ardamax | 48a9d0ec9c09db1b2654e28c7100591ff7beb1d1fd6b45bd16c0f5c42ce5ff0e

General

Target

59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
Size

541KB
MD5

59cc4a0016162b1afd863eb6a81e3c81
SHA1

e26e78eba39cd6f2771409ce7994c064a9bee967
SHA256

48a9d0ec9c09db1b2654e28c7100591ff7beb1d1fd6b45bd16c0f5c42ce5ff0e
SHA512

d5c4cce7d398252372d6e48f9192041ace3ec9ce0237ebe8e2e1c524cffc943f3b2db6e33096685738e086a6736c79e617ada59a3904821ed7b8391d043439dd
SSDEEP

12288:op1u4Z4zxVS4newVfbcaq2Dm4u+UScPByAyMeXAgQ4e:yk4W1VHVfbcr+US2ypXAL4e

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023456-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
648	system32KHPD.exe
1240	CVV Done.exe

Loads dropped DLL 6 IoCs

pid	Process
1784	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
648	system32KHPD.exe
648	system32KHPD.exe
648	system32KHPD.exe
1240	CVV Done.exe
1240	CVV Done.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023457-26.dat	upx
behavioral2/memory/1240-29-0x0000000000400000-0x00000000004A3000-memory.dmp	upx
behavioral2/memory/1240-42-0x0000000000400000-0x00000000004A3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32KHPD Agent = "C:\\Windows\\system32KHPD.exe"	system32KHPD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32KHPD.001	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
File created	C:\Windows\system32KHPD.006	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
File created	C:\Windows\system32KHPD.007	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
File created	C:\Windows\system32KHPD.exe	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5060	648	WerFault.exe	85
2096	1784	WerFault.exe	83
1716	1784	WerFault.exe	83

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	648	system32KHPD.exe
Token: SeIncBasePriorityPrivilege	648	system32KHPD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
648	system32KHPD.exe
648	system32KHPD.exe
648	system32KHPD.exe
1240	CVV Done.exe
1240	CVV Done.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 648	1784	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	85
PID 1784 wrote to memory of 648	1784	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	85
PID 1784 wrote to memory of 648	1784	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	85
PID 1784 wrote to memory of 1240	1784	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	87
PID 1784 wrote to memory of 1240	1784	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	87
PID 1784 wrote to memory of 1240	1784	59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59cc4a0016162b1afd863eb6a81e3c81_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\system32KHPD.exe
  "C:\Windows\system32KHPD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 808
    3⤵
    - Program crash
    PID:5060
- C:\Users\Admin\AppData\Local\Temp\CVV Done.exe
  "C:\Users\Admin\AppData\Local\Temp\CVV Done.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 756
  2⤵
  - Program crash
  PID:2096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1032
  2⤵
  - Program crash
  PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1784 -ip 1784
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 648 -ip 648
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1784 -ip 1784
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@882B.tmp

Filesize
4KB

MD5
63eb54f0045c2fd627fcbc817d4c7c81

SHA1
67518aac1cc2466c819759c82c437ea14df01771

SHA256
3dc2e931be9087f54b3662cddf93eeace386050c4308df3e4221aaa3018c3942

SHA512
208cee64b8ec24d698231243e402cd4ccee38b65130f8cbb137db9bcda8e852d6ba7e8b5a39cb65b13fb4ec6355ac57554e0a8fd3cb324d5d68d3839cf29215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVV Done.exe

Filesize
241KB

MD5
b0cff1eb76b32171c3ea223fc88fa955

SHA1
e6e816c878582aef557e46ffaa6d5b3a5311c952

SHA256
b21c7f70ff08531eb7020440ccb7a614e6af5af47efee835df115a16fa725ef7

SHA512
8696374ca7b5e710a8c65c3696eb10d2da73a8b9990adb5c9493c9bc1d6c09d957f5311018b3274320f3dc1f3438eb58f374a6f5a2ff5e1535ee8b305bffefd7

Download Submit
C:\Windows\system32KHPD.001

Filesize
426B

MD5
edf8cda8db8dbb0010d4f39897782389

SHA1
7267ef799eef9f6efe677805463f93ef2cc28c18

SHA256
5f85a498ab85cfa70975637c278be5b3d0d040ee129a37583a4778a8ff1e62e7

SHA512
32ff7e5083c6fe157276efd6b0dd11cfb0c7824fc9cb71056788ecb53f79f73b63809607ecea84b5b35addb1078222581d68f8b8bc896b3efe19420e39417620

Download Submit
C:\Windows\system32KHPD.006

Filesize
7KB

MD5
a99d6feb2da75e8f1d9c9d46d4459a74

SHA1
7100341a9e32c7165530af547cb13e953b1119e5

SHA256
1622f91a7f3e2fdfc7cd706e83f0067e4727505135f18abdd3ad34d26ce8c460

SHA512
7b8671e4135f6c2b3e901ed9f55dc71ea02ea2556cc6a6592b8b105a2567063250b46a42553cd5cb7b16f50c3f9c99e7d7ffa817603544c94400ba71ef435ca9

Download Submit
C:\Windows\system32KHPD.007

Filesize
5KB

MD5
fa70ef8037bcf54709d6110d4478470d

SHA1
69d12082fab5f795571c9dc911b0d69a5291dbcc

SHA256
7eca5e4970644920b6bc5ba4d1ba6d68de9cc1305bd4d58b22686bb9f07b70ef

SHA512
ecc0e04e4bf333b3af9ece1c676bc9bd1d53240a56277cce8dde8b44cb19d1c13d8504ac9996c55f858468c24c2331b48786a3eeeb45d77ec01fe23cad5a41ec

Download Submit
C:\Windows\system32KHPD.exe

Filesize
471KB

MD5
0a030ecdc1eac77c8ff2ccf04ec8876b

SHA1
c6040db7b18fb3774dd8e0d177df83359831cc2d

SHA256
f6505512027e614bf93b1a324dee0f21d49b3b80a68f61160dd789013adbb1f4

SHA512
7a981b78635eadb02854e0bfb294b4f1ab79623802188d01c1a3ac71b06b0b42132e6e9544fd54aea8a56a238ac83e86f25382143141e2f6e064573f02662424

Download Submit
memory/648-30-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/648-44-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1240-29-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1240-42-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads