ardamax | c171fbe95038cdcb85608e60ae07015ad88b3e66287fa78f25e33e2ead9f5d98

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
Size

1.3MB
MD5

d3049dfd8b7df5f039df994c2344b531
SHA1

2e6da8cac9a93cac39cd3524564170f62ceb0a41
SHA256

c171fbe95038cdcb85608e60ae07015ad88b3e66287fa78f25e33e2ead9f5d98
SHA512

82db5c64be3775c056e44f01adf4e4021a3a0a65302b7b28785aa2732b65503beee43cf62f6eb4ebc7da60a18c45acb07bcef183e320f2aefb0d96c35ac19502
SSDEEP

24576:xPQMmtv7LLjFh1RSPDRiDYbfGHCYXdzGNpM5IL8pWm/TTnG1D:pcjLt/gPDAY6HCGsNpMmrmH

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019279-21.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
1856	VMOW.exe
2136	Instalação.exe
2276	is-IB28U.tmp

Loads dropped DLL 10 IoCs

pid	Process
1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
2136	Instalação.exe
2276	is-IB28U.tmp
2276	is-IB28U.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VMOW Agent = "C:\\Windows\\SysWOW64\\28463\\VMOW.exe"	VMOW.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\VMOW.001	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
File created	C:\Windows\SysWOW64\28463\VMOW.006	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
File created	C:\Windows\SysWOW64\28463\VMOW.007	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
File created	C:\Windows\SysWOW64\28463\VMOW.exe	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
File created	C:\Windows\SysWOW64\28463\AKV.exe	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2476	1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VMOW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Instalação.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-IB28U.tmp

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25E609E1-B259-11CF-BFC7-444553540000}	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25E609E0-B259-11CF-BFC7-444553540000}	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2476	1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2476	1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2476	1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2476	1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2476	1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe	30
PID 1924 wrote to memory of 2476	1924	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe	30
PID 2476 wrote to memory of 1856	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	31
PID 2476 wrote to memory of 1856	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	31
PID 2476 wrote to memory of 1856	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	31
PID 2476 wrote to memory of 1856	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	31
PID 2476 wrote to memory of 2136	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	32
PID 2476 wrote to memory of 2136	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	32
PID 2476 wrote to memory of 2136	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	32
PID 2476 wrote to memory of 2136	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	32
PID 2476 wrote to memory of 2136	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	32
PID 2476 wrote to memory of 2136	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	32
PID 2476 wrote to memory of 2136	2476	d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0	32
PID 2136 wrote to memory of 2276	2136	Instalação.exe	33
PID 2136 wrote to memory of 2276	2136	Instalação.exe	33
PID 2136 wrote to memory of 2276	2136	Instalação.exe	33
PID 2136 wrote to memory of 2276	2136	Instalação.exe	33
PID 2136 wrote to memory of 2276	2136	Instalação.exe	33
PID 2136 wrote to memory of 2276	2136	Instalação.exe	33
PID 2136 wrote to memory of 2276	2136	Instalação.exe	33

C:\Users\Admin\AppData\Local\Temp\d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0
  "C:\Users\Admin\AppData\Local\Temp\d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\28463\VMOW.exe
    "C:\Windows\system32\28463\VMOW.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\Instalação.exe
    "C:\Users\Admin\AppData\Local\Temp\Instalação.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\is-T78EL.tmp\is-IB28U.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-T78EL.tmp\is-IB28U.tmp" /SL4 $801BC "C:\Users\Admin\AppData\Local\Temp\Instalação.exe" 515504 57856
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\VMOW.001

Filesize
506B

MD5
9ae9266a119971c80e51260f18c7bcbe

SHA1
b38aa6988f1ce98d62d3ef49fb79b203bc529b65

SHA256
414a2e829a3675ba8f963e4d86f945ab5a02ad90f6bd12e33b694a1e27272862

SHA512
99ef050a6ea88328cd734d261cba086c7504b2e41fa19c9d3af1fb3167f650cad1e6d548ccc30ae6f582631a50ce2a640dde7d37697fb49cd6517fb8d9b0d212

Download Submit
C:\Windows\SysWOW64\28463\VMOW.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\VMOW.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
\Users\Admin\AppData\Local\Temp\@BD27.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
\Users\Admin\AppData\Local\Temp\ArmB960.tmp

Filesize
64KB

MD5
cdf9f21934221a77a7d3903378101f9b

SHA1
9f4d5dc0c2332a3c253666a64370aeba3b678287

SHA256
3648ce2ea7bdfce9c03df670088cbed0a5411513ad5a9d0d8e997483ad52c845

SHA512
904bdb088c03ac5d869148d7461775731f25724f14331a1ca6d78969293f6f20052a31a19bb263245931374bee4e3c3a873043310d3096c815feac2225b41ee7

Download Submit
\Users\Admin\AppData\Local\Temp\Instalação.exe

Filesize
739KB

MD5
c7149f2278d7d0e8d365ed3d1231522b

SHA1
4ea7cf500fcff031e9ed8aaef61880f5b42124fd

SHA256
7db64c578ec504a4314aa009e56ec92b410e710864f5d7066c684dbdf81d724e

SHA512
68551f23b74c235c1fa8c4a1b62dbbde25f32c3912350726e5497a7696b5f24c828c7fee170160a8fa844b16b9eba476ef6983c7e1e808a92f97936cb90d4b64

Download Submit
\Users\Admin\AppData\Local\Temp\d3049dfd8b7df5f039df994c2344b531_JaffaCakes118.TMP0

Filesize
1.2MB

MD5
63a6cb339c6c767b1cfb953bf348349e

SHA1
b80b295b7f7ed4e1a220ab30915da9c99fe531d4

SHA256
82269aeaba8a142daf07df618a58b0701a21214e3a425d5351c13c57dae8369c

SHA512
9bdbe2fa6c7dbefa56b7e9ca54edc946526867f80ea10c70c680cd1258a996f7ffaccbd6eaaa9ce533a952a392dc83e7b6ad1f845ab94d0e310b9297e572ebed

Download Submit
\Users\Admin\AppData\Local\Temp\is-PS0LR.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-T78EL.tmp\is-IB28U.tmp

Filesize
658KB

MD5
e711094d2b48a25473d89db23441e0a9

SHA1
9079041a9c1500ac3a3f76dd2f59053314889fca

SHA256
b56ea3b68cc5678ab082e48c3a2696381dd8cac7dd549016897b0bcc9d8052be

SHA512
eef3228bef9a2d444b6bacee72c8b31803da4c912bf03c8271c5b9c21859dcd9b918639d98b85dee01dbb822b99fa15a2c0e23008cebee46f18b4b18f0e15eae

Download Submit
\Windows\SysWOW64\28463\VMOW.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
memory/1856-42-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2136-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2136-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2276-61-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-63-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-65-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-67-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-69-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-71-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-73-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-75-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-77-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-79-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-81-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-83-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-85-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2276-87-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads