ardamax | d9f9b12f1ecc9bbcc8d5eef4f12978163ff31968ee4391840ad99739cc6aebeb

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe
Size

610KB
MD5

b355c411a253c37f48d84aac1040c20f
SHA1

0334fde6af352c24fe91432413e7aa14dd24abf3
SHA256

d9f9b12f1ecc9bbcc8d5eef4f12978163ff31968ee4391840ad99739cc6aebeb
SHA512

3202bd6b6c795a9a22c10db9d64b0222884d24964abf1495f3bb348c83e397dab41dc9d252fcbb7e4be3050e118cec6c6c5714283bd080c69ddcc80c13e63d61
SSDEEP

12288:vQHBLPUakcWb7ewCTpO6ekNyz0Ie8kgOLQZEYhQBVfI3795vx7O:vQHBLPJnWb70TyAF8VZ3QBS377x7O

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001749c-31.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2852	explore.exe
2596	WindowsONHD.exe

Loads dropped DLL 6 IoCs

pid	Process
2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe
2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe
2852	explore.exe
2852	explore.exe
2852	explore.exe
2852	explore.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsONHD Agent = "C:\\WindowsONHD.exe"	WindowsONHD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsONHD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3060	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2596	WindowsONHD.exe
Token: SeIncBasePriorityPrivilege	2596	WindowsONHD.exe
Token: SeIncBasePriorityPrivilege	2596	WindowsONHD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2596	WindowsONHD.exe
2596	WindowsONHD.exe
2596	WindowsONHD.exe
2596	WindowsONHD.exe
2596	WindowsONHD.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2852	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2852	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2852	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2852	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2852	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2852	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2852	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2596	2852	explore.exe	32
PID 2852 wrote to memory of 2596	2852	explore.exe	32
PID 2852 wrote to memory of 2596	2852	explore.exe	32
PID 2852 wrote to memory of 2596	2852	explore.exe	32
PID 2852 wrote to memory of 2596	2852	explore.exe	32
PID 2852 wrote to memory of 2596	2852	explore.exe	32
PID 2852 wrote to memory of 2596	2852	explore.exe	32
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 2148 wrote to memory of 3060	2148	b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe	33
PID 3060 wrote to memory of 2592	3060	POWERPNT.EXE	34
PID 3060 wrote to memory of 2592	3060	POWERPNT.EXE	34
PID 3060 wrote to memory of 2592	3060	POWERPNT.EXE	34
PID 3060 wrote to memory of 2592	3060	POWERPNT.EXE	34
PID 2596 wrote to memory of 1236	2596	WindowsONHD.exe	35
PID 2596 wrote to memory of 1236	2596	WindowsONHD.exe	35
PID 2596 wrote to memory of 1236	2596	WindowsONHD.exe	35
PID 2596 wrote to memory of 1236	2596	WindowsONHD.exe	35
PID 2596 wrote to memory of 1236	2596	WindowsONHD.exe	35
PID 2596 wrote to memory of 1236	2596	WindowsONHD.exe	35
PID 2596 wrote to memory of 1236	2596	WindowsONHD.exe	35

C:\Users\Admin\AppData\Local\Temp\b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b355c411a253c37f48d84aac1040c20f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\explore.exe
  "C:\Users\Admin\AppData\Local\Temp\explore.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\WindowsONHD.exe
    "C:\WindowsONHD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\WINDOW~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1236
- C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\testdepersonalitate.pps"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explore.exe

Filesize
503KB

MD5
7f926e863b7c34b003bb7fc5df173a33

SHA1
ad297d17335fc14cf906c919b4455692b76086e7

SHA256
c7390b9947df93a11386d25b4a4e2245e8be2ac40e57a49c2c5e6dcccce3ba26

SHA512
a2ad14e7a4e8670e74d3414cc511cafa0673ed8b09680f375a0ed3b7a4103c6b6da740fc19b8528fc8769f3ddafcc49272d89d0e7478a12b7bc80037abf6079d

Download Submit
C:\Users\Admin\AppData\Local\Temp\testdepersonalitate.pps

Filesize
238KB

MD5
12b4c4abf7268204beed8f9d90070299

SHA1
bcb0c3ff52103cc0a2842bb843be5155add21337

SHA256
35c4b64712ca242a779cc473b743df0a5beb3249b457ce059f15dd2906bca109

SHA512
4b2ece2639d5ddeff4ec95fca5ff1d7af837ad4bd914a41648958fc4bbcb3979ed9ef7b01f87e04f5017d52cccc410d50b4b934fcb85df1e895597681c1b526f

Download Submit
C:\WindowsONHD.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
C:\\WindowsAKV.exe

Filesize
393KB

MD5
24781fcca21b8baca869cf2307d7f9f4

SHA1
148ed81fc561c9547ce4203926bf742162b177dd

SHA256
0e0aa9ae7d0ff11c8757768527ca3ae61f56d51cb645e88421d4905db14c5032

SHA512
e2769dc1194a909c9a9fc42faefc5c67c94297eded8cd95c8b4de5f1b5666ddbfd14fb5fdff0811c2840c6e318ff60b80693eaa78be3f7904887aa2122ae5b5a

Download Submit
C:\\WindowsONHD.001

Filesize
394B

MD5
37ce9749d0ff9e73669d780a2ec66975

SHA1
9abe12face6bb67c93856fe9620a944d12a5331e

SHA256
83df545731a98efd17eb197a5581995b925ada44b0c53dec376596d98ac26444

SHA512
49a79bbbb57428cb9c1f71edb13e3b08883048fc13f5b3083cf80da0f01038903c4dd6e04223e46c321e37c655de7b520f5fa73bce9f3f4cf34dd36bdc9e951f

Download Submit
C:\\WindowsONHD.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\\WindowsONHD.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
\Users\Admin\AppData\Local\Temp\@E659.tmp

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
memory/2596-39-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2596-38-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3060-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3060-41-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/3060-40-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads