ardamax | 9b15ac1b8cfbb0ba074be5845c28920a1fd9704b04233becd657fd31afbcd681

General

Target

26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe
Size

807KB
MD5

26ab0665501836a80ddda68cb938d228
SHA1

5e0e62cf589487819b2d46a3099190ebafea7702
SHA256

9b15ac1b8cfbb0ba074be5845c28920a1fd9704b04233becd657fd31afbcd681
SHA512

ce247203e98e4ab10e3e28b69f78e3f606245ac90d027f3ab9cbab03ee90ffa126df233cb7b45ac2bf98e8c1f4d38ac0ed1ff9c77088c5abd01f12e875212891
SSDEEP

24576:UCzL/L/2vehrgp3N0Htq16Qo24aa31+tC++b64ijeu:UC//22hUVN0HtaxC1+tS2reu

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001451d-32.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2752	Install.exe
2084	bioritmai.exe
2732	UMOO.exe

Loads dropped DLL 19 IoCs

pid	Process
2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe
2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe
2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe
2752	Install.exe
2752	Install.exe
2752	Install.exe
2752	Install.exe
2084	bioritmai.exe
2084	bioritmai.exe
2084	bioritmai.exe
2752	Install.exe
2752	Install.exe
2732	UMOO.exe
2732	UMOO.exe
2732	UMOO.exe
2732	UMOO.exe
2084	bioritmai.exe
2732	UMOO.exe
2084	bioritmai.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\UMOO.006	Install.exe
File created	C:\Windows\SysWOW64\28463\UMOO.007	Install.exe
File created	C:\Windows\SysWOW64\28463\UMOO.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	UMOO.exe
File created	C:\Windows\SysWOW64\28463\UMOO.001	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	bioritmai.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2732	UMOO.exe
Token: SeIncBasePriorityPrivilege	2732	UMOO.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2732	UMOO.exe
2732	UMOO.exe
2732	UMOO.exe
2732	UMOO.exe
2732	UMOO.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2752	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2752	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2752	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2752	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2752	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2752	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2752	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2084	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2084	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2084	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2084	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2084	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2084	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2084	2248	26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe	29
PID 2752 wrote to memory of 2732	2752	Install.exe	30
PID 2752 wrote to memory of 2732	2752	Install.exe	30
PID 2752 wrote to memory of 2732	2752	Install.exe	30
PID 2752 wrote to memory of 2732	2752	Install.exe	30
PID 2752 wrote to memory of 2732	2752	Install.exe	30
PID 2752 wrote to memory of 2732	2752	Install.exe	30
PID 2752 wrote to memory of 2732	2752	Install.exe	30

C:\Users\Admin\AppData\Local\Temp\26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26ab0665501836a80ddda68cb938d228_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\28463\UMOO.exe
    "C:\Windows\system32\28463\UMOO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\bioritmai.exe
  "C:\Users\Admin\AppData\Local\Temp\bioritmai.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bioritmai.exe

Filesize
307KB

MD5
861c4003350651d778408caedfa7f9f6

SHA1
f72a1b6d25b0ee344dd1d88a73ec3c2f652fb42f

SHA256
9bd61f9b51edba561f586aa94f842519590b1a4c31cf44d46cfec506b6335489

SHA512
83653e54915181d557084404210680b500a5540bfff13b064f5c2065dd64f5a89dd354f47fcd578fc4ff834578ba183adc6aefb493d50fbdc8cdc7158aa1a211

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adabb1cc5c00784846c6f082f7e95f21

SHA1
0d1bf1674cd5b077e7e601874f3f438d2bcbc690

SHA256
9797854eb963309d21e33e4edb092c01859d00465d7da76aa26d28da54a5f0ed

SHA512
29ca5369514f53721099fd94d4cc50cd02b2815f255026611358c75e9161826fa17ba1043db6aae886adcd45be9616c19e706e405a14a11b24522e5278ca6f5f

Download Submit
C:\Windows\SysWOW64\28463\UMOO.001

Filesize
414B

MD5
b9d30f00a686d8311133fe4367c2150c

SHA1
9bccf96e75c5777b39a86b92e5a8862029f003b6

SHA256
5a40d3158cf29853352b0af51573a0f1bfc02d7a89ba8866bf11a4ada8d362f2

SHA512
4e0640800074de146eba2a6fb02cc42740c2238953b30cf88f55b09b45fd5f65495117459a8761fc7b89e874dec7350cfb16453f4da9c4c4d4eefe6063f002be

Download Submit
C:\Windows\SysWOW64\28463\UMOO.006

Filesize
8KB

MD5
20efb1eb38ad96b4b5e85ed073e21883

SHA1
b2680fe3698d768d1b72eab5afdd2d8b50a89c69

SHA256
dd8045ef5d36c1b053806cef96c77dd2a9ebe4d9e3dcd6c480ef3ec16ff1894f

SHA512
0f5fbe07a3a79f904456d3c112a8508cc2f37a328938b6fd2cef29c5183a404563a8fe21906d48318b5fef4f7326e48afe3d1213a4c913306070e5ebf263ad98

Download Submit
C:\Windows\SysWOW64\28463\UMOO.007

Filesize
5KB

MD5
84dd6324b3dce57f35d7c1d2d1a80492

SHA1
d332d0076613ef7c15f74a3a105b2249654855d3

SHA256
036a3db0118139b5e3767cb3a3714af80e508264ad97fbdeac7f4edf8c9561a9

SHA512
659bb8ed05760b159bef3f587b5c4bcd37dd5e492225a3e7199456381889bf30d0659c36deb4f49fa19347769e3ad9ef75331f300724d39df8fd2ef98c24d6cc

Download Submit
\Users\Admin\AppData\Local\Temp\@81C.tmp

Filesize
4KB

MD5
8ec77ec0a37da46ea4cfe747c450babd

SHA1
cbcdb4fae0aca8a33dae7c4639e1bdfe8480353d

SHA256
366e2c9fc249f38d5f0dda163488dc7c165def62421b34dfbe1c7a39d6bf0453

SHA512
14e7946d352baa8fe8cbacefb267d1de9d0c00af7361d712923bb67c66acc6ac28d4c1be30871676a9a7b1750f17db6ee4df203370b413ab4551faa7a8cc1eeb

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
211b4e2b8eeaa6e84868fe2b49794e8d

SHA1
8c753648ce5246e32c893a01a03351b7c3f0bcfc

SHA256
8dfb8588cf35f4240ec01f0f1fb46632ceadc2b61c2dfd40f4ab51324e087847

SHA512
4a1aab9fe1cdcbf36b4802579231dd68afbcce4d5e307521c5835fbd22cdbd81bafae9b3615c35c2b0f42bdf9460d046f1949c0d342f2e685505d34c8d352152

Download Submit
\Windows\SysWOW64\28463\UMOO.exe

Filesize
473KB

MD5
4d1b16621c0698cc15407296046c5f13

SHA1
895ad41339a41718bd8a7b49fe5f9df5861a5f62

SHA256
2e17c5b2ee80ea87344c586a2049fd96a5a69ef53d9211399f503c62743c181c

SHA512
5c2e431be346dd72e53b37817320f9c2df69823741e3b53313ffbe686266d4903633155f63812e81f605511320ec3b12b87b586bc930393716382af0be474ff8

Download Submit
memory/2084-54-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2084-55-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing