ardamax | cf7b2b68f82c522af77792d163076ae55efa43f11b293a2a51cce59c4ba60e93

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeb56fe0e91582bf502e6ce21cc5be5b_JaffaCakes118.exe
Size

832KB
MD5

aeb56fe0e91582bf502e6ce21cc5be5b
SHA1

b2394be8100b5bbe11d5bd83f92b495c603fb188
SHA256

cf7b2b68f82c522af77792d163076ae55efa43f11b293a2a51cce59c4ba60e93
SHA512

dca167732348ce70b9ca4aa4aaeecb9fd2fb1ece9b80a612ecd601da99148df0124a366e2808db1e37f66b7499623bb148cf4ea1e183e63b82eef093727bc5ee
SSDEEP

24576:TNbuWqe4nJsNRkpNX7JCLmA3VDLywpfPh:0WqLqrkzVCLd3FLz3

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c8b-22.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	X28.exe

Executes dropped EXE 2 IoCs

pid	Process
1852	X28.exe
4032	EFAK.exe

Loads dropped DLL 4 IoCs

pid	Process
1852	X28.exe
4032	EFAK.exe
4032	EFAK.exe
4032	EFAK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EFAK Agent = "C:\\Windows\\SysWOW64\\28463\\EFAK.exe"	EFAK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\EFAK.001	X28.exe
File created	C:\Windows\SysWOW64\28463\EFAK.006	X28.exe
File created	C:\Windows\SysWOW64\28463\EFAK.007	X28.exe
File created	C:\Windows\SysWOW64\28463\EFAK.exe	X28.exe
File created	C:\Windows\SysWOW64\28463\key.bin	X28.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	X28.exe
File opened for modification	C:\Windows\SysWOW64\28463	EFAK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeb56fe0e91582bf502e6ce21cc5be5b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	X28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFAK.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\MiscStatus\ = "0"	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\MiscStatus	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\InProcServer32\	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\0\win32\	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\0\win32\ = "%systemroot%\\SysWow64\\certenc.dll"	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\VersionIndependentProgID\	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\MiscStatus\	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\VersionIndependentProgID	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\ = "Jadidevwa.Ojiwehlor.Debin class"	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\FLAGS\	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\TypeLib\	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\VersionIndependentProgID\ = "ShellNameSpace.ShellNameSpace"	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\0	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\0\win32	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\InProcServer32	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\ = "CertEnc 1.0 Type Library"	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\0\	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\FLAGS	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\TypeLib\ = "{C3A183CD-68AB-6697-E29A-8B430A858F2E}"	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\ProgID	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\ProgID\	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3A183CD-68AB-6697-E29A-8B430A858F2E}\1.0\FLAGS\ = "0"	EFAK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\TypeLib	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\InProcServer32\ = "C:\\Windows\\SysWOW64\\ieframe.dll"	EFAK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5AA767B-E3DE-4E4D-FEA4-794A57431BA5}\ProgID\ = "ShellNameSpace.ShellNameSpace.1"	EFAK.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4032	EFAK.exe
Token: SeIncBasePriorityPrivilege	4032	EFAK.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4032	EFAK.exe
4032	EFAK.exe
4032	EFAK.exe
4032	EFAK.exe
4032	EFAK.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 1852	4504	aeb56fe0e91582bf502e6ce21cc5be5b_JaffaCakes118.exe	82
PID 4504 wrote to memory of 1852	4504	aeb56fe0e91582bf502e6ce21cc5be5b_JaffaCakes118.exe	82
PID 4504 wrote to memory of 1852	4504	aeb56fe0e91582bf502e6ce21cc5be5b_JaffaCakes118.exe	82
PID 1852 wrote to memory of 4032	1852	X28.exe	83
PID 1852 wrote to memory of 4032	1852	X28.exe	83
PID 1852 wrote to memory of 4032	1852	X28.exe	83

C:\Users\Admin\AppData\Local\Temp\aeb56fe0e91582bf502e6ce21cc5be5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aeb56fe0e91582bf502e6ce21cc5be5b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\X28.exe
  C:\Users\Admin\AppData\Local\Temp\X28.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\28463\EFAK.exe
    "C:\Windows\system32\28463\EFAK.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9FE9.tmp

Filesize
4KB

MD5
ccf39f70a662f70e7cae4cfc81255c44

SHA1
00177d41252c2a5322be8e54567a845217072e2c

SHA256
4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

SHA512
2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

Download Submit
C:\Users\Admin\AppData\Local\Temp\X28.exe

Filesize
785KB

MD5
9d52dbee2f408a105ff122730ede9cb7

SHA1
602ad40a4c0ab9d53c515d8199c600ec24d3c493

SHA256
632cffe2ae4edba93cd11bfb921b420ad8abf59fe3ad0a70f0522af6807560e3

SHA512
59f99b1b4f8b3a316433c5855eb3be3b2eb00a229bfcb5d6d20ea0f106b76918e450bc733e0bae63028f075c99759c3bd818a7ed500b2867d2c45082b18cf8ed

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
828586f5f9fd7e6bd99401fe7cece954

SHA1
8eb70f4af2cec3c3dd3ec1491913369e99b7b874

SHA256
02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

SHA512
16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

Download Submit
C:\Windows\SysWOW64\28463\EFAK.001

Filesize
510B

MD5
87ee8d6452097adf270b44337fb30727

SHA1
74a1ce5c2830b46039753cd9b534c9cd5556a9c3

SHA256
0c4979aa6f1d56b2c51cc4250df791c5e058bc3c220cb1e3f85bdda2d3216af9

SHA512
095354cd7cea15ad6f2d9968853682fc6f46faa91a96730ed1fb7f19da8a4e7a611dfa7ec2c0902cbc185e5a8162fe74ea1df4fbb8edf95fea02bc826e811360

Download Submit
C:\Windows\SysWOW64\28463\EFAK.006

Filesize
8KB

MD5
69db8c925f2dd8136d956a086ed1ee41

SHA1
9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

SHA256
984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

SHA512
fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

Download Submit
C:\Windows\SysWOW64\28463\EFAK.007

Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\EFAK.exe

Filesize
648KB

MD5
c5ca2c96edc99cf9edf0f861d784209a

SHA1
6cb654b3eb20c85224a4849c4cc30012cabbdbaa

SHA256
0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

SHA512
aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/4032-36-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4032-31-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/4032-40-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4032-39-0x0000000003210000-0x0000000003213000-memory.dmp

Filesize
12KB

Download
memory/4032-38-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/4032-37-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4032-61-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4032-35-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4032-34-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4032-33-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4032-32-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4032-42-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4032-46-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4032-47-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/4032-45-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4032-43-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4032-41-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4032-26-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4032-57-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4032-55-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4032-56-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/4504-18-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4504-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads