ardamax | bdc23b06f3d47cee429a63ec619177b9ccd895ced63e89ad42632c2c37e2d422

General

Target

4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe
Size

1.5MB
MD5

4575045c95f494b2ec94f2388cda97e6
SHA1

01506b356aa3ebe240d950ead24bde12c76d8fa7
SHA256

bdc23b06f3d47cee429a63ec619177b9ccd895ced63e89ad42632c2c37e2d422
SHA512

b23c91631be6a82b75ade7997fd1fb1df85876cdcdc0f3cfbbfd35e857605ba8273025437aeeb0fca59ca79c8ec8db107d873f04d2ca1ca08530ea9042f649db
SSDEEP

24576:2sCS7MMHL9cPFx3EW0a44nVY/ZCL/h3CX81K/HW:2BapcPFx3i8u/ZCLp3CGK/HW

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014fa6-13.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1664	Install.exe
2376	NVN.exe
280	Tcpview.exe

Loads dropped DLL 5 IoCs

pid	Process
2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe
1664	Install.exe
2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe
2376	NVN.exe
280	Tcpview.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NVN Start = "C:\\Windows\\SysWOW64\\EPFVWH\\NVN.exe"	NVN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\EPFVWH\NVN.004	Install.exe
File created	C:\Windows\SysWOW64\EPFVWH\NVN.001	Install.exe
File created	C:\Windows\SysWOW64\EPFVWH\NVN.002	Install.exe
File created	C:\Windows\SysWOW64\EPFVWH\NVN.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\EPFVWH\	NVN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
280	Tcpview.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2376	NVN.exe
Token: SeIncBasePriorityPrivilege	2376	NVN.exe
Token: SeIncBasePriorityPrivilege	2376	NVN.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2376	NVN.exe
2376	NVN.exe
2376	NVN.exe
2376	NVN.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1664	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	28
PID 2052 wrote to memory of 1664	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	28
PID 2052 wrote to memory of 1664	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	28
PID 2052 wrote to memory of 1664	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	28
PID 2052 wrote to memory of 1664	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	28
PID 2052 wrote to memory of 1664	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	28
PID 2052 wrote to memory of 1664	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	28
PID 1664 wrote to memory of 2376	1664	Install.exe	29
PID 1664 wrote to memory of 2376	1664	Install.exe	29
PID 1664 wrote to memory of 2376	1664	Install.exe	29
PID 1664 wrote to memory of 2376	1664	Install.exe	29
PID 2052 wrote to memory of 280	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	30
PID 2052 wrote to memory of 280	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	30
PID 2052 wrote to memory of 280	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	30
PID 2052 wrote to memory of 280	2052	4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2272	2376	NVN.exe	33
PID 2376 wrote to memory of 2272	2376	NVN.exe	33
PID 2376 wrote to memory of 2272	2376	NVN.exe	33
PID 2376 wrote to memory of 2272	2376	NVN.exe	33

C:\Users\Admin\AppData\Local\Temp\4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4575045c95f494b2ec94f2388cda97e6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\EPFVWH\NVN.exe
    "C:\Windows\system32\EPFVWH\NVN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\EPFVWH\NVN.exe > nul
      4⤵
      PID:2272
- C:\Users\Admin\AppData\Local\Temp\Tcpview.exe
  "C:\Users\Admin\AppData\Local\Temp\Tcpview.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
897KB

MD5
6535ce6c99debca984c31885e220a5af

SHA1
2a1bdde8c5667202ee71d400d4d45b321c2e3743

SHA256
d50c4191196368f9c7ed099ec5e2e0e7a9e3150167fe9d5e454c5078012df831

SHA512
e3f980a5d3b8aaacda88aeea3d74cd9b7f614f2e9a6f315e861dfc0e1000e4079a82a13856231aaa8fc70cea8af9ff15c805231a5fa8557b96e773a11d750ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcpview.exe

Filesize
292KB

MD5
e567d97018bec01adf3ef18492d41617

SHA1
5213e144a7cf5e0d7faafa0584a58ba43c702fef

SHA256
51c2307fdb7f1481581c97ac47bf954d6d5424f1a4f3f0d06e8169df21ed30cf

SHA512
5047e19dd1a90538d72580943c0ab47feb7c093e276b7013ca1e711100f5e8c088782b8cc92142981351c927e0013aa79c6384e85b48f5c233fba7f36133eaf0

Download Submit
C:\Windows\SysWOW64\EPFVWH\NVN.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\EPFVWH\NVN.004

Filesize
1KB

MD5
f64503eadc437ca3db0b7d86f479fc47

SHA1
f0b4a7c274ec2c84cf36b66fe2f3b1b485525be2

SHA256
f95e4f8824bec4ca4307b6d54da564e656923c1e4c3e566b957cf5afbef7724d

SHA512
340260155e1cbd70e8f632907bfe8f1f1fc79c060213f70e0019cb9e23d292296cb18954e9c93d673ac189a3767c5de5a07acc5389b529827e500028d71e1727

Download Submit
\Windows\SysWOW64\EPFVWH\NVN.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
\Windows\SysWOW64\EPFVWH\NVN.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
memory/2376-30-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads