ardamax | e8ac6b3824d1bed128fdd94217c2ed21afc24f7660ef5da10e56aa072ad6179f

General

Target

a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
Size

1.9MB
MD5

a5388a0dafc6e7bbdfbf06e8d8aa06f1
SHA1

8d4955a7b85b384e4a242dd60287283ac0d7c8b0
SHA256

e8ac6b3824d1bed128fdd94217c2ed21afc24f7660ef5da10e56aa072ad6179f
SHA512

e3192e9ef2860b00104406f33a7621fbc2dad168d8a266b33f33022c94ea83e72d0d329f65b343095956af6cf6884a767a7a01e9e88f5aec668a970fcd540ab9
SSDEEP

49152:QeqsMfH0R8/71XvXlcxUV83mEfrCtKvFVRX1:qsU0R8j1fX+xUqlSKdrX1

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016dc7-8.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2852	OWX.exe
2252	Mu BSK.exe

Loads dropped DLL 4 IoCs

pid	Process
2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
2852	OWX.exe
2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OWX Start = "C:\\Windows\\SysWOW64\\BIYDOY\\OWX.exe"	OWX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BIYDOY\OWX.004	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BIYDOY\OWX.001	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BIYDOY\OWX.002	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BIYDOY\AKV.exe	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BIYDOY\OWX.exe	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\BIYDOY\	OWX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OWX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2852	OWX.exe
Token: SeIncBasePriorityPrivilege	2852	OWX.exe
Token: SeIncBasePriorityPrivilege	2852	OWX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2852	OWX.exe
2852	OWX.exe
2852	OWX.exe
2852	OWX.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2852	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	30
PID 2564 wrote to memory of 2852	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	30
PID 2564 wrote to memory of 2852	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	30
PID 2564 wrote to memory of 2852	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	30
PID 2564 wrote to memory of 2252	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2252	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2252	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2252	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2252	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2252	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2252	2564	a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe	31
PID 2852 wrote to memory of 684	2852	OWX.exe	33
PID 2852 wrote to memory of 684	2852	OWX.exe	33
PID 2852 wrote to memory of 684	2852	OWX.exe	33
PID 2852 wrote to memory of 684	2852	OWX.exe	33

C:\Users\Admin\AppData\Local\Temp\a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5388a0dafc6e7bbdfbf06e8d8aa06f1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\BIYDOY\OWX.exe
  "C:\Windows\system32\BIYDOY\OWX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\BIYDOY\OWX.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
- C:\Users\Admin\AppData\Local\Temp\Mu BSK.exe
  "C:\Users\Admin\AppData\Local\Temp\Mu BSK.exe"
  2⤵
  - Executes dropped EXE
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BIYDOY\AKV.exe

Filesize
463KB

MD5
eb916da4abe4ff314662089013c8f832

SHA1
1e7e611cc6922a2851bcf135806ab51cdb499efa

SHA256
96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

SHA512
d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

Download Submit
C:\Windows\SysWOW64\BIYDOY\OWX.001

Filesize
61KB

MD5
425ff37c76030ca0eb60321eedd4afdd

SHA1
7dde5e9ce5c4057d3db149f323fa43ed29d90e09

SHA256
70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

SHA512
ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

Download Submit
C:\Windows\SysWOW64\BIYDOY\OWX.002

Filesize
43KB

MD5
12fb4f589942682a478b7c7881dfcba2

SHA1
a3d490c6cda965708a1ff6a0dc4e88037e0d6336

SHA256
4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

SHA512
dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

Download Submit
C:\Windows\SysWOW64\BIYDOY\OWX.004

Filesize
1KB

MD5
219fe566b733eddf78f9fc40f4bfe314

SHA1
b50c6e8d39624e04c1506356bb81cc933ab381f4

SHA256
2ab52aa157374c124ee84f672f5b02d7a051da6cee8283172b65ba770b183879

SHA512
415983e859544500119a391ab583a474062884929d268e6d2a48a01be4e2434dccc407216b2d5242b60198b3daec9fb38b4b174f12d8b945381d5e04100987e2

Download Submit
\Users\Admin\AppData\Local\Temp\Mu BSK.exe

Filesize
2.9MB

MD5
aa9d8df49d37f7fff1e2d1f21c157e87

SHA1
56ac7c0e7baed038f9b7976ec7de3b83302e0513

SHA256
c1a638943ca053da4774f6c55a7f0994828fa1b49efac143aa8cf75a97dc98b4

SHA512
a2b8df8546a387ca20f50fa66b49346d68e18a3d32221ed32064b3f90aaabf83306bd4f796eb3fed3a2e28cdde393e3cb803b5bcd6aaa3d6a21258d40b02a785

Download Submit
\Windows\SysWOW64\BIYDOY\OWX.exe

Filesize
1.5MB

MD5
f8530f0dfe90c7c1e20239b0a7643041

SHA1
3e0208ab84b8444a69c8d62ad0b81c4186395802

SHA256
734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

SHA512
5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

Download Submit
memory/2564-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2564-0-0x00000000010C0000-0x00000000012B7000-memory.dmp

Filesize
2.0MB

Download
memory/2564-27-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2564-26-0x00000000010C0000-0x00000000012B7000-memory.dmp

Filesize
2.0MB

Download
memory/2852-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2852-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads