ardamax | d63515b0562d08252069d37a54ecc8edf6c28f06da3a7e937a21e83d25c806d9

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d97eddf4ce51c5604f97b6a8c37e752_JaffaCakes118.doc
Size

289KB
MD5

5d97eddf4ce51c5604f97b6a8c37e752
SHA1

af5b4b430adb928ae440324f60c0691787846ad4
SHA256

d63515b0562d08252069d37a54ecc8edf6c28f06da3a7e937a21e83d25c806d9
SHA512

21953cf23b5f79232ad13bea0b0a32160e13571253cb810ab8f5ed28e9064263cc034fde1a21cafa971b1911c1bb351635d1c7b9dc7311eecf016fc03b551036
SSDEEP

6144:aT16276Gd37WAmXmpyGc2YBPJQWQcwu2hUGe2LA9mzC6:ac2e8rWZP22PCWX2hb3y6

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c73-57.dat	family_ardamax

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2376	3652	cmd.exe	83

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svshost.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	tmp.exe
5028	svshost.exe

Loads dropped DLL 4 IoCs

pid	Process
2744	tmp.exe
5028	svshost.exe
5028	svshost.exe
5028	svshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svshost = "C:\\Windows\\SysWOW64\\svshost.exe"	svshost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svshost.006	tmp.exe
File created	C:\Windows\SysWOW64\svshost.007	tmp.exe
File created	C:\Windows\SysWOW64\svshost.exe	tmp.exe
File created	C:\Windows\SysWOW64\svshost.001	tmp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	svshost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3652	WINWORD.EXE
3652	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	5028	svshost.exe
Token: SeIncBasePriorityPrivilege	5028	svshost.exe
Token: SeIncBasePriorityPrivilege	5028	svshost.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
5028	svshost.exe
5028	svshost.exe
5028	svshost.exe
5028	svshost.exe
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE
3652	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2744	3652	WINWORD.EXE	86
PID 3652 wrote to memory of 2744	3652	WINWORD.EXE	86
PID 3652 wrote to memory of 2744	3652	WINWORD.EXE	86
PID 3652 wrote to memory of 2376	3652	WINWORD.EXE	89
PID 3652 wrote to memory of 2376	3652	WINWORD.EXE	89
PID 2744 wrote to memory of 5028	2744	tmp.exe	91
PID 2744 wrote to memory of 5028	2744	tmp.exe	91
PID 2744 wrote to memory of 5028	2744	tmp.exe	91
PID 5028 wrote to memory of 2628	5028	svshost.exe	110
PID 5028 wrote to memory of 2628	5028	svshost.exe	110
PID 5028 wrote to memory of 2628	5028	svshost.exe	110

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d97eddf4ce51c5604f97b6a8c37e752_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652
- C:\tmp.exe
  C:\tmp.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\svshost.exe
    "C:\Windows\system32\svshost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\svshost.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\tmp.bat
  2⤵
  - Process spawned unexpected child process
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A103.tmp

Filesize
4KB

MD5
75e03e528628f1b435614e2982661c31

SHA1
400358a42179c337c01b6b9c7492705853efdc18

SHA256
880128dc529da91fc984c5d80feb09342fada3c24a13a5a413bc77fd603ef56c

SHA512
6377b296937a2af642d2216ad8583e502b5f2a5925800aca60ee022619683d4e0998b02548b19f860d97b7bdc0f6deb6de0e26898f3bdde7c283ce9550cb62c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE3FE.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
118KB

MD5
507421d87cb414b17b04d7508415ca6a

SHA1
c489777df18bee3a790790b66dfaa7c076108cd6

SHA256
d7ac9872a9d4bd3b3944ef4548b7dc006b6fce24fa72a26fb0386d71190d7f6b

SHA512
e7bcfd69f0adc90f3f1e759924b62a7e0f0af36737e562ddab58e9d8a1b0da36c1b97de2ff31eceed77e9a6cb961111e67204be5d490d0bbb9877ab57b91aa0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
d969bf41816f47adf597d2905178fa4c

SHA1
2c2f3db46232e437879aa4d7af16b9a7c18a2508

SHA256
f8fc8b1e88832539883309ebd33bf0b0ced9d90529df57132d39beade5f2b1bb

SHA512
4a95ba5ab65b9a352e215742394606af971134ad77fe1697bc53e377ed3fd20f9bd97db96b7de2903176a1a85b0f1421d7baa88bbeda1816b7ccf750a01539da

Download Submit
C:\Windows\SysWOW64\svshost.001

Filesize
2KB

MD5
3fc403723af05bbe1f7c8a9bd433c4e1

SHA1
38f9e59d3a2942d58934cf85be1a8a6857718f0d

SHA256
0e2c985ac5b2b4bd911eb0ffe554003908dd08bd3bea1de5ae7cce58d265cc77

SHA512
2ec49396a944fd87bfee388b43c43a622c9345c44252af2c4f88d31a8e5ffb4896ec31281b51d79f7670065e6875bf4e4ed8ca4d398ee0c2865494fd32c76e89

Download Submit
C:\Windows\SysWOW64\svshost.006

Filesize
5KB

MD5
751af9fd705f1c046dba80d13dc151f4

SHA1
873c556c548f893dd4fdc5aa7f5a53a6966f1f8d

SHA256
9f2555ea46c5b4d8c0a8150360609a37f82691dbab5cdb46120da806d614ac50

SHA512
b86126932584376e966b8dffa9ef367372627c45199b8f1d5d67cb4c977284ccaf4d026c79952b33157fd211f856783006e5470db05d8ff7c2ff64589336e1a7

Download Submit
C:\Windows\SysWOW64\svshost.007

Filesize
4KB

MD5
ce92c6226c4192736c898f6fddc55c82

SHA1
c02a50511be7e146e8f9b59ce5c47d75f6d85728

SHA256
c963421686c1393fdfeb7838351cd8a95de0837696975f869f6ee75c3751f77d

SHA512
e6db4c41f0a606ac0aa9f0afd9849047fc16471cc7d0f4b2abb1f27f75b30ef9af4491911c1694b85b094c34539a85068debdf222651b0ac65dca33a73300106

Download Submit
C:\Windows\SysWOW64\svshost.exe

Filesize
286KB

MD5
b9683df54fd54f5330846c2e0f53a00c

SHA1
8148b461cfe9192ee89930427b553476e34d5d92

SHA256
127760b71ac1fb6cc8539f460cf3dbe5ad6424e282308f8eb4a01f38feb7d7ae

SHA512
a738e99f21d973cf88049032e3b7911fb24508431d1beaff3fdaca2be3d45487b8e69c1cd686d231526f6fb0c2ddb6830c730479566d5ce5e45b6569c919d501

Download Submit
C:\tmp.bat

Filesize
68B

MD5
e0ccf13efb712acd2cf1b013c9fb395d

SHA1
81c9a8020011b47c5b1e7b0dd8dcef5da5daa922

SHA256
1f5b0a9de7deaead02d853c107351f28aa41d3cabeae49b42823ec9a3db66c06

SHA512
5067bebe549a35420285eaac27fa18fd64ff77a1baeb483b36972217ebd1d84e8c9ca99b81e80ab0080f2c0f33b16becc164cd762d61a7a012d658b14f0e5ffa

Download Submit
C:\tmp.exe

Filesize
168KB

MD5
8288643770473d70be48f7ea4dcb1f88

SHA1
803547bcbf8a7c56fa1aa57d87a61040f9a578aa

SHA256
af7c75274b1f259754b286dfdaf6ef3d095e7b673629ed9b6f18afaee7fa53f7

SHA512
5f2de7e6ae7e9aea6ccb3294ea62cf348cb88ae5b656049feb827ab2a85decde4fb8578e2e723be94ff470ad81abb54d84771c56f17b1f0027e391c3d2b30747

Download Submit
memory/3652-12-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-7-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-10-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-15-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-18-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-17-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-19-0x00007FFBA08C0000-0x00007FFBA08D0000-memory.dmp

Filesize
64KB

Download
memory/3652-20-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-16-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-14-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-13-0x00007FFBA08C0000-0x00007FFBA08D0000-memory.dmp

Filesize
64KB

Download
memory/3652-36-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-37-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-1-0x00007FFBE29ED000-0x00007FFBE29EE000-memory.dmp

Filesize
4KB

Download
memory/3652-35-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-6-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-55-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-11-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-8-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-9-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-5-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/3652-2-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/3652-4-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/3652-95-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-97-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-96-0x00007FFBE29ED000-0x00007FFBE29EE000-memory.dmp

Filesize
4KB

Download
memory/3652-98-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-99-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-3-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/3652-105-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-106-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-107-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/3652-0-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads