ardamax | fec3db3dd2e8087c7765139b99831978c2b8c71c75af3a801246d29145a3fc95

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe
Size

1.5MB
MD5

d347be73f1fd688c67099e42ddf00a35
SHA1

500ccf5d0a8e0f11c8981e26d0d17debf6fb88f4
SHA256

fec3db3dd2e8087c7765139b99831978c2b8c71c75af3a801246d29145a3fc95
SHA512

81e485ab518d540a2e8e80310628e09bbf0586da93a1f5b921f70ccf578ecdb188d066ed64a73821ffb8906e66edb55709d246f807c4006e81365f9688399758
SSDEEP

49152:itiVS1IQp+dmf0gC0HviHxgl924oMpsL8KlwCU:dVS1I879Pie8/Ks3lwh

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca2-15.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	CND.exe

Executes dropped EXE 3 IoCs

pid	Process
4224	Install.exe
4852	CND.exe
4788	Loader.exe

Loads dropped DLL 2 IoCs

pid	Process
4852	CND.exe
4788	Loader.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CND Start = "C:\\Windows\\SysWOW64\\LNJPYR\\CND.exe"	CND.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LNJPYR\CND.004	Install.exe
File created	C:\Windows\SysWOW64\LNJPYR\CND.001	Install.exe
File created	C:\Windows\SysWOW64\LNJPYR\CND.002	Install.exe
File created	C:\Windows\SysWOW64\LNJPYR\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\LNJPYR\CND.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\LNJPYR\	CND.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CND.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4852	CND.exe
4852	CND.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe
4788	Loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4852	CND.exe
Token: SeIncBasePriorityPrivilege	4852	CND.exe
Token: SeIncBasePriorityPrivilege	4852	CND.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4852	CND.exe
4852	CND.exe
4852	CND.exe
4852	CND.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4224	3400	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe	83
PID 3400 wrote to memory of 4224	3400	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe	83
PID 3400 wrote to memory of 4224	3400	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe	83
PID 4224 wrote to memory of 4852	4224	Install.exe	84
PID 4224 wrote to memory of 4852	4224	Install.exe	84
PID 4224 wrote to memory of 4852	4224	Install.exe	84
PID 3400 wrote to memory of 4788	3400	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe	85
PID 3400 wrote to memory of 4788	3400	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe	85
PID 3400 wrote to memory of 4788	3400	d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe	85
PID 4852 wrote to memory of 320	4852	CND.exe	95
PID 4852 wrote to memory of 320	4852	CND.exe	95
PID 4852 wrote to memory of 320	4852	CND.exe	95

C:\Users\Admin\AppData\Local\Temp\d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d347be73f1fd688c67099e42ddf00a35_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\LNJPYR\CND.exe
    "C:\Windows\system32\LNJPYR\CND.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\LNJPYR\CND.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
1.2MB

MD5
057e2a64a58fe7a57a1d6ac4fa9cec3d

SHA1
f18dffd6d8334ff0ea46d1c4521023d7be4dc09d

SHA256
f44bc416bb4310c6ba8ad84f7adccf4401af491142ca43050bb1b347d9210307

SHA512
9e0c73d5c97f2f22be39557e42b6c739e320f31ec20c5f5ac6dbbaeb91a2530c53556589dded162d999f51a845dda4458a333fa9dc4d5a27be037308f90439fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe

Filesize
908KB

MD5
584d2fa266b49529367230afb154000e

SHA1
6ba7777536f6dbdbb9b775145dce75b9b7b8a3fc

SHA256
ea72850fa9177984ca6e9a9c343c2e0e650d3164ecc03751c045a311c9ce3ef3

SHA512
94706fe404c0dce2521f4e4cf6b048b87959307d2d0f7834831bb485dc98a99a97e9f2229cbf6186e71bda10ed5bd0e7c8caa6fa31c53195b10e75e32ab5edea

Download Submit
C:\Windows\SysWOW64\LNJPYR\AKV.exe

Filesize
485KB

MD5
b905540561802896d1609a5709c38795

SHA1
a265f7c1d428ccece168d36ae1a5f50abfb69e37

SHA256
ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53

SHA512
7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

Download Submit
C:\Windows\SysWOW64\LNJPYR\CND.001

Filesize
61KB

MD5
0e7e847fb96b4faa6cb4d3707a96887e

SHA1
896fd4064044e271312e9128e874108eec69521f

SHA256
c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca

SHA512
ad680ed30b0cabe1be4e7237b8e620060de9c5f64d088d21a6acf6f293551ab4abc10f8f959aa6041e19aeaea538e72beeecc29b7669546a9a151141d4e73684

Download Submit
C:\Windows\SysWOW64\LNJPYR\CND.002

Filesize
43KB

MD5
f195701cf2c54d6ceadad943cf5135b8

SHA1
9beb03fc097fc58d7375b0511b87ced98a423a08

SHA256
177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

SHA512
f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

Download Submit
C:\Windows\SysWOW64\LNJPYR\CND.004

Filesize
1KB

MD5
4de3414223391970c91274ad74d19903

SHA1
36c49c2758a88fc82bbcb625701e1800bf75fcfe

SHA256
366cce19084fced0e1ba6d5eb3152e4a2007ddbefbca4ce001b15d2c31b77bf5

SHA512
7515c753cff477eebbdd818eeefe626b7259f2fb17bb27afc0bf094672599df5141690a61be430d0d9f24e1ca54624db7ccdd6def46a96dfbb7f269ad7f2dc4e

Download Submit
C:\Windows\SysWOW64\LNJPYR\CND.exe

Filesize
1.7MB

MD5
d95623e481661c678a0546e02f10f24c

SHA1
b6949e68a19b270873764585eb1e82448d1e0717

SHA256
cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

SHA512
dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

Download Submit
memory/4788-29-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4852-24-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4852-30-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download