ardamax | d3ab34e0c0049f3b032f2dab67d69c718499d1d23f56652be28cf5517e7232c8

General

Target

55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe
Size

2.0MB
MD5

55391396d2dc9025a3b906ea80be96fe
SHA1

73f2365c5115f42d8be74eb64d77619deec814e9
SHA256

d3ab34e0c0049f3b032f2dab67d69c718499d1d23f56652be28cf5517e7232c8
SHA512

5304f5be5dc8fed7cee151b10e7827fb124516b0000699c5c91da7c8ee6bb31193f2674435cae64de24278163c0ab40ddeed295589fef4693442e8b752c30626
SSDEEP

49152:px+By0ELk6UFJ+BaSmqDXgZzfeuRf0rXVxgSIdhU:TgyrxNXmqTgZreuRLxfU

Score

10^/10

ardamax discovery evasion keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016ddf-17.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2404	Install.exe
2712	WFN.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe
2404	Install.exe
2712	WFN.exe
2748	POWERPNT.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WFN Start = "C:\\Windows\\SysWOW64\\CJFBTY\\WFN.exe"	WFN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CJFBTY\WFN.004	Install.exe
File created	C:\Windows\SysWOW64\CJFBTY\WFN.001	Install.exe
File created	C:\Windows\SysWOW64\CJFBTY\WFN.002	Install.exe
File created	C:\Windows\SysWOW64\CJFBTY\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\CJFBTY\WFN.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\CJFBTY\	WFN.exe
File created	C:\Windows\SysWOW64\CJFBTY\WFN.008	WFN.exe
File opened for modification	C:\Windows\SysWOW64\CJFBTY\WFN.008	WFN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2748	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	WFN.exe
2712	WFN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2712	WFN.exe
Token: SeIncBasePriorityPrivilege	2712	WFN.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe
2712	WFN.exe
2712	WFN.exe
2712	WFN.exe
2712	WFN.exe
2748	POWERPNT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2404	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2404	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2404	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2404	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2404	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2404	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2404	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2748	2936	55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe	31
PID 2404 wrote to memory of 2712	2404	Install.exe	32
PID 2404 wrote to memory of 2712	2404	Install.exe	32
PID 2404 wrote to memory of 2712	2404	Install.exe	32
PID 2404 wrote to memory of 2712	2404	Install.exe	32
PID 2748 wrote to memory of 2916	2748	POWERPNT.EXE	33
PID 2748 wrote to memory of 2916	2748	POWERPNT.EXE	33
PID 2748 wrote to memory of 2916	2748	POWERPNT.EXE	33
PID 2748 wrote to memory of 2916	2748	POWERPNT.EXE	33

C:\Users\Admin\AppData\Local\Temp\55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55391396d2dc9025a3b906ea80be96fe_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\CJFBTY\WFN.exe
    "C:\Windows\system32\CJFBTY\WFN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2712
- C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\Ser_Estrela.pps"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ser_Estrela.pps

Filesize
97KB

MD5
3db9438cd00101ef702a16b03f3596fc

SHA1
026fc1908514db427ae13d5e8e4618a39e57c58f

SHA256
9970400ce8e11a5f9fb85ec833f051899b05144ab4e11dd01a102c34ee298375

SHA512
f15ad5a2e2fc2bae5994e8dc99f8d5a39f2b954a3715218979ec99793e624dfed79c482c97aec6d07f45d24fe0b566362ee10c60227c3d5312f46906c16172a0

Download Submit
C:\Windows\SysWOW64\CJFBTY\AKV.exe

Filesize
489KB

MD5
0725c70d7b45945089905464a2710dc8

SHA1
a47223eb378919afc8c2a6af6b031bca12eacaae

SHA256
5340cf0385c1ccf9a5f01e9bbcb68474d5760c1c60bd87772fbd8a498208a3c5

SHA512
3b95b3c582c2df9a59c2aaa5e9f04ea093dda8b53a7df4b966d46c6f61643e8beed3e3cca0e784301f5f14ea17e2520ecf10dca0ae805e5b31bd51ac94d10888

Download Submit
C:\Windows\SysWOW64\CJFBTY\WFN.001

Filesize
61KB

MD5
513c67ebf0379f75a6920540283a4579

SHA1
2fe191acb478d62026a8dbf63f65619d168ddee6

SHA256
8f636876880c59251548fca626731e648553e0b81b02f4667c22cbfadfbd6e30

SHA512
2330f5bbd8d7de91473430bc35a125fe13b261afa5b4ef9533d4d6ebcde6cfe27f705fccbdefa092eb9123eb33dcc1448deab72adab981726517afe458beb01d

Download Submit
C:\Windows\SysWOW64\CJFBTY\WFN.002

Filesize
44KB

MD5
1db8aa9ffda07a5f5559cbf25087147b

SHA1
eea77894bff8e24fb0861159927f67decb629184

SHA256
8cf369255b48195b8ecec1c7bf2e76924641880aa7311e6cf504ca534bbfcd62

SHA512
b9f80191dd8975c2e484eeec1bc7c6212d1b614061e69d96eda87b7a061a78a34de220f22607c3eb1c0fa37f152744a5c8f65a896e2884a9daf969db54a11704

Download Submit
C:\Windows\SysWOW64\CJFBTY\WFN.004

Filesize
1KB

MD5
eeec5a38e76b052f74adac504b60cbd2

SHA1
cb59d044cdb98efddd05fa8adc2b793242fe3a2d

SHA256
c4c239af40685799884ec36f9d234f1283e609fd22f1e247e191560c8746fe0c

SHA512
e86e0ec21f39889bab6982c09525b269ffc0d74b521a03eb493298f7d67b873f18d55857955642a4dfe8c36466d60d56c0fcd395b71cd0762931dbc91cdc89dc

Download Submit
C:\Windows\SysWOW64\CJFBTY\WFN.008

Filesize
321B

MD5
6b21aea300a5c509332f706e8d85f44e

SHA1
cbdd4ad5bc8f75faf0a98d1de218977ca8fe87f6

SHA256
dbb22bd7b2d383062d492cf369185b0943b500a62e1e22743e4bee9e5c2fd81b

SHA512
d9b4ee22bcc533c76e4c064b076b6ba79035b5448520a05b0d437df71b8ffc8b99c14d3a4f578b750f8f678b848193505fb7e66e242bdca954ab8f135c364f71

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.2MB

MD5
f71c9009359ba522382b0fb4ecf910a3

SHA1
e40eab1618042d0171942b1f36cb149880014fa4

SHA256
197544ca1ae5d15e5bca8c842ec9775e7f4523b40747f41f907512b867bbfb51

SHA512
934e39d8a52f254e299be4204b81012003d3ff11ff0f841045b0226bdc244478d591f12d9eac6f96c30b137f8192185e7103c56d16cfe01109bf4734bf88e15d

Download Submit
\Windows\SysWOW64\CJFBTY\WFN.exe

Filesize
1.7MB

MD5
7dc8f94e34ad6f38e94f957043c39617

SHA1
081a26dc478bd3de6f2889b9c8da8b2e79723d8b

SHA256
618fb51d23c0ca116dbd24dc5e0240ebda862e405283d64871549321fde08202

SHA512
539c239670369f34e7907d072bdf6b91becb927454db3212b0c307363289b1900edffa2f9fac22d3d14435fcee28b7bdeee1f039f027d74f84627c85774b9f56

Download Submit
memory/2748-32-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2748-33-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2936-23-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2936-24-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2936-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2936-2-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads