ardamax | a6eb6172bf85caadcbe2a2a602aa652106ab4c510d2acdb490cc68c4586e6b2f

Analysis

max time kernel
145s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Size

1.5MB
MD5

aac9e11b8c8b56cd755ed43dfa602f1b
SHA1

a0baed9dda3a9f51c94aadfce7b1080bd885bf3f
SHA256

a6eb6172bf85caadcbe2a2a602aa652106ab4c510d2acdb490cc68c4586e6b2f
SHA512

01260bea8296e783310af7e4e407f4eef32e14e51e20627ce4454a31c3b55d7595a7e055e3308d618330f9e23837634a4f25e7c23c5965920a7c3ca5e7944310
SSDEEP

24576:JJDagZrAvGOYyNzpofa4Sr9kzGXWC0oqkASl3qbXKAhtKxYTOOCluuTqAx:L+gd6SyNFo+Yx0qpy6rKwxTL8BDx

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195c6-626.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2580	Install.exe
2752	HWV.exe

Loads dropped DLL 8 IoCs

pid	Process
1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
2580	Install.exe
2580	Install.exe
2752	HWV.exe
2752	HWV.exe
2752	HWV.exe
2752	HWV.exe
2752	HWV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HWV Start = "C:\\Windows\\SysWOW64\\MXAWUL\\HWV.exe"	HWV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MXAWUL\HWV.004	Install.exe
File created	C:\Windows\SysWOW64\MXAWUL\HWV.001	Install.exe
File created	C:\Windows\SysWOW64\MXAWUL\HWV.002	Install.exe
File created	C:\Windows\SysWOW64\MXAWUL\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\MXAWUL\HWV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\MXAWUL\	HWV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HWV.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	HWV.exe
2752	HWV.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Token: 33	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Token: 33	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
Token: 33	2580	Install.exe
Token: SeIncBasePriorityPrivilege	2580	Install.exe
Token: 33	2752	HWV.exe
Token: SeIncBasePriorityPrivilege	2752	HWV.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2752	HWV.exe
2752	HWV.exe
2752	HWV.exe
2752	HWV.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2580	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2580	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2580	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2580	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2580	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2580	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2580	1976	aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2752	2580	Install.exe	31
PID 2580 wrote to memory of 2752	2580	Install.exe	31
PID 2580 wrote to memory of 2752	2580	Install.exe	31
PID 2580 wrote to memory of 2752	2580	Install.exe	31
PID 2580 wrote to memory of 2752	2580	Install.exe	31
PID 2580 wrote to memory of 2752	2580	Install.exe	31
PID 2580 wrote to memory of 2752	2580	Install.exe	31

C:\Users\Admin\AppData\Local\Temp\aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aac9e11b8c8b56cd755ed43dfa602f1b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.11.1.06\2011.08.01T09.59\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.11.1.06\2011.08.01T09.59\Native\STUBEXE\@SYSTEM@\MXAWUL\HWV.exe
    "C:\Windows\system32\MXAWUL\HWV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MXAWUL\AKV.exe

Filesize
489KB

MD5
0725c70d7b45945089905464a2710dc8

SHA1
a47223eb378919afc8c2a6af6b031bca12eacaae

SHA256
5340cf0385c1ccf9a5f01e9bbcb68474d5760c1c60bd87772fbd8a498208a3c5

SHA512
3b95b3c582c2df9a59c2aaa5e9f04ea093dda8b53a7df4b966d46c6f61643e8beed3e3cca0e784301f5f14ea17e2520ecf10dca0ae805e5b31bd51ac94d10888

Download Submit
C:\Windows\SysWOW64\MXAWUL\HWV.001

Filesize
61KB

MD5
513c67ebf0379f75a6920540283a4579

SHA1
2fe191acb478d62026a8dbf63f65619d168ddee6

SHA256
8f636876880c59251548fca626731e648553e0b81b02f4667c22cbfadfbd6e30

SHA512
2330f5bbd8d7de91473430bc35a125fe13b261afa5b4ef9533d4d6ebcde6cfe27f705fccbdefa092eb9123eb33dcc1448deab72adab981726517afe458beb01d

Download Submit
C:\Windows\SysWOW64\MXAWUL\HWV.002

Filesize
44KB

MD5
1db8aa9ffda07a5f5559cbf25087147b

SHA1
eea77894bff8e24fb0861159927f67decb629184

SHA256
8cf369255b48195b8ecec1c7bf2e76924641880aa7311e6cf504ca534bbfcd62

SHA512
b9f80191dd8975c2e484eeec1bc7c6212d1b614061e69d96eda87b7a061a78a34de220f22607c3eb1c0fa37f152744a5c8f65a896e2884a9daf969db54a11704

Download Submit
C:\Windows\SysWOW64\MXAWUL\HWV.004

Filesize
1KB

MD5
cfea3e8a79fbaebcaad0e04723e35c7e

SHA1
d54db6c855a150cc67e9366cea59f7dcdb403883

SHA256
60dec7ee816cfb45018149b01c2b7c648139f43af159d318567294e2d8ed4466

SHA512
474f8f1adb15f0565a54a14c1599d7b2d5ea330e63b113802b0776990480bd45a4dd74545565107428723f918003d28e662b483b7f749a4795a3826333d60eda

Download Submit
C:\Windows\SysWOW64\MXAWUL\HWV.exe

Filesize
1.7MB

MD5
7dc8f94e34ad6f38e94f957043c39617

SHA1
081a26dc478bd3de6f2889b9c8da8b2e79723d8b

SHA256
618fb51d23c0ca116dbd24dc5e0240ebda862e405283d64871549321fde08202

SHA512
539c239670369f34e7907d072bdf6b91becb927454db3212b0c307363289b1900edffa2f9fac22d3d14435fcee28b7bdeee1f039f027d74f84627c85774b9f56

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.11.1.06\2011.08.01T09.59\Native\STUBEXE\@SYSTEM@\MXAWUL\HWV.exe

Filesize
17KB

MD5
6c12dde03c841adf993fce8f4e4b7769

SHA1
319cb07bef797b7dc375280352b975b53cfe4710

SHA256
2e2e34855af6c0ea687d9766edbec5a48462000d5fd4165a47b4bf0f2209e4d7

SHA512
564b02e328924ba9937a7a75998d7cee359ae44047824a520defd986b8314a11a3a53054b62d3d4c74cbeaf6f2677bb0b0adb39819cd1231f408a311158333bb

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.11.1.06\2011.08.01T09.59\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe

Filesize
17KB

MD5
12b09314548b3e50e141181c1504ea3b

SHA1
8d5dc4880b2ff013b9c035fa915ce375f188e691

SHA256
0821e53c67596a80608dc5d48df3c0e52009575b7d1b20411b5c241b3efc2f3a

SHA512
bcbb065871a6e93a97482275dae7da57949ff8ab47787b6fa017f83651394bc5035aae144bd63a8ce5fd755dddcd4db08b35046ff476050b42a7c8498d8fbbcb

Download Submit
memory/1976-191-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-104-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-21-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-19-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-17-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-15-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-13-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-11-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-9-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-7-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-5-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-3-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-1-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-58-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-160-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/1976-195-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-209-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-202-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-194-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/1976-25-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-177-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-158-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-143-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-23-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-83-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/1976-80-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-63-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-64-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-61-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-59-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-55-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-53-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-51-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-49-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-47-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-43-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-41-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-39-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-37-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-35-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-27-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-0-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-33-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-32-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

Filesize
4KB

Download
memory/1976-31-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-229-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-228-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download
memory/1976-944-0x00000000005F0000-0x000000000065C000-memory.dmp

Filesize
432KB

Download