ardamax | 97ac7654e6110373718e5f6791f4d5966853447f746c7468d75d5c33695520bd

General

Target

d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe
Size

1.0MB
MD5

d6b89d01974061e0bc182589c9925ab0
SHA1

2e40321120aa79b3246dc770a51c70dc3d342593
SHA256

97ac7654e6110373718e5f6791f4d5966853447f746c7468d75d5c33695520bd
SHA512

2e2e369af2809469457a2f282c426705b9b982638432efe88056f92ea76db7f32149c82157b673c21f06772e7cac257c6e0d26fae21999c1003bcaec8a568c61
SSDEEP

24576:jjXTuTV5nmIWSyhFvSE7NLtTc83agabRhLZuFJZnfjfrgMHyK3i8LCfr:jDTwUFvn7NBc8KnLMrxfHZHyN8LYr

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000174f7-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2684	PTL.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe
2684	PTL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PTL Start = "C:\\Windows\\ENKBNE\\PTL.exe"	PTL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ENKBNE\PTL.001	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe
File created	C:\Windows\ENKBNE\PTL.002	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe
File created	C:\Windows\ENKBNE\AKV.exe	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe
File created	C:\Windows\ENKBNE\PTL.exe	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe
File opened for modification	C:\Windows\ENKBNE	PTL.exe
File created	C:\Windows\ENKBNE\PTL.004	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PTL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Web3.5 = "1725900371"	PTL.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2684	PTL.exe
Token: SeIncBasePriorityPrivilege	2684	PTL.exe
Token: SeIncBasePriorityPrivilege	2684	PTL.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2684	PTL.exe
2684	PTL.exe
2684	PTL.exe
2684	PTL.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2684	2668	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2684	2668	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2684	2668	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2684	2668	d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2164	2684	PTL.exe	31
PID 2684 wrote to memory of 2164	2684	PTL.exe	31
PID 2684 wrote to memory of 2164	2684	PTL.exe	31
PID 2684 wrote to memory of 2164	2684	PTL.exe	31

C:\Users\Admin\AppData\Local\Temp\d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6b89d01974061e0bc182589c9925ab0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\ENKBNE\PTL.exe
  "C:\Windows\ENKBNE\PTL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\ENKBNE\PTL.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ENKBNE\AKV.exe

Filesize
490KB

MD5
7c945f8ff017b9c3e00fb23e47c05b88

SHA1
c5808f4a6494f5f619584ce1eea3bd63fab41675

SHA256
0beb5579a7321017b3efe319e40af7ad940c4d64916295929fe0e88bdd35e848

SHA512
feb202e2c63be69ad77160716bcf4f83bd90571349c6115955fb2ea584d8913dd153ca782974e3b50c9a8cd58df01ade6c88339f0c43c2af5778fc3457132246

Download Submit
C:\Windows\ENKBNE\PTL.001

Filesize
60KB

MD5
256d32d205671ac8ed51e56c5c5d2d56

SHA1
c0e98db79b026a2ba7c4838bf11d6e8775a10262

SHA256
064d8c21bd0cf41315cef61af65be92327275633fbdf37771c3d996202909a9a

SHA512
197a6c0d27550d4756c124b41310ae39e546449da3254c15d0070bfeec4600d12f4e653f12e4a554c69eeab615f3e159960805c029f9b4abb197b64af78c5581

Download Submit
C:\Windows\ENKBNE\PTL.002

Filesize
42KB

MD5
ecb9e8c27d6cc6ffd1e857767b9c6f24

SHA1
10a9a5054e6f1c8d1bda456b9ecb5bf359faf010

SHA256
5d948e3a55e9b1de0e9f8f89d0dd3a769bbd8d178f3297cc02864f5688dbcb29

SHA512
259ae145a962426b9b60d585d939caf86043b9031480b472ab8ee91eada3d1d7d6fc502718fbbc07ac9600368e81f87e68fd10d5fa039a85a1d4a8ddfde1968e

Download Submit
C:\Windows\ENKBNE\PTL.004

Filesize
846B

MD5
ed4e0de1ed85d42c7fe4eeca0e6f56a3

SHA1
fdbd15d39091d37d31e90fd6a87cf9218f570656

SHA256
6eb5c8f489970f93ea7a9e86e58ade58b7048005e28078decac75904a68828ba

SHA512
dcc84d31c1204096faa971a0d64cff455e394ffaf6f2fbef9d6f1f20efb41e00768e440f07515fa6351b834b01b6284f2309e41d589fe43eb8266d6ee8455256

Download Submit
\Windows\ENKBNE\PTL.exe

Filesize
1.3MB

MD5
6c94881041df04b34498298262be0095

SHA1
a55cf3e5b3d04cbc3fff689219bb4176db698afa

SHA256
b8e1a7f773703fd5b7e7658bc3f54fd50e4ea6502f9ed3b996c3ef9c977b3d9f

SHA512
dba2ad2dcb51d7dc9e01e668e91132fbb22c6c1423c3dc96c081a1bcc2614987e4091d99c9035abf4c1c2b485c36095a06cfaea67431e1d18a83c186bcea4fbf

Download Submit
memory/2684-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2684-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads