ardamax | 973c3045b2113af75e965c5c02703bb492da27784a35eec9daec4f612afa3631

General

Target

9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
Size

1.1MB
MD5

9cb7c5cad5a958f471389a61cbac67e9
SHA1

e486d6fb3396c91cbc4e1335abcb6a4b8b22d233
SHA256

973c3045b2113af75e965c5c02703bb492da27784a35eec9daec4f612afa3631
SHA512

97943409bc9d6763e527f14c4149673a4b3201897bd6c60752aa83fb8dbbd92bf36c7cc41da1e8ccbf543acc1286c6cc91511505efd7682f3f2b7493d1103275
SSDEEP

24576:PU4oTwAv5mwNTUmbZnBBYv/cgfNGhpoYYbgTVkluYXaVNF9vz1FGVi0jS:PULTwCumzBYXcgX3bSV+xwF9vfGN

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000174af-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2240	CPA.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
2240	CPA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CPA Start = "C:\\Windows\\SysWOW64\\LLEHQU\\CPA.exe"	CPA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LLEHQU\CPA.exe	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LLEHQU\	CPA.exe
File created	C:\Windows\SysWOW64\LLEHQU\CPA.004	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LLEHQU\CPA.001	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LLEHQU\CPA.002	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LLEHQU\AKV.exe	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CPA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2240	CPA.exe
Token: SeIncBasePriorityPrivilege	2240	CPA.exe
Token: SeIncBasePriorityPrivilege	2240	CPA.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2240	CPA.exe
2240	CPA.exe
2240	CPA.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2240	2520	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2240	2520	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2240	2520	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2240	2520	9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2820	2240	CPA.exe	32
PID 2240 wrote to memory of 2820	2240	CPA.exe	32
PID 2240 wrote to memory of 2820	2240	CPA.exe	32
PID 2240 wrote to memory of 2820	2240	CPA.exe	32

C:\Users\Admin\AppData\Local\Temp\9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9cb7c5cad5a958f471389a61cbac67e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\LLEHQU\CPA.exe
  "C:\Windows\system32\LLEHQU\CPA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\LLEHQU\CPA.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\LLEHQU\AKV.exe

Filesize
456KB

MD5
48cfaed4d566c34716326302b49bdad2

SHA1
566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

SHA256
54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

SHA512
96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

Download Submit
C:\Windows\SysWOW64\LLEHQU\CPA.002

Filesize
43KB

MD5
daabecdfba287a3333b60ae82211acd7

SHA1
e67b4c7bf0dd71ad47263a58bb60be4bce504b84

SHA256
12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

SHA512
937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Download Submit
C:\Windows\SysWOW64\LLEHQU\CPA.004

Filesize
1KB

MD5
1374cf35ddad830df70beb1668a6d6dc

SHA1
6616aa81b04d9b25f8c8a3696067474a481509e7

SHA256
ac9f7bfdecefb8670a6dcaa5d6d82dc0cf48bf032f49322f1098a3ea4685072b

SHA512
32e16c076d7e95b1516f67bebf1fd9f15ae7aa0fa4383fb67db2c1599a296ec1d8de570fbda5aeefbc2010f1fa47adb8442ce5acad728bd99e939e10d3d35aab

Download Submit
\Windows\SysWOW64\LLEHQU\CPA.001

Filesize
60KB

MD5
a15c556f17d7db8287e023138942d5db

SHA1
880bf8ec944120830dc2e2e040e5996e4e0e6c83

SHA256
f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

SHA512
930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Download Submit
\Windows\SysWOW64\LLEHQU\CPA.exe

Filesize
1.7MB

MD5
f3819a6cab8ae058254c4abb3844d87e

SHA1
0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

SHA256
3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

SHA512
dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

Download Submit
memory/2240-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2240-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads