ardamax | bcbfda4a835bb1dedb03fe6d518db0d9de7628c1bf6bfa433d5f2207276ec91a

General

Target

8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
Size

1.1MB
MD5

8fc1d5cf93bfd0b52ce6436665c1702c
SHA1

a59b1f611ee9f773430cf65f76d55689d0e72392
SHA256

bcbfda4a835bb1dedb03fe6d518db0d9de7628c1bf6bfa433d5f2207276ec91a
SHA512

4f4c19e418e0ddf19aaa3e09813edf50437985b22cf5ec4a11aaba8008c6189cf6fcdce330ac38ebccde465c2814b32571b3b83640a2cc7af07f3c49efa7fd1f
SSDEEP

24576:rk/AT8THratns/4B4R7gBOvzTxkY0ipPH8qOGRa8KxfrcGUMo94K91gYt:goTALaJMn8iNJxPcdfxTIRx9

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019221-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1264	UKU.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
1264	UKU.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UKU Start = "C:\\Windows\\SysWOW64\\WDYDOS\\UKU.exe"	UKU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WDYDOS\UKU.004	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WDYDOS\UKU.001	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WDYDOS\UKU.002	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WDYDOS\AKV.exe	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WDYDOS\UKU.exe	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WDYDOS\	UKU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UKU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1264	UKU.exe
Token: SeIncBasePriorityPrivilege	1264	UKU.exe
Token: SeIncBasePriorityPrivilege	1264	UKU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1264	UKU.exe
1264	UKU.exe
1264	UKU.exe
1264	UKU.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1264	2420	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1264	2420	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1264	2420	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1264	2420	8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe	30
PID 1264 wrote to memory of 1316	1264	UKU.exe	31
PID 1264 wrote to memory of 1316	1264	UKU.exe	31
PID 1264 wrote to memory of 1316	1264	UKU.exe	31
PID 1264 wrote to memory of 1316	1264	UKU.exe	31

C:\Users\Admin\AppData\Local\Temp\8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8fc1d5cf93bfd0b52ce6436665c1702c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WDYDOS\UKU.exe
  "C:\Windows\system32\WDYDOS\UKU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WDYDOS\UKU.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WDYDOS\AKV.exe

Filesize
465KB

MD5
7c261796de3262bb74be63fb8bda6e9a

SHA1
b1825184f9475d27dfd85f5117f8883b4ef694df

SHA256
9c188aa606974f583562f42839bed29b03c234d85792421f79fe9555cbd0fb2c

SHA512
f5b0a3d5e37dae83df9650c62f0569c29772ea4bb826ce2770acc9a9e7ad30df85ee1a08c50b1f90ac1696a9fb828b24c072e67b354e055615028507bfcac65d

Download Submit
C:\Windows\SysWOW64\WDYDOS\UKU.002

Filesize
43KB

MD5
77362b82823e1f2574eb03f5cb43cefc

SHA1
17aadb08e7baa4fa238e55711fbc76c34eb20e0c

SHA256
54826bef43b2eb9ee7e7a8111bb1c84f477a67f24dd458ea9519109bc8a3f0b3

SHA512
89b76a4cd7f6d24039d3bb1c8cb43bf161afd371a868afa29dd8575a76f0a324ad517697d0163f31703106c3cd5b1f3101850bc3ae268d538a15cbdd55e53630

Download Submit
C:\Windows\SysWOW64\WDYDOS\UKU.004

Filesize
1KB

MD5
2d820c382c6cb02adfaf7511dafc4307

SHA1
a07a8cc0d6c2f1853377e368259c2751733eff0e

SHA256
6bf6c4ba99f8e3021dfbbc341089c8fc17de1be4c8e45c832e8a505466828f3a

SHA512
f3ff905045eb6e1df882db8554a3b48350a3d9a69c1ff2ff86207cf5a0f051053bbc973f1a25984b37eddcf175f25d6e44c0633627fe88d10de93b2d10da0ab2

Download Submit
\Windows\SysWOW64\WDYDOS\UKU.001

Filesize
61KB

MD5
a8ebd13f731b0f5877365ab3df9d3302

SHA1
6deebee7c807e0230a89e5dbb2c77bce26908181

SHA256
a410e1f5b3d0fbcd488c62c29d73b8fe6fd7d491c5de883e8e6c1851016c2db3

SHA512
380422365036b4af0ea9177d2c6b6190cd2b21a63f8621888d3b7cb05dfadebba8b541b17a57381b9c526a322d3b93442a2ecef39596e82c69c5af7fe133de2d

Download Submit
\Windows\SysWOW64\WDYDOS\UKU.exe

Filesize
1.5MB

MD5
4c6099a9c55efb8db04c30d4d7718481

SHA1
21261f03ea185be15a23b50af041af321579c9b7

SHA256
058ff4371212574f0afbd3ca3d9265d744ac84e4d6230df7f032336da619d67a

SHA512
c99d75fe853745d59ebffd316c956eee520aaf84e977130f7743c01bb33b6ced434f1ceeac635ef2c622d452c646fcfc52fdcb659f3a1ff630373aba6d32e0a5

Download Submit
memory/1264-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1264-17-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads