ardamax | 48a9d0ec9c09db1b2654e28c7100591ff7beb1d1fd6b45bd16c0f5c42ce5ff0e

General

Target

59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
Size

541KB
MD5

59cc4a0016162b1afd863eb6a81e3c81
SHA1

e26e78eba39cd6f2771409ce7994c064a9bee967
SHA256

48a9d0ec9c09db1b2654e28c7100591ff7beb1d1fd6b45bd16c0f5c42ce5ff0e
SHA512

d5c4cce7d398252372d6e48f9192041ace3ec9ce0237ebe8e2e1c524cffc943f3b2db6e33096685738e086a6736c79e617ada59a3904821ed7b8391d043439dd
SSDEEP

12288:op1u4Z4zxVS4newVfbcaq2Dm4u+UScPByAyMeXAgQ4e:yk4W1VHVfbcr+US2ypXAL4e

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d49-11.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2948	system32KHPD.exe
2240	CVV Done.exe

Loads dropped DLL 3 IoCs

pid	Process
1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d51-23.dat	upx
behavioral1/memory/2240-28-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral1/memory/2240-41-0x0000000000400000-0x00000000004A3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32KHPD Agent = "C:\\Windows\\system32KHPD.exe"	system32KHPD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32KHPD.001	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
File created	C:\Windows\system32KHPD.006	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
File created	C:\Windows\system32KHPD.007	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
File created	C:\Windows\system32KHPD.exe	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	CVV Done.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	CVV Done.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	CVV Done.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	CVV Done.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CVV Done.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CVV Done.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\International\CpMRU	CVV Done.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	CVV Done.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2948	system32KHPD.exe
Token: SeIncBasePriorityPrivilege	2948	system32KHPD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2948	system32KHPD.exe
2948	system32KHPD.exe
2948	system32KHPD.exe
2240	CVV Done.exe
2240	CVV Done.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2948	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2948	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2948	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2948	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2240	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	31
PID 1672 wrote to memory of 2240	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	31
PID 1672 wrote to memory of 2240	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	31
PID 1672 wrote to memory of 2240	1672	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\system32KHPD.exe
  "C:\Windows\system32KHPD.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\CVV Done.exe
  "C:\Users\Admin\AppData\Local\Temp\CVV Done.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CVV Done.exe

Filesize
241KB

MD5
b0cff1eb76b32171c3ea223fc88fa955

SHA1
e6e816c878582aef557e46ffaa6d5b3a5311c952

SHA256
b21c7f70ff08531eb7020440ccb7a614e6af5af47efee835df115a16fa725ef7

SHA512
8696374ca7b5e710a8c65c3696eb10d2da73a8b9990adb5c9493c9bc1d6c09d957f5311018b3274320f3dc1f3438eb58f374a6f5a2ff5e1535ee8b305bffefd7

Download Submit
C:\Windows\system32KHPD.001

Filesize
426B

MD5
edf8cda8db8dbb0010d4f39897782389

SHA1
7267ef799eef9f6efe677805463f93ef2cc28c18

SHA256
5f85a498ab85cfa70975637c278be5b3d0d040ee129a37583a4778a8ff1e62e7

SHA512
32ff7e5083c6fe157276efd6b0dd11cfb0c7824fc9cb71056788ecb53f79f73b63809607ecea84b5b35addb1078222581d68f8b8bc896b3efe19420e39417620

Download Submit
C:\Windows\system32KHPD.006

Filesize
7KB

MD5
a99d6feb2da75e8f1d9c9d46d4459a74

SHA1
7100341a9e32c7165530af547cb13e953b1119e5

SHA256
1622f91a7f3e2fdfc7cd706e83f0067e4727505135f18abdd3ad34d26ce8c460

SHA512
7b8671e4135f6c2b3e901ed9f55dc71ea02ea2556cc6a6592b8b105a2567063250b46a42553cd5cb7b16f50c3f9c99e7d7ffa817603544c94400ba71ef435ca9

Download Submit
C:\Windows\system32KHPD.007

Filesize
5KB

MD5
fa70ef8037bcf54709d6110d4478470d

SHA1
69d12082fab5f795571c9dc911b0d69a5291dbcc

SHA256
7eca5e4970644920b6bc5ba4d1ba6d68de9cc1305bd4d58b22686bb9f07b70ef

SHA512
ecc0e04e4bf333b3af9ece1c676bc9bd1d53240a56277cce8dde8b44cb19d1c13d8504ac9996c55f858468c24c2331b48786a3eeeb45d77ec01fe23cad5a41ec

Download Submit
C:\Windows\system32KHPD.exe

Filesize
471KB

MD5
0a030ecdc1eac77c8ff2ccf04ec8876b

SHA1
c6040db7b18fb3774dd8e0d177df83359831cc2d

SHA256
f6505512027e614bf93b1a324dee0f21d49b3b80a68f61160dd789013adbb1f4

SHA512
7a981b78635eadb02854e0bfb294b4f1ab79623802188d01c1a3ac71b06b0b42132e6e9544fd54aea8a56a238ac83e86f25382143141e2f6e064573f02662424

Download Submit
\Users\Admin\AppData\Local\Temp\@7E73.tmp

Filesize
4KB

MD5
63eb54f0045c2fd627fcbc817d4c7c81

SHA1
67518aac1cc2466c819759c82c437ea14df01771

SHA256
3dc2e931be9087f54b3662cddf93eeace386050c4308df3e4221aaa3018c3942

SHA512
208cee64b8ec24d698231243e402cd4ccee38b65130f8cbb137db9bcda8e852d6ba7e8b5a39cb65b13fb4ec6355ac57554e0a8fd3cb324d5d68d3839cf29215e

Download Submit
memory/1672-27-0x0000000002A20000-0x0000000002AC3000-memory.dmp

Filesize
652KB

Download
memory/2240-28-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2240-42-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2240-41-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2948-29-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2948-40-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads