ardamax | 64e55e5730994d0952a6f5948a07cefbf2354da46a5cfd8068ba7affbd25aaf2

General

Target

2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe
Size

384KB
MD5

2a5e4b9e6d3db5f60bba82d23d4c0884
SHA1

a7effc7df85213e38ec730a6681919a5edb58c58
SHA256

64e55e5730994d0952a6f5948a07cefbf2354da46a5cfd8068ba7affbd25aaf2
SHA512

a15d20fc344612bcc266ed5c304e5e855d2c0a1d8c54275db09aca9b7afa1951b552b9b4f14009178ddb445792e942d0e96daaa7e7aca086fd26b4cf80338e56
SSDEEP

6144:xRXp9QioW5BBk3IfXHVUH+alDhS3Ec0Um2dTcy3hl5bbls6FOB:191RBjf6H+aes9GPhl5NZFOB

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016c5a-26.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2408	Install.exe
2172	Habbox Scriptor V2.11.4.exe
1648	WARW.exe

Loads dropped DLL 13 IoCs

pid	Process
1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe
1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe
2408	Install.exe
2408	Install.exe
2408	Install.exe
2408	Install.exe
2408	Install.exe
2408	Install.exe
1648	WARW.exe
1648	WARW.exe
1648	WARW.exe
1648	WARW.exe
1648	WARW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WARW Agent = "C:\\Windows\\SysWOW64\\28463\\WARW.exe"	WARW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\WARW.001	Install.exe
File created	C:\Windows\SysWOW64\28463\WARW.006	Install.exe
File created	C:\Windows\SysWOW64\28463\WARW.007	Install.exe
File created	C:\Windows\SysWOW64\28463\WARW.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	WARW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1648	WARW.exe
Token: SeIncBasePriorityPrivilege	1648	WARW.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1648	WARW.exe
1648	WARW.exe
1648	WARW.exe
1648	WARW.exe
1648	WARW.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2408	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2408	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2408	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2408	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2408	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2408	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2408	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2172	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	31
PID 1496 wrote to memory of 2172	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	31
PID 1496 wrote to memory of 2172	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	31
PID 1496 wrote to memory of 2172	1496	2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe	31
PID 2408 wrote to memory of 1648	2408	Install.exe	32
PID 2408 wrote to memory of 1648	2408	Install.exe	32
PID 2408 wrote to memory of 1648	2408	Install.exe	32
PID 2408 wrote to memory of 1648	2408	Install.exe	32
PID 2408 wrote to memory of 1648	2408	Install.exe	32
PID 2408 wrote to memory of 1648	2408	Install.exe	32
PID 2408 wrote to memory of 1648	2408	Install.exe	32

C:\Users\Admin\AppData\Local\Temp\2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a5e4b9e6d3db5f60bba82d23d4c0884_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\28463\WARW.exe
    "C:\Windows\system32\28463\WARW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1648
- C:\Users\Admin\AppData\Local\Temp\Habbox Scriptor V2.11.4.exe
  "C:\Users\Admin\AppData\Local\Temp\Habbox Scriptor V2.11.4.exe"
  2⤵
  - Executes dropped EXE
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\WARW.001

Filesize
390B

MD5
b24be27e37a735b0892408c3f7d5012e

SHA1
5f397ceeac75ce14f513511b369c267b12ca8a3a

SHA256
b282aae37076556412aab14366e98f6e1fe9a2ea5c4a0d2879a49c7ad74580d9

SHA512
570bec391de6dee898a808ce8f1cb82b7323ffce8268cfa9d75ae0471bfe2d52747eb85303132aa050bdcaec7c790c5a8b826259e0804b9dc5f520da03db8895

Download Submit
C:\Windows\SysWOW64\28463\WARW.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
C:\Windows\SysWOW64\28463\WARW.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
\Users\Admin\AppData\Local\Temp\@9D87.tmp

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
\Users\Admin\AppData\Local\Temp\Habbox Scriptor V2.11.4.exe

Filesize
44KB

MD5
a9277ad3eaacb0c9c4a7d348d8474ce6

SHA1
c104b037671d0a3ba68b4cb4d43e2621f7c6ed94

SHA256
a409541fd1d9de9d3b5b193843bbcc44d9f7ae96baae562820c627e5cac3a58f

SHA512
6d69f899114c4aa19305fd3f9535a4e9487622bdd29718d4977ab283a9ec8a2d5041d15562630e548b11f67cca8612143518a211d1f7d1cbfa432c658660ebd4

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
429KB

MD5
ccf359953565928994825c2edab6f5f6

SHA1
f4b785599aab90973e77a7bbd38580c41b6f50ab

SHA256
4d756080763e6600461849c7f02f492420a7a26690bdb18fe1fc67f26b34a0ba

SHA512
891b86bb667b5fa8fc9b7b9d6545265b993c4db6ea1081eb29c62a78439aac94b1ce3d453864a6f2b4bc40291dad8f31ff1119e3accc4d5cd36a10dc06be72de

Download Submit
\Windows\SysWOW64\28463\WARW.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
memory/2172-22-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

Filesize
4KB

Download
memory/2172-39-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-40-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-46-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2172-47-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads