process
1284	Auto Facebook Liker Unliker.exe
3716	Enemies Of Islam.exe
5000	Facebook Bot Like Unlike.exe
4460	EGRK.exe

Loads dropped DLL 3 IoCs

pid	Process
3716	Enemies Of Islam.exe
4460	EGRK.exe
5052	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EGRK Agent = "C:\\Windows\\SysWOW64\\Sys32\\EGRK.exe"	EGRK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\EGRK.001	Enemies Of Islam.exe
File created	C:\Windows\SysWOW64\Sys32\EGRK.006	Enemies Of Islam.exe
File created	C:\Windows\SysWOW64\Sys32\EGRK.007	Enemies Of Islam.exe
File created	C:\Windows\SysWOW64\Sys32\EGRK.exe	Enemies Of Islam.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	Enemies Of Islam.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	EGRK.exe
File created	C:\Windows\SysWOW64\Sys32\EGRK.009	EGRK.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\EGRK.009	EGRK.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Facebook Liker Unliker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemies Of Islam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGRK.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4460	EGRK.exe
Token: SeIncBasePriorityPrivilege	4460	EGRK.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4460	EGRK.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4460	EGRK.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4460	EGRK.exe
4460	EGRK.exe
4460	EGRK.exe
4460	EGRK.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1284	5052	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe	87
PID 5052 wrote to memory of 1284	5052	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe	87
PID 5052 wrote to memory of 1284	5052	55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe	87
PID 1284 wrote to memory of 3716	1284	Auto Facebook Liker Unliker.exe	88
PID 1284 wrote to memory of 3716	1284	Auto Facebook Liker Unliker.exe	88
PID 1284 wrote to memory of 3716	1284	Auto Facebook Liker Unliker.exe	88
PID 1284 wrote to memory of 5000	1284	Auto Facebook Liker Unliker.exe	89
PID 1284 wrote to memory of 5000	1284	Auto Facebook Liker Unliker.exe	89
PID 3716 wrote to memory of 4460	3716	Enemies Of Islam.exe	90
PID 3716 wrote to memory of 4460	3716	Enemies Of Islam.exe	90
PID 3716 wrote to memory of 4460	3716	Enemies Of Islam.exe	90

C:\Users\Admin\AppData\Local\Temp\55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55fab8d5095780e3164196fdbe273ab3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\Auto Facebook Liker Unliker.exe
  "C:\Users\Admin\AppData\Local\Temp\Auto Facebook Liker Unliker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\Enemies Of Islam.exe
    "C:\Users\Admin\AppData\Local\Temp\Enemies Of Islam.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\SysWOW64\Sys32\EGRK.exe
      "C:\Windows\system32\Sys32\EGRK.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4460
- - C:\Users\Admin\AppData\Local\Temp\Facebook Bot Like Unlike.exe
    "C:\Users\Admin\AppData\Local\Temp\Facebook Bot Like Unlike.exe"
    3⤵
    - Executes dropped EXE
    PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@7A21.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auto Facebook Liker Unliker.exe

Filesize
890KB

MD5
2b4e4dd7496b57e7afaa69d4649c4378

SHA1
285add7949b6ecc4b62b484d55d8617409307347

SHA256
f8a10f4d13b3956bd3db01e9c5cceb7072526722e052e7008af00d8771de30f4

SHA512
05d4a55c018914a80ccf19db7abe5696fc3d85f0593095267845999e6cdb1b84d4d452ccda58b54d0e845d364de226e1b8f7015207cab9321c214fee4ab06b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enemies Of Islam.exe

Filesize
617KB

MD5
42a4efe6d2ca15d5b25911c0bb6eed7c

SHA1
0de78cd022d22a2600b8f551af6e3b24fad944ef

SHA256
175b9668c9bb16d54ea624be1dd16495b18b029074e875443b5f815b9acbd26b

SHA512
3a658fe26a207c33c23fc97abbdb7dffa3eeaf018dac7cf7074acc192fb4ffe9923dd30e5f2c7c4d222b9968e26b4020ad97f037b55b5dac97e10c2f53a3bb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facebook Bot Like Unlike.exe

Filesize
110KB

MD5
e2bf9d104fb4a74dcef35d87f1c7b42d

SHA1
f8843b678e4c2407cecbd3642e08e9137a76d865

SHA256
ba49120ff45cfc066b64db02120b78010835d8445a4338df971f952eecddf8ec

SHA512
5d3d3ebb92d4f1d74d859c6aa6fa08f0c007443bd9cdd1061d587a41eff9da4eb372cdba55495b471c302bfc4046fa0b2e8cfc188855f56b1c42e3f78b263321

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
869461e168a87283a8782e70f5d5a3a8

SHA1
ab189b5f2682ae66162226b4f646b1e80486c653

SHA256
992cb5ea845b2d24c02f4e40873bf4ebd7b58b57ae2e001907228af4879e575b

SHA512
e4e77e07eb0ef2adb6d5ebdb9629f4632c417cf3d1a22e4c414b806bfbd259df13f6c88265f9346ed2b22bf67eb3d63924d86767c8508be4abdc9067f15a82ae

Download Submit
C:\Windows\SysWOW64\Sys32\EGRK.001

Filesize
434B

MD5
ecc45ad137718a0dcf2deba0009e6d34

SHA1
972ecf580c784503d0c147da6e97b07b013de227

SHA256
f2779f369d20c27e21658c6f0bbafea32d9de0afa65354d8f5e09d9683729038

SHA512
7e19971e062c3f6b64057bc212ebd2818ba36bf405db5aa7b7716f78d47a9ce093db2301292dffe0088fa717be7fe00f92a38b2fefaf1f6e5a665d7c5d52059a

Download Submit
C:\Windows\SysWOW64\Sys32\EGRK.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\SysWOW64\Sys32\EGRK.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
C:\Windows\SysWOW64\Sys32\EGRK.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
memory/5000-61-0x0000000001890000-0x0000000001898000-memory.dmp

Filesize
32KB

Download
memory/5000-57-0x000000001BEA0000-0x000000001BF46000-memory.dmp

Filesize
664KB

Download
memory/5000-58-0x000000001C420000-0x000000001C8EE000-memory.dmp

Filesize
4.8MB

Download
memory/5000-60-0x000000001C9E0000-0x000000001CA7C000-memory.dmp

Filesize
624KB

Download
memory/5000-46-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/5000-62-0x000000001CB40000-0x000000001CB8C000-memory.dmp

Filesize
304KB

Download
memory/5000-66-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/5052-0-0x00000000751A2000-0x00000000751A3000-memory.dmp

Filesize
4KB

Download
memory/5052-5-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/5052-2-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/5052-1-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/5052-64-0x00000000751A2000-0x00000000751A3000-memory.dmp

Filesize
4KB

Download
memory/5052-65-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads