ardamax | 1e015c01fc64bad487f2cef9b06b2a5c5d1d5f7df4512f485ae333216266e377

General

Target

31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe
Size

1.6MB
MD5

31f958f8624db5b61538fd012e6f87d6
SHA1

8b9780bea5aefad8ce478d76a47defb9fda2264b
SHA256

1e015c01fc64bad487f2cef9b06b2a5c5d1d5f7df4512f485ae333216266e377
SHA512

b9c128060b0818ec6fbdc9f7d523ce8e36d409ed123354eb4d4372818aa5dda180f83b18911e649b52d97af14096a11134b20330e76d495573bed7fdfc411f89
SSDEEP

24576:ULKPaiIAzt2Thhafz7qeKcCO7Osr6QxU5orKnXypKyAjVMCJLEXICQ7aIbfMe:qVeKdkU5dH+pWaI

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018b89-36.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1632	process32.exe
2672	DGR.exe

Loads dropped DLL 6 IoCs

pid	Process
2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe
2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe
1632	process32.exe
2672	DGR.exe
2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe
2288	DllHost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGR Start = "C:\\Windows\\SysWOW64\\NLEJDX\\DGR.exe"	DGR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\mZOeZABoKJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tempfile.exe\""	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NLEJDX\DGR.004	process32.exe
File created	C:\Windows\SysWOW64\NLEJDX\DGR.001	process32.exe
File created	C:\Windows\SysWOW64\NLEJDX\DGR.002	process32.exe
File created	C:\Windows\SysWOW64\NLEJDX\AKV.exe	process32.exe
File created	C:\Windows\SysWOW64\NLEJDX\DGR.exe	process32.exe
File opened for modification	C:\Windows\SysWOW64\NLEJDX\	DGR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe
Token: 33	2672	DGR.exe
Token: SeIncBasePriorityPrivilege	2672	DGR.exe
Token: SeIncBasePriorityPrivilege	2672	DGR.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2288	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2672	DGR.exe
2672	DGR.exe
2672	DGR.exe
2672	DGR.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 2388 wrote to memory of 1632	2388	31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe	29
PID 1632 wrote to memory of 2672	1632	process32.exe	30
PID 1632 wrote to memory of 2672	1632	process32.exe	30
PID 1632 wrote to memory of 2672	1632	process32.exe	30
PID 1632 wrote to memory of 2672	1632	process32.exe	30
PID 2672 wrote to memory of 2696	2672	DGR.exe	32
PID 2672 wrote to memory of 2696	2672	DGR.exe	32
PID 2672 wrote to memory of 2696	2672	DGR.exe	32
PID 2672 wrote to memory of 2696	2672	DGR.exe	32

C:\Users\Admin\AppData\Local\Temp\31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31f958f8624db5b61538fd012e6f87d6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\process32.exe
  C:\Users\Admin\AppData\Local\Temp\\process32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\NLEJDX\DGR.exe
    "C:\Windows\system32\NLEJDX\DGR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\NLEJDX\DGR.exe > nul
      4⤵
      PID:2696

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Autoaimer fix icon.ico

Filesize
9KB

MD5
302943afa67e762092ceda6adf4204d8

SHA1
fd3cb0097cc5dfbcf01fcbfd092a1aefb9e9178e

SHA256
ea1f1cff369723643726ed146acf95b504d0633d8c683fc505d483582ee93d3e

SHA512
eab7c422dd833a32f4dee8a9960108ce452068752e73671d09826f1f520f3cc8be66a496c0f1717b11557b728d029633830b568777d7d55070cd9b011fd666bc

Download Submit
C:\Windows\SysWOW64\NLEJDX\AKV.exe

Filesize
456KB

MD5
48cfaed4d566c34716326302b49bdad2

SHA1
566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

SHA256
54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

SHA512
96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

Download Submit
C:\Windows\SysWOW64\NLEJDX\DGR.001

Filesize
60KB

MD5
a15c556f17d7db8287e023138942d5db

SHA1
880bf8ec944120830dc2e2e040e5996e4e0e6c83

SHA256
f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

SHA512
930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Download Submit
C:\Windows\SysWOW64\NLEJDX\DGR.002

Filesize
43KB

MD5
daabecdfba287a3333b60ae82211acd7

SHA1
e67b4c7bf0dd71ad47263a58bb60be4bce504b84

SHA256
12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

SHA512
937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Download Submit
C:\Windows\SysWOW64\NLEJDX\DGR.004

Filesize
1KB

MD5
582420171cce708889ad8410d95009f0

SHA1
01df12e2c7078138dabac3a89bf29c71a9242d2c

SHA256
b01610c91dd84d9bf228071a268e2f26929f75cf585fb640ac70942d082b41a3

SHA512
8c26a48c168a067640415a7783bcef7ec9f6d9ef7bc8d24e68a386a5adc244219c595eb9e5568d2a1f4cb98ab13ddc9fc884d07a0ff285cd49d052e75ec45b91

Download Submit
\Users\Admin\AppData\Local\Temp\process32.exe

Filesize
5KB

MD5
d2ed8fa3208e702b7d61728af768eed1

SHA1
54094aa272cb866a46c2ca5b56f4a094e0f48ffb

SHA256
9236208e312b2f47a0ef40e59fc0f364fc8e401717e1e46555c26bec8ab3de1f

SHA512
42442dc0b98f2abaea0c6516602d80df8a2a680278ecdc2b96fe5ce44685f7442347fd4ad13d9d99e0330cf0be7c0e9bbf22bd78c0173066221e430203c76313

Download Submit
\Windows\SysWOW64\NLEJDX\DGR.exe

Filesize
1.7MB

MD5
f3819a6cab8ae058254c4abb3844d87e

SHA1
0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

SHA256
3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

SHA512
dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

Download Submit
memory/1632-26-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-10-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-16-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-15-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-12-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-23-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1632-20-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-42-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-18-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1632-32-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2288-52-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2388-2-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-0-0x0000000074651000-0x0000000074652000-memory.dmp

Filesize
4KB

Download
memory/2388-51-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/2388-53-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-1-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads