ardamax | c34c0141f2b507e35e2dcea93590f6f4469f88b6e3f1a1fb4e6dd413b15e3016

General

Target

cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe
Size

1.0MB
MD5

cb0aece11bd855007f841f0b2753fe1b
SHA1

61df7c13b1ad83f2ab8181fee97161defe0572af
SHA256

c34c0141f2b507e35e2dcea93590f6f4469f88b6e3f1a1fb4e6dd413b15e3016
SHA512

e26463ff4430c335b7cb97c05a5d15b67c0336a2de4a05b0528f05e90386cabc65cb84cc73c8c8801a98d5107aaef2ee5d8bea158dce0d0ceb8f0fe899f401b2
SSDEEP

12288:hKUrnfUmLgckgwt+oYAK7CL3kVjy8E5IPvts7sL9M/GmQIpcmJ:h5rnsmnwt+oPiokFkIHO7s2/GfkcmJ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016c88-25.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2500	Job.v523.dll
2860	system32KEGJ.exe
2796	Selamla.exe

Loads dropped DLL 5 IoCs

pid	Process
2984	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe
2984	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe
2500	Job.v523.dll
2500	Job.v523.dll
2500	Job.v523.dll

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32KEGJ Agent = "C:\\Windows\\system32KEGJ.exe"	system32KEGJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32KEGJ.001	Job.v523.dll
File created	C:\Windows\system32KEGJ.006	Job.v523.dll
File created	C:\Windows\system32KEGJ.007	Job.v523.dll
File created	C:\Windows\system32KEGJ.exe	Job.v523.dll
File created	C:\Windows\system32AKV.exe	Job.v523.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Job.v523.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32KEGJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Selamla.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2860	system32KEGJ.exe
Token: SeIncBasePriorityPrivilege	2860	system32KEGJ.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2984	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe
2860	system32KEGJ.exe
2860	system32KEGJ.exe
2860	system32KEGJ.exe
2860	system32KEGJ.exe
2860	system32KEGJ.exe
2796	Selamla.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2500	2984	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2500	2984	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2500	2984	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2500	2984	cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2860	2500	Job.v523.dll	31
PID 2500 wrote to memory of 2860	2500	Job.v523.dll	31
PID 2500 wrote to memory of 2860	2500	Job.v523.dll	31
PID 2500 wrote to memory of 2860	2500	Job.v523.dll	31
PID 2500 wrote to memory of 2796	2500	Job.v523.dll	32
PID 2500 wrote to memory of 2796	2500	Job.v523.dll	32
PID 2500 wrote to memory of 2796	2500	Job.v523.dll	32
PID 2500 wrote to memory of 2796	2500	Job.v523.dll	32

C:\Users\Admin\AppData\Local\Temp\cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb0aece11bd855007f841f0b2753fe1b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Job.v523.dll
  C:\Users\Admin\AppData\Local\Temp\Job.v523.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32KEGJ.exe
    "C:\Windows\system32KEGJ.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\Selamla.exe
    "C:\Users\Admin\AppData\Local\Temp\Selamla.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Selamla.exe

Filesize
16KB

MD5
17e2fd7c20f4eec6c3ca84c3db660ea9

SHA1
1118a2f602a8e0350ad5c681c3d896b5aae44a90

SHA256
c11145cb46c00dcebeee513e14e1629f93c1d64522e3df64db982a7539360933

SHA512
8fd50e0ac295feee4da2781f660f198068c47a68b3d36f53f54003ba42fd1d7e86afe173e01475273681e5a9db2fad725f49e5bda7be4a10f91add48ab2b3bf6

Download Submit
C:\Windows\system32KEGJ.001

Filesize
402B

MD5
43a968d8aa6c7dbea937b2027681f263

SHA1
5d3bd320ffef7be3c9dd4032ab88c36bcff9978c

SHA256
f5cb4211dc8f4daa761345735ba71f3a686e98e0ebbcadff6bcb501ccad3f1a1

SHA512
65bb1043477aec0de696737c73cecd94ec25c8e4415b7fc421e1b43070691c15e660f846581acc98a2d4a66e8a772463e5653aad273f7c48f571744243576ce3

Download Submit
C:\Windows\system32KEGJ.006

Filesize
7KB

MD5
87ccf7eb039971590aac6f254b2c788a

SHA1
3095496ffd364b32cdbe63ba4dd2f477fd848515

SHA256
59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b

SHA512
d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

Download Submit
C:\Windows\system32KEGJ.007

Filesize
5KB

MD5
81938df0dbfee60828e9ce953bdf62e6

SHA1
b1182a051011e901c17eab2e28727bec8db475fb

SHA256
982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98

SHA512
64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

Download Submit
C:\Windows\system32KEGJ.exe

Filesize
471KB

MD5
912c55621b4c3f0fb2daef5b4f4f5f4c

SHA1
735701c75569b7563950508afc8948b52e7bf4b2

SHA256
41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0

SHA512
65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

Download Submit
\Users\Admin\AppData\Local\Temp\@A296.tmp

Filesize
4KB

MD5
b7ea0bc4bb833ab77dce179f16039c14

SHA1
b05cc205aa6ffc60a5316c1d5d3831def5a60c20

SHA256
e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba

SHA512
5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

Download Submit
\Users\Admin\AppData\Local\Temp\Job.v523.dll

Filesize
482KB

MD5
9eea7a42f3439339f2e5246214b9144b

SHA1
ca802753241e6854889c5725c480627a3fad44cc

SHA256
f4bbd4d3d838a27721c93157b2e5ee1a377f4b49be236710c4de0666526badc6

SHA512
5913bbb70ba5634f61d8073dffde9ab38a8363f4d8d1e7c0744a877bd0e24919b33e088782894600289e11cc72d35de6d53c0ee78f39e0c7208e69e2311c0920

Download Submit
memory/2500-44-0x00000000028D0000-0x00000000028D6000-memory.dmp

Filesize
24KB

Download
memory/2500-42-0x000000007754F000-0x0000000077550000-memory.dmp

Filesize
4KB

Download
memory/2500-45-0x00000000028C0000-0x00000000028C6000-memory.dmp

Filesize
24KB

Download
memory/2500-38-0x00000000028C0000-0x00000000028C9000-memory.dmp

Filesize
36KB

Download
memory/2500-41-0x00000000028C0000-0x00000000028C9000-memory.dmp

Filesize
36KB

Download
memory/2796-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2796-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2796-58-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2796-57-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2860-28-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2860-51-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2860-55-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2860-56-0x0000000001CD0000-0x0000000001CD6000-memory.dmp

Filesize
24KB

Download
memory/2984-46-0x000000007754F000-0x0000000077550000-memory.dmp

Filesize
4KB

Download
memory/2984-54-0x0000000003F00000-0x0000000003F06000-memory.dmp

Filesize
24KB

Download
memory/2984-53-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads