ardamax | 8b4ed262efa19f8b56abde205b1039e3f772093a340a6a6957fb11d970044ca8

General

Target

6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe
Size

682KB
MD5

6d855db8cedf0f404b3aac1d3eaeb8cf
SHA1

8db3a2599cbd77db162e7ab29e473fb9610907c6
SHA256

8b4ed262efa19f8b56abde205b1039e3f772093a340a6a6957fb11d970044ca8
SHA512

152ae2a56411822dcdc549cd2ce9a43bc13d97773d518ff35d05bfac92fbe0a33158c8b97f221039226b11ff7067fc20a53d5ba4b86924c6378b71beee50f7ca
SSDEEP

12288:IUz2mZnbPeI99Ejik9rX3T5RC2ytdihgNDmpEENbsz0hts7vY24sXn4ji:bzvpbGI9aX3T5RC2ytdRNmOiozyO7v7b

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000162e3-26.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2824	sxe52A4.tmp
2784	system32TTKD.exe

Loads dropped DLL 4 IoCs

pid	Process
2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe
2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe
2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe
2824	sxe52A4.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32TTKD Agent = "C:\\Windows\\system32TTKD.exe"	system32TTKD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32TTKD.007	sxe52A4.tmp
File created	C:\Windows\system32TTKD.exe	sxe52A4.tmp
File created	C:\Windows\system32AKV.exe	sxe52A4.tmp
File created	C:\Windows\system32TTKD.001	sxe52A4.tmp
File created	C:\Windows\system32TTKD.006	sxe52A4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxe52A4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32TTKD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2784	system32TTKD.exe
Token: SeIncBasePriorityPrivilege	2784	system32TTKD.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1920	DllHost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2784	system32TTKD.exe
2784	system32TTKD.exe
2784	system32TTKD.exe
2784	system32TTKD.exe
2784	system32TTKD.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2824	2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2824	2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2824	2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2824	2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2824	2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2824	2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe	30
PID 2480 wrote to memory of 2824	2480	6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe	30
PID 2824 wrote to memory of 2784	2824	sxe52A4.tmp	31
PID 2824 wrote to memory of 2784	2824	sxe52A4.tmp	31
PID 2824 wrote to memory of 2784	2824	sxe52A4.tmp	31
PID 2824 wrote to memory of 2784	2824	sxe52A4.tmp	31
PID 2824 wrote to memory of 2784	2824	sxe52A4.tmp	31
PID 2824 wrote to memory of 2784	2824	sxe52A4.tmp	31
PID 2824 wrote to memory of 2784	2824	sxe52A4.tmp	31

C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d855db8cedf0f404b3aac1d3eaeb8cf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp
  "C:\Users\Admin\AppData\Local\Temp\sxe52A4.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32TTKD.exe
    "C:\Windows\system32TTKD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2784

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3.JPG

Filesize
50KB

MD5
371f6e8bdbc3cc30160c45ca5cd7d908

SHA1
34de4c638edee0eefb6a74e1e45b726377b1d075

SHA256
8ca32094e55c796691fcd38244bb65b6c3f885a633d14be37f9daef8c75e9b2e

SHA512
7daf11a8d1d921c989ee3c649f4f3a878c0ee5dd41e55b1f1a0e241897952f56cfb508edfc88a0aa2bed9a6f5a34159791395a326cb16ca65501a6322306b41b

Download Submit
C:\Windows\system32TTKD.001

Filesize
400B

MD5
20264c0df8eb2d69e6016fb791e3f146

SHA1
37fff22f166111d44fb9b8e160d78dc357b262b0

SHA256
c3fdb4fa5b54480cb214a683b7a8118a79951db6c4ed8408e9e2d768cbd28bbc

SHA512
83d3c51683de8f09489a21446f5171009c41a7b0d89edf0dbe63487b25ff7b6b139aa3c0f64a45033547988d2da6bd75fd1508f6e99b25d387c37458edd5d74d

Download Submit
C:\Windows\system32TTKD.006

Filesize
7KB

MD5
87ccf7eb039971590aac6f254b2c788a

SHA1
3095496ffd364b32cdbe63ba4dd2f477fd848515

SHA256
59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b

SHA512
d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

Download Submit
C:\Windows\system32TTKD.007

Filesize
5KB

MD5
81938df0dbfee60828e9ce953bdf62e6

SHA1
b1182a051011e901c17eab2e28727bec8db475fb

SHA256
982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98

SHA512
64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

Download Submit
C:\Windows\system32TTKD.exe

Filesize
471KB

MD5
912c55621b4c3f0fb2daef5b4f4f5f4c

SHA1
735701c75569b7563950508afc8948b52e7bf4b2

SHA256
41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0

SHA512
65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

Download Submit
\Users\Admin\AppData\Local\Temp\@52E1.tmp

Filesize
4KB

MD5
b7ea0bc4bb833ab77dce179f16039c14

SHA1
b05cc205aa6ffc60a5316c1d5d3831def5a60c20

SHA256
e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba

SHA512
5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

Download Submit
\Users\Admin\AppData\Local\Temp\sxe52A2.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
\Users\Admin\AppData\Local\Temp\sxe52A4.tmp

Filesize
740KB

MD5
c61cd043b2353595e0497a1d7916126a

SHA1
2644ad6dd86e78835947438acf19bd0ebe732d15

SHA256
c7d8268a8cccccd09665aaef23db71dbf8c3accaa92954847b83992a2147e687

SHA512
f4206cffe12b38d550f44bea5ebee10d4b29c6caf71fb1711a47e8b9fcf8c5ef5ec7f955114a33f761c7f1090fe782f01099e7efac35cc82009b609e5382d064

Download Submit
memory/1920-43-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1920-44-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/1920-36-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2784-41-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2784-42-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2784-34-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2824-39-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2824-35-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads