ardamax | c69bdd84f2975702cdf824c22c083b3bac5dd831ff501f2505ad2cbd9a686211

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe
Size

1.2MB
MD5

5e7513cb6231f124202feb9c6fff5f8c
SHA1

0c226a252c631bd9dfec8691116e400051e9c8ea
SHA256

c69bdd84f2975702cdf824c22c083b3bac5dd831ff501f2505ad2cbd9a686211
SHA512

8e09ad9213cbcb0c1ae53deada825e6b670a5c6764969752ce2b47e434ca15c00ac5959fc6d398fd541fd613b29e83a62d21e28a755875964f7389461ae9c2e1
SSDEEP

24576:P8NYABaUhRVw2f0UNHvGoV1ItrMnIudGqUnKAusuirmEFjy4X4o5:P8NYAY0wvUNPGo0RSEbKAjuirmtY5

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
hackk.leadhoster.com
Port:
21
Username:
550950
Password:
samet123

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d40-29.dat	family_ardamax

Executes dropped EXE 5 IoCs

pid	Process
2928	Setup.exe
2916	Crack.exe
2676	HTV.exe
2996	Speedhack.exe
2340	is-TF4BA.tmp

Loads dropped DLL 19 IoCs

pid	Process
2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe
2928	Setup.exe
2916	Crack.exe
2916	Crack.exe
2676	HTV.exe
2676	HTV.exe
2928	Setup.exe
2928	Setup.exe
2928	Setup.exe
2996	Speedhack.exe
2996	Speedhack.exe
2996	Speedhack.exe
2996	Speedhack.exe
2996	Speedhack.exe
2996	Speedhack.exe
2340	is-TF4BA.tmp
2340	is-TF4BA.tmp
2340	is-TF4BA.tmp
2340	is-TF4BA.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HTV Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugtpm\\HTV.exe"	HTV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Speedhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-TF4BA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2676	HTV.exe
Token: SeIncBasePriorityPrivilege	2676	HTV.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2676	HTV.exe
2676	HTV.exe
2676	HTV.exe
2676	HTV.exe
2676	HTV.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2928	2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2928	2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2928	2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2928	2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2928	2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2928	2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2928	2652	5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2916	2928	Setup.exe	31
PID 2928 wrote to memory of 2916	2928	Setup.exe	31
PID 2928 wrote to memory of 2916	2928	Setup.exe	31
PID 2928 wrote to memory of 2916	2928	Setup.exe	31
PID 2916 wrote to memory of 2676	2916	Crack.exe	32
PID 2916 wrote to memory of 2676	2916	Crack.exe	32
PID 2916 wrote to memory of 2676	2916	Crack.exe	32
PID 2916 wrote to memory of 2676	2916	Crack.exe	32
PID 2928 wrote to memory of 2996	2928	Setup.exe	33
PID 2928 wrote to memory of 2996	2928	Setup.exe	33
PID 2928 wrote to memory of 2996	2928	Setup.exe	33
PID 2928 wrote to memory of 2996	2928	Setup.exe	33
PID 2928 wrote to memory of 2996	2928	Setup.exe	33
PID 2928 wrote to memory of 2996	2928	Setup.exe	33
PID 2928 wrote to memory of 2996	2928	Setup.exe	33
PID 2996 wrote to memory of 2340	2996	Speedhack.exe	34
PID 2996 wrote to memory of 2340	2996	Speedhack.exe	34
PID 2996 wrote to memory of 2340	2996	Speedhack.exe	34
PID 2996 wrote to memory of 2340	2996	Speedhack.exe	34
PID 2996 wrote to memory of 2340	2996	Speedhack.exe	34
PID 2996 wrote to memory of 2340	2996	Speedhack.exe	34
PID 2996 wrote to memory of 2340	2996	Speedhack.exe	34

C:\Users\Admin\AppData\Local\Temp\5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e7513cb6231f124202feb9c6fff5f8c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\plugtmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\plugtmp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\plugtmp\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\plugtmp\Crack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.exe
      "C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2676
- - C:\Users\Admin\AppData\Local\Temp\plugtmp\Speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\plugtmp\Speedhack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\is-20CCN.tmp\is-TF4BA.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-20CCN.tmp\is-TF4BA.tmp" /SL4 $B0152 "C:\Users\Admin\AppData\Local\Temp\plugtmp\Speedhack.exe" 578730 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\plugtmp\Crack.exe

Filesize
346KB

MD5
7f81aa45d4d1069c6c74632a3fb6de41

SHA1
946589ed97702468a888c7a5105b848fe6bc5400

SHA256
0252b58eeb9d7e17b33dd49a62c5c8ba3c4e1fe7ddd7b20c5533b15e08511202

SHA512
46f0c0e4ca594642a355c240adb4c735f4064601331a428e982d430dd39c09cc49e3c00309d4dd4b6b64e316b3e9c09bf3b684fa21dd21b343c82af1d98564e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtmp\Setup.exe

Filesize
883KB

MD5
b32884f2e85763f6fe4bd2b08764cb19

SHA1
b521d022b19900dec937356fadadd3be9be2e744

SHA256
9cd58d127692a0f2c01751e4dabd90881a9cf352b4b95bd0b5c4de3fbb87f66d

SHA512
070d74d822f1f32af9866cc6422fdc971c0891423bdc69ea45888ec2706b1e4c3036600eb76d56d4f2667b949abda3a0d3359fd242e12cf7d36bb79143d4b96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.001

Filesize
2KB

MD5
60ee2641b86f717ef12286c112b1deff

SHA1
81c90ae83b1f9972da3a91672d94ab2e4491c085

SHA256
2b004c4043c809a51c6a2142ff9b3233b61c055e4ad1effe57ccf2e09c46706d

SHA512
1ceec4506de1096e536050cd0b63554cdb00d5a5ef041e6d2459e22babf7ab6b9f0d0973ea5447fe81fa5e035ccb03697d490ea319810df54d7bfadd3ce3e98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.002

Filesize
768B

MD5
645fe4effc2d21f99c15b7efa8346a09

SHA1
86521893912bd90aa9f426fd739bb0acfe32e831

SHA256
28ee51f8127e77c390a501bcbc0953bdc404287e83ea3330264a733cea3494fd

SHA512
4648e3966d7a08da5bbf0707d900574f612dc767598dd8d1ec98c4d31b65429bb8922961015ff8995a258dd2b132b8a855fd60295b62ced031bb11e763733428

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.003

Filesize
4KB

MD5
ac2120f3b2fb824a5c1f3752dc944d21

SHA1
8bfbf3887103e886736e0802f88ed860a450856e

SHA256
fd9c203a32eec0afe4ab1e3ae02c68ac27649120bb3f0af68852ba487384ecaf

SHA512
474d77a27e3553aa58b394e77317a770f700f59580820741269e6c4746e664ce483a33a51baecd45ef4ac1a13e451a2c47d95c9abb79c7bc5cf902646f78c90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.004

Filesize
14KB

MD5
63449cfad50b3f5669f0da2a84789489

SHA1
a76f624701c41d8b38b67664411f9eae8c6da071

SHA256
23048dadf243aa6c88a42784cf774622a51637292eb4a83b6d8c3cbc02003ca8

SHA512
42aa6929d775354d2ca3c77cf257efbed30b4dba65ec14d547b14bda0dcf3aa5234a120d11525f9b6cc9d491691047aad21a4e3652a98e3ab3a3c265edb9eda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.006

Filesize
8KB

MD5
8499922ab422c17e550a724083be50c7

SHA1
914aa24da69f9882d12d7d7cceae38de4dbcad1c

SHA256
894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a

SHA512
9d2e7619c7e8e459449a7f70d581ae52a1d33ba1c90b2a14812c2a44474451dc06e78a8e410aae5e7caf9306bbe739b1eeca1a1bc167498a982d9f1320dbbd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtpm\HTV.007

Filesize
5KB

MD5
b128c2f3eafaff6725ed554a2a21b72f

SHA1
377c206483b5348eb4b657363d29cae830be0b8c

SHA256
b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef

SHA512
3de5ec44becf7520d7ae32764b4636a1d727ab92d192fd92d725d6d308067e331f88e62f3cd9a4a334eb1d9e2ea44bf30f14ebd4e4f2877cdbd6b7bf0ed771c8

Download Submit
\Users\Admin\AppData\Local\Temp\is-20CCN.tmp\is-TF4BA.tmp

Filesize
647KB

MD5
b683339ce008e97a0243a0f83bca1e09

SHA1
a8a4c078225ec9d94912762bda3a745d83dbe8f4

SHA256
5c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925

SHA512
c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780

Download Submit
\Users\Admin\AppData\Local\Temp\is-EJ0FT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\plugtmp\Speedhack.exe

Filesize
812KB

MD5
32fdc92dd010396955ebbcb6ec020799

SHA1
f34f26f8b17c6ceb045b7c338f8a39e273a052bd

SHA256
4cac304ec01cddbdfc46cd46ca7d3aeb89c02db15ba9c000edd8ffa395d4d5ba

SHA512
c0aae0e60eb6977d1e37fc70aef8c5f43e176d8aa89b5b024d93701111cb066986384388244ff895264baf875c7fe2050bb3e3849f038a781fd73836c9524f32

Download Submit
\Users\Admin\AppData\Local\Temp\plugtpm\HTV.exe

Filesize
513KB

MD5
0c7a714b8e1d2ead2afc90dcc43bbe18

SHA1
66736613f22771f5da5606ed8c80b572b3f5c103

SHA256
800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e

SHA512
35db0de86c168eb6302dcbaa1e1f9ec96b5a8814e7067e1a7bb682e9f35fc06c51148a08e6f7df1e8caeb2effde555c53966a8922e8fef6b7ce194dc81c984b4

Download Submit
memory/2340-94-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-88-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-106-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-104-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-102-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-84-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-100-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-90-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-92-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-98-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2340-96-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2652-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2916-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2928-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2996-60-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2996-79-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads