ardamax | 836afd076b599f14e976ef06cebbcd7b72b35b4122c79cd89de33495d3ff63fb

General

Target

a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe
Size

1.3MB
MD5

a54a4fd833ecce0adc7068e76ff24858
SHA1

7349d70dce9523094d2841b01a66c8081a0644c6
SHA256

836afd076b599f14e976ef06cebbcd7b72b35b4122c79cd89de33495d3ff63fb
SHA512

bcaa6d11eab2bd1e0321653bf48cb64543d7ad02b079b316882e70e7bc26ab604d726d9c75116cb9ccd7e5c8e4c930126fb3bf3eab8c721a040ca3756423de35
SSDEEP

24576:/sJ3+6PBzjkLuQ3M9BZ8/etvcoG7EQM8eqblNwTr1cX1gMpQ0ZQg3bXmXJa:/CXzj489BZ8GiHJeSYuyMpn3bXCc

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001951e-27.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1448	justin facebook freezer.EXE
2412	Install.exe
2756	TQU.exe

Loads dropped DLL 9 IoCs

pid	Process
2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe
2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe
1448	justin facebook freezer.EXE
1448	justin facebook freezer.EXE
2412	Install.exe
2412	Install.exe
2756	TQU.exe
2756	TQU.exe
1448	justin facebook freezer.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	justin facebook freezer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TQU Start = "C:\\Windows\\SysWOW64\\JCVLTI\\TQU.exe"	TQU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\JCVLTI\	TQU.exe
File created	C:\Windows\SysWOW64\JCVLTI\TQU.004	Install.exe
File created	C:\Windows\SysWOW64\JCVLTI\TQU.001	Install.exe
File created	C:\Windows\SysWOW64\JCVLTI\TQU.002	Install.exe
File created	C:\Windows\SysWOW64\JCVLTI\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\JCVLTI\TQU.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justin facebook freezer.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TQU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2756	TQU.exe
Token: SeIncBasePriorityPrivilege	2756	TQU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2756	TQU.exe
2756	TQU.exe
2756	TQU.exe
2756	TQU.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1448	2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1448	2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1448	2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1448	2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1448	2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1448	2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1448	2136	a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2412	1448	justin facebook freezer.EXE	32
PID 1448 wrote to memory of 2412	1448	justin facebook freezer.EXE	32
PID 1448 wrote to memory of 2412	1448	justin facebook freezer.EXE	32
PID 1448 wrote to memory of 2412	1448	justin facebook freezer.EXE	32
PID 1448 wrote to memory of 2412	1448	justin facebook freezer.EXE	32
PID 1448 wrote to memory of 2412	1448	justin facebook freezer.EXE	32
PID 1448 wrote to memory of 2412	1448	justin facebook freezer.EXE	32
PID 2412 wrote to memory of 2756	2412	Install.exe	33
PID 2412 wrote to memory of 2756	2412	Install.exe	33
PID 2412 wrote to memory of 2756	2412	Install.exe	33
PID 2412 wrote to memory of 2756	2412	Install.exe	33
PID 2412 wrote to memory of 2756	2412	Install.exe	33
PID 2412 wrote to memory of 2756	2412	Install.exe	33
PID 2412 wrote to memory of 2756	2412	Install.exe	33

C:\Users\Admin\AppData\Local\Temp\a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a54a4fd833ecce0adc7068e76ff24858_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\justin facebook freezer.EXE
  "C:\Users\Admin\AppData\Local\Temp\justin facebook freezer.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\JCVLTI\TQU.exe
      "C:\Windows\system32\JCVLTI\TQU.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JCVLTI\AKV.exe

Filesize
456KB

MD5
48cfaed4d566c34716326302b49bdad2

SHA1
566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

SHA256
54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

SHA512
96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

Download Submit
C:\Windows\SysWOW64\JCVLTI\TQU.001

Filesize
60KB

MD5
a15c556f17d7db8287e023138942d5db

SHA1
880bf8ec944120830dc2e2e040e5996e4e0e6c83

SHA256
f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

SHA512
930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Download Submit
C:\Windows\SysWOW64\JCVLTI\TQU.002

Filesize
43KB

MD5
daabecdfba287a3333b60ae82211acd7

SHA1
e67b4c7bf0dd71ad47263a58bb60be4bce504b84

SHA256
12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

SHA512
937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Download Submit
C:\Windows\SysWOW64\JCVLTI\TQU.004

Filesize
1KB

MD5
1c96f0825d09ad188bd7bda81beb3b78

SHA1
dcf2d0314da5b10a97e2790ba4911f15ad91d9c6

SHA256
c85b3a0150df0728f0b172fb2903b799b50545db131b8a7dbff2da6f5bfcfbfe

SHA512
0daa0a2ffdbe383b3caad7ae596bd733ebb8c2cd68a0ddd0d5200c82c8a630d0ba4836661caca3170ff244b528209471f7c130ff35dfe6d9422f51021ec88bf7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
1.2MB

MD5
bfc110a567f3ea4ea5308b5e1eced1f5

SHA1
bd8ad8d37a5fffd1d78ada5097d3be99ede4e17c

SHA256
fd283b415991b4d720d207524b6738ca202332f9d20181d5250474a22eca2a94

SHA512
ec8967f4b090472552a1ca0e66692bb037fd0777fbde0180261f22c3aec8e6868b3eaed644f7db1061c976ecb82a1c9fc7ab9a58b94e16f07bdbec2d19372312

Download Submit
\Users\Admin\AppData\Local\Temp\justin facebook freezer.EXE

Filesize
1.2MB

MD5
7356fc49bd92531a8dad539a4222fb54

SHA1
ae6e53acfed990da057f67c3ce4a1551f4f86663

SHA256
d0cf0b29511686c1ac0ac40aba34876b173cbabce0bad73d7f028f666e18a211

SHA512
7e83d665b5ddd3a3546e9a60ce77003188c1bc4b5c91b7dd815d462275f6eeeb3db3e0ce0b12b3b39d949194588a9734a3032f0ffde09b30877299e49f3d8a8f

Download Submit
\Windows\SysWOW64\JCVLTI\TQU.exe

Filesize
1.7MB

MD5
f3819a6cab8ae058254c4abb3844d87e

SHA1
0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

SHA256
3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

SHA512
dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads