ardamax | 1e48e0a89ad24b9273a92b3bb707e07ecf0635b609f14768e59c8ca9249c5a70

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-10-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
Size

1.3MB
MD5

69d723338b992ee153027b1b159d9ec1
SHA1

febc1a6fdb5b81e73f15a68f4bee2b3e058e65a5
SHA256

1e48e0a89ad24b9273a92b3bb707e07ecf0635b609f14768e59c8ca9249c5a70
SHA512

1089c03af40963a23a79bf3d4711b96d5ac94e84f8db59a522f3efe7b689266af6b4cab6815f9bdeebb35778b90d76e9d41f5fc76010e7f76e69e2ad354f0681
SSDEEP

24576:elTV5nFNJ4fmEST3LfeS5I8t/bY+I1ynqvB/L6tt1R8oc+I1C1+v5ZR69tFRva:edzzpDLV5i+8ynpt18+8C1ntFY

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d47-30.dat	family_ardamax

Executes dropped EXE 5 IoCs

pid	Process
3040	INSTALL.EXE
2220	SETUP_AKL.EXE
2340	YXFG.exe
2288	setup_akl.exe
1456	HTV.exe

Loads dropped DLL 36 IoCs

pid	Process
2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
2220	SETUP_AKL.EXE
2220	SETUP_AKL.EXE
3040	INSTALL.EXE
2220	SETUP_AKL.EXE
3040	INSTALL.EXE
3040	INSTALL.EXE
3040	INSTALL.EXE
3040	INSTALL.EXE
3040	INSTALL.EXE
2340	YXFG.exe
2340	YXFG.exe
2340	YXFG.exe
3040	INSTALL.EXE
2340	YXFG.exe
2288	setup_akl.exe
2288	setup_akl.exe
2288	setup_akl.exe
2288	setup_akl.exe
2340	YXFG.exe
2288	setup_akl.exe
2220	SETUP_AKL.EXE
2220	SETUP_AKL.EXE
2220	SETUP_AKL.EXE
2220	SETUP_AKL.EXE
2220	SETUP_AKL.EXE
2220	SETUP_AKL.EXE
2220	SETUP_AKL.EXE
1456	HTV.exe
1456	HTV.exe
1456	HTV.exe
1456	HTV.exe
1456	HTV.exe
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YXFG Agent = "C:\\Windows\\SysWOW64\\28463\\YXFG.exe"	YXFG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\YXFG.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\YXFG.006	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\YXFG.007	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\YXFG.exe	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\28463	YXFG.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.006	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.003	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.004	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\AKV.exe	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\qs.html	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.chm	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.exe	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\tray.gif	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\menu.gif	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\Uninstall.exe	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.007	SETUP_AKL.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP_AKL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YXFG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000016cfe-14.dat	nsis_installer_1
behavioral1/files/0x00050000000193be-88.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10473c8a6324db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B541D381-9056-11EF-81B8-46BBF83CD43C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000ec56fa3f839cae6fe07eec39715fe5a01ac867ed38efb51ac7de0416e9ce01bd000000000e8000000002000020000000c67395bfb014f85f1730e9a635fa084d6fbcdf67d41255be781abe86ea2aa55620000000cc3a2eb78dac351e44eb347181492f7f8b86c22453fa52e199ba451cf1135e7140000000960566fa1e59c8ce599329ee495016fe483bb92df875a713aab0d2baf58bb5a0da8a7c645151eb9edb2ac41f125c72ab912fb9287835ae976c896474df056301	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000051dc1b0778ea09bb8dfb682cf34fce2f4f0249f6f66e13b3bcea1fcd0444770d000000000e8000000002000020000000ca846ae4b4432f0bc76d5737583458709ecf6f7f34ef502bab732985a6ce9c4a90000000572d0c2e78866abff3f526b3be0e58e965e1317957e0811967308545faa68b0595e5c4387aaa621d7d3cdc27e68f051ec374fd109a22fed5fa24cecc6f5eedd24500a5a9f426c68d946d15ff89e1ffaf982bfe6360990fd5dcf21988477fe7542fd89e6f1b2eafef4f29a663232f602c89986784b1afe65c6eedd126497dc05770bd799c99ac6b8488c79f02bd1e3b7240000000cf8030250ecd8e6a618bfca7826ff38659584d5d6586cf24a4f143d89a0f2c2627b10f75c7acd214e47609eec49a590e3f34ee2b6c8c75b190c02761271d09c2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435750623"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2288	setup_akl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2340	YXFG.exe
Token: SeIncBasePriorityPrivilege	2340	YXFG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1600	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2340	YXFG.exe
2340	YXFG.exe
2340	YXFG.exe
2340	YXFG.exe
2340	YXFG.exe
1600	iexplore.exe
1600	iexplore.exe
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3040	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3040	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3040	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3040	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3040	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3040	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	30
PID 2696 wrote to memory of 3040	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2220	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2220	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2220	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2220	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2220	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2220	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2220	2696	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2340	3040	INSTALL.EXE	32
PID 3040 wrote to memory of 2340	3040	INSTALL.EXE	32
PID 3040 wrote to memory of 2340	3040	INSTALL.EXE	32
PID 3040 wrote to memory of 2340	3040	INSTALL.EXE	32
PID 3040 wrote to memory of 2340	3040	INSTALL.EXE	32
PID 3040 wrote to memory of 2340	3040	INSTALL.EXE	32
PID 3040 wrote to memory of 2340	3040	INSTALL.EXE	32
PID 3040 wrote to memory of 2288	3040	INSTALL.EXE	33
PID 3040 wrote to memory of 2288	3040	INSTALL.EXE	33
PID 3040 wrote to memory of 2288	3040	INSTALL.EXE	33
PID 3040 wrote to memory of 2288	3040	INSTALL.EXE	33
PID 3040 wrote to memory of 2288	3040	INSTALL.EXE	33
PID 3040 wrote to memory of 2288	3040	INSTALL.EXE	33
PID 3040 wrote to memory of 2288	3040	INSTALL.EXE	33
PID 2220 wrote to memory of 1456	2220	SETUP_AKL.EXE	35
PID 2220 wrote to memory of 1456	2220	SETUP_AKL.EXE	35
PID 2220 wrote to memory of 1456	2220	SETUP_AKL.EXE	35
PID 2220 wrote to memory of 1456	2220	SETUP_AKL.EXE	35
PID 2220 wrote to memory of 1456	2220	SETUP_AKL.EXE	35
PID 2220 wrote to memory of 1456	2220	SETUP_AKL.EXE	35
PID 2220 wrote to memory of 1456	2220	SETUP_AKL.EXE	35
PID 2220 wrote to memory of 1600	2220	SETUP_AKL.EXE	36
PID 2220 wrote to memory of 1600	2220	SETUP_AKL.EXE	36
PID 2220 wrote to memory of 1600	2220	SETUP_AKL.EXE	36
PID 2220 wrote to memory of 1600	2220	SETUP_AKL.EXE	36
PID 1600 wrote to memory of 2332	1600	iexplore.exe	37
PID 1600 wrote to memory of 2332	1600	iexplore.exe	37
PID 1600 wrote to memory of 2332	1600	iexplore.exe	37
PID 1600 wrote to memory of 2332	1600	iexplore.exe	37
PID 1600 wrote to memory of 2332	1600	iexplore.exe	37
PID 1600 wrote to memory of 2332	1600	iexplore.exe	37
PID 1600 wrote to memory of 2332	1600	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
  "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\28463\YXFG.exe
    "C:\Windows\system32\28463\YXFG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2288
- C:\Users\Admin\AppData\Local\Temp\SETUP_AKL.EXE
  "C:\Users\Admin\AppData\Local\Temp\SETUP_AKL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1456
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
43KB

MD5
916ced19a86ac3006f26ea60719dd648

SHA1
68278a4c3d5202fff273844d8e4b488fc1daddcd

SHA256
3dc70f9fc553517666be9008ebcfab2b044ff711036d49e40144e0dd97910734

SHA512
9c08cbca52a17f810f3892d66a72ff37c3af5a60ebe34f56e3937c933e265ae0e4207410f7778434cb203a76e36dc62df09a08f3b3f4338d35b44d5c5bc8bb28

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a76bcbe28a79be18c8f0c9b662b681a0

SHA1
d5d48ea340a5684299b34643904e076e789cb9e6

SHA256
37532325af350c705827da806d336dc98c52e019bf9607e87f9446e6d0a27a4c

SHA512
499571a6cc12569309a22e4e88a781513633d949b0f57047e363207a7639cb9c0228595bf86535c81f6c8e5763b925c24a84ddaf0813c1fe69fe170371c7832b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a975e229991b66c25e9066ec1862df73

SHA1
85131fc44b95e9e11ff6aaff49957089b5c4b090

SHA256
7555d186d423df055dd9f6352828395a6ccbcc8bd346b928cafc617bed9a6573

SHA512
7d75cea3d9dcdc473326b7ad8af1921c780e6516ebc1942f4c47f8601518933de867afe9c666cc0ed6367ded3ecff53c9755046d999b8bd98b3edbd3d0661b12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9316434a17de92297bf79ce6f0c3251b

SHA1
f3a0a67a844533984243754377224ecfc8e06c1f

SHA256
09bdfdd312b8d4fe1081043647fb6ce8b18428e3a63ba00c57b6c6830a9b98ee

SHA512
24660743cfbfec3b5cd2651cf8df274f0016684d5f06a2cf435ace2630d738acbd7e1c295dc5ab73687caa3197d36cf7c764fbaaafc322825589f8b0137917fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a135d103282663a99a8dea5ce9d8aed4

SHA1
7d4bb472b9a66941608dedac5061e4c850e91aac

SHA256
ae98acc0cbb1b1235904506b5b06567ccc3c868b2a777705bfad7592e32508cf

SHA512
309cf188fb9017bc9b3a506df42740fe081b1f6ef7a035c53845b9084a1c0eb13c1546f9bc9c48686401717122307d1610bc87dbb9b49c5819ac7db10ce8837f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df63a60e24b0afea532e17832bcf69c0

SHA1
da5b44dda5a3a56cf0a673b5f349d67dcd0c2dfe

SHA256
d1b9d4d8524e48ae68f2f0a884556bdecdacdbbc173b43586249a91d7ad376e3

SHA512
0256d32cd06a81386c976a033f061f7c61a4c93b052440675f02096e9c987846cbdf77ea45806260e304993a12dba8e2bb807bbebf1a6ca1d6db1d6559803b44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74af4001472ae6f83484da2932aa7159

SHA1
98459a1fbe03347efbab3d28faf15646d24fbe12

SHA256
b04b5c231a013cc954596c104f5e1a45bfb9c0e605ab1355261ef7a01860c615

SHA512
61a76ce807c16fb430a6b30e936e6ffa6e8509e78fb6f76f336b6888895f1b8e9347d5be5a76cee5b14bdd6b7a27a1119fedabeab3b827d9df3e11b4b1281de6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b552fe1ecdb3f3e7ae4a6823839697b

SHA1
d04a0b91811dde1bf20468a699a34d143e70aa50

SHA256
94467c4a0f5f6106db6a411652a230152e78e244dcb5436e18f5933c54ec5a0a

SHA512
8e8e1f381ef62c583a39fddb376d69760e9c78b56ad323950dce9cea36ee55430c43292b2f7d23bace1c6a07f2ab052833c618032986d9d59a372c1b92e5145b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfbf62ffef71cc250da1ad5b1bff19f7

SHA1
b0952f75b13fcee7f3e7c0a0759cf73c45c8b686

SHA256
09f48e1d5d785dc32c28bc4259c3eb8a816006d50b23585b03746f3cf166de55

SHA512
b29611f8150b23f9e1009ee4ed7a9e01b1e5c44e14a01a258e3e7907ebcbdfebc0a684014a1b5b7495e1bde903bf849aa7439ff9b2c875c547c08f722754cd7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84df20f594f839e83220a2dbdcb3bbb2

SHA1
11ded9c1ff1d15be55537daf525f45c5b4fd6c1c

SHA256
0e5ba64cf07fc8a636881f31dc9acc9e1ff70036fe0327d4c7a3cf359b816a4b

SHA512
69aa0054444e30b613962d1eb180442e423496a91a722a6a48fb51e7617d73439bc44826dbb16e10a33bf40038ab3ef603c7f528ad10d04567e145d6c63062d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f70c7e4bbe249245bb4ae70ad70df95d

SHA1
c04e7247114515edfd24509bfeb980c2dc2ab4ab

SHA256
6d41da28bc6123bab7ff14073cb92469b68e7fb24b889344ec82a3247897ca03

SHA512
e34ff014b8333a8a12b7dd159e716fe150bd179ff7a8396121304285ec81ce5650494fd122805f1a143194757655d5f1dfd4f3724f6b986e4198015e1016087d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28f8f02615599ac5f5089224841cefce

SHA1
80d43936523dcad133497f9938461b30d8a924a0

SHA256
0adad4c9b7b8b3bb991ff56e9334bd736f4fecb26c8f2e41f2afd61aafcb3fad

SHA512
1234e89817c46903261a5bf021870a5555e2b7f9299137552166ce3392d37fc5358894f15acc2411cd4d6d846d1b7b865b2f7e7c9158ddd5b032c0967c7c0af7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d0a938bcfa383fbc1b42731ba80b501

SHA1
dcf3f0f2c75ac924e0ea3d47e6a31473f48a7470

SHA256
0fec18316a340d3ab973dc2913cc60ef993aefebc976244834dbf48b6aed0f66

SHA512
5e52e59a92d015f0a6b17f094db0fc0d156158f5cf0f71bc949a24a1d298876ba1801e4185531da8a8d9ef00559e0429ef46be3badea310bf8b8b5ac6a9e8d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
108a2bbc5e722f3377fa892a2f35c0a7

SHA1
24200ee716b71b0bec3340f91016c30701125190

SHA256
d2eceb44bca391094f0c606561994e6c0f2d4a6398b9df36041507fc431458ef

SHA512
de1ae66285e53a43bfd2b5a2d96ab337ff58159007c5e411a2e832d665f1d50f0420e2968bcbe3ccd24838bbc00afcacd23e1e037fd269277323e99dfdac6896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
053372d264dcafe6dabd9ccf5924d3d3

SHA1
4774254809f23341473d3515e8b42197a38b8cee

SHA256
7fc60ada9fa38e2589a22c42dfe319953030cab0db3cabbcfacd60cc298fc55e

SHA512
2f84086d87009ac0ad8c6b1cac2726fac28317d5882ea34c83d1185529592890631c07067aeed4602ec50a14dd78bf4068bbc9e58aec77f2fd5a1529b5e5e64c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15f85ffd17f4255c358b265ff093f351

SHA1
a112e8977d3835266ab759580c3614105429e169

SHA256
5d518acd11df3bce13fd5c036b723f0c24c54fa56defd7d4d478c956d5e298af

SHA512
d5381f011f5612e8f571b998d36faeae232019e9a60b8617092a6877aff3418283de049a089991db3d6f84e31872b4ecc8ced03656295520334d6c3e63cc2493

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8404eb2ec95249d99202703a116bc774

SHA1
356118c8ecf2b3f0eb0cc037680cf3c45c9a2722

SHA256
385ee20ff00f39bff50e839b20a42f995dfd3567d489bd2567dc97a1d7b5b579

SHA512
88f2659149e5cb1c3595ec090a69e30611b4a437889d1f3e6ab1a6276eba1e2f64678853e5e9d2b85a676ef2d27a368fd0eacd51260e7d073959b313ff0d98de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a75d25bcd7230906f60cd0a3a156acc4

SHA1
db519684f1324c7c621f144a7c304b8212caec28

SHA256
00c0c97fb2cd9351a233da4abf5f615ca26329866147cec5ca48d0aebf26a354

SHA512
ea6e3c3ee35e1674bae3ae4bba8113897785d0177584ae625ab7fcd0cba49aa150983c9839320454507cb86d377d42209a74acf7388d67a8690f51d8466edad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ffb9581f85521f404fa6b03bdb32547

SHA1
8ae14c2823faa4b91220ab25b1303e5edd929ea6

SHA256
9fe116023a73591a55dc60c7b32b11a6c034cf67f69443fe93da1cfcc20066ba

SHA512
aa629c977ad64bc817610d56b2f12fd2054af27ea6fa912e76814852d8aec83ff227a48530aa443dd6688166e7a7028fdfed2cb51b9e199c7364a5bcccc2c7b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eadd0add7ed99d994dd6019568667b8e

SHA1
6a3c8fcc7333e1bec3b4564c0e2a8e3dcf33c467

SHA256
126f4da0e8139103acf39eb6165c78160c6bebb4554cc649c7f7dbab4a15d05b

SHA512
e28d2e484e56c42ecaddd22f6f74f157e6b7b5b8c21b49a523575dd016cdb0618a326298c328c46997f70c11c7433923aec55362bac5a553c1c6f1ad6134580c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2AF9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_AKL.EXE

Filesize
418KB

MD5
15c01ad46f1143036a3cc727549b305e

SHA1
263b6fdfb4ac98e60fcdfe570e31143d3b502b31

SHA256
b4ba83d0ebb2540014dfcf8e51192296f62880639ad1d4204a898d03a60715f4

SHA512
6236f0af354dcf890528b14ba4c63d6980bdd8d1a7d460618bfe4f046dfeb26fc91420dc3d8c3253d84faf8cfd0157338ce44b9781fbd0e379fa844844a66a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B5A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA42D.tmp\ioSpecial.ini

Filesize
784B

MD5
677f5b614682f52484a3d3c2069f153f

SHA1
bafebd66b9ae22b0b947cc957372e647942e1b67

SHA256
87a10d93bb4589a0db27cfaafa0b250cf7a8ca476dc879d347d46a5e2af3fa40

SHA512
bd59e11e46e89ab8ef8ba04a62a39bd8f183b2d8cba71cf0c764d40b06f0865e523dac8a4f47b43e984b18f1333337b4ee676ee2952341c188a63e5a0a306067

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA42D.tmp\ioSpecial.ini

Filesize
719B

MD5
cda457050c2e8d5e9a69014ce8e8ebbb

SHA1
f223b535e1b07fbcc3dc234e53a7ce22bec84efd

SHA256
6b66921f3c83990f002e55b4df5b6a7b56424c175a889108be7ea7cc9cede28a

SHA512
00edaa4c9d70a44cdca720e8eb0ac1fb4413f8262e9f6d9958fced3dcadf45d5f735e3e31f2086ced61d023bab3d81fde54510b2afc3000ece02c2fea91db4d5

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adbec81b510dcfe49835f95940ef961d

SHA1
77940f6e46fbd5f53de23bd49afe9172470769d0

SHA256
466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

SHA512
ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

Download Submit
C:\Windows\SysWOW64\28463\YXFG.001

Filesize
408B

MD5
9ddf8eddb967987e43e178ea731a13e6

SHA1
112c08c25188b785f6317d374e64d45a9d2b14c7

SHA256
6033734f4772db3b3d4e908f3e2ae2989cfb6cbadbe85875860e46daa3a78651

SHA512
8160599d4a57b2a62ac156855885c6b864abda0947e5cf1e9400eeac432ea34bc9e349ba5746d43dbb90cf591327ac6e8a59f55e30bc7a31cf89c69624866137

Download Submit
\Users\Admin\AppData\Local\Temp\@A370.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
907KB

MD5
27844d86bbb80d1ec89adfb288259b80

SHA1
a15ec161b39f04a4c817ab60f6977624a491df2d

SHA256
ba24bf9749aa2c37c2109a43406e01f4a9d8a3455b88b39816743351e2761a71

SHA512
7bed01dcfb93396e6d19ef008d0cbca2be9d6845a53b19988ad63fb3de449d82207458915cf72f7c5edbb95e5d5c122b48c5e5c50a84e9a2e0adbc9a11e7513c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA42D.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
\Windows\SysWOW64\28463\YXFG.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
\Windows\SysWOW64\28463\YXFG.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
\Windows\SysWOW64\28463\YXFG.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/2696-12-0x0000000010000000-0x0000000010154000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads