ardamax | fb598e3bf618d597221a3b53cdeb7dc6de89d489435f6c49c1a4330d8788c36f

General

Target

e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Size

1.0MB
MD5

e17fa88e77674357c33bc11528a6491c
SHA1

6d19521225ad11073bb049250340966a17b7ce3f
SHA256

fb598e3bf618d597221a3b53cdeb7dc6de89d489435f6c49c1a4330d8788c36f
SHA512

6d6cdc7788f8513d9a5c33bbcc8d21188657c87ec3e4571e5080448228ea3777cd7e9b5ba5f5dff122b833b6db8abc247989963a281e63ead30d2dc406ac547f
SSDEEP

24576:jBaTPZKilZZMG2lCzslCja1L+SI6+DwmcrK0O7U:jYTBNlZmJCja0LEmcZO

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019217-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2128	NVT.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
2128	NVT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NVT Start = "C:\\Windows\\SysWOW64\\COLICU\\NVT.exe"	NVT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\COLICU\NVT.004	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\COLICU\NVT.001	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\COLICU\NVT.002	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\COLICU\AKV.exe	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\COLICU\NVT.exe	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\COLICU\	NVT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2128	NVT.exe
Token: SeIncBasePriorityPrivilege	2128	NVT.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2128	NVT.exe
2128	NVT.exe
2128	NVT.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2128	2968	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2128	2968	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2128	2968	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2128	2968	e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e17fa88e77674357c33bc11528a6491c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\COLICU\NVT.exe
  "C:\Windows\system32\COLICU\NVT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\COLICU\AKV.exe

Filesize
439KB

MD5
b6f067d8cbe8f570879b0ec97a00e9d9

SHA1
57cfc7bb9386956796ca8bd57d42c70027dbe716

SHA256
57785904b380980f4c65b1ffe052ad9e4cd0d270b14176244b8129f0c78c4034

SHA512
dced303f3d316ec2988d3f46ae6af2045d4d054d80b30350ffc4126c5c2979e2914f7586f3dde7cb4718141a75bc10cb211ebdc1d2b91ed61a97b8465e0e961d

Download Submit
C:\Windows\SysWOW64\COLICU\NVT.001

Filesize
61KB

MD5
d7ab0bd450bbb9c9a080ef462fee6294

SHA1
c407c9ec0cbcc0de96f44b54a3ebda9bcde7521f

SHA256
5f6b4fd853d0b887dec7f1cb19e7888720d288f01c762d8f83aa88adb9c26d6a

SHA512
11369b86f347be2614523caf9dac4caea2cec15705a710706cbfad1e1f49de24ffee6ba4f16bdf4c8a8aa5e440e51fda959dafa90a7b32332151917e4c7e82ba

Download Submit
C:\Windows\SysWOW64\COLICU\NVT.002

Filesize
43KB

MD5
fe922952228e14b29160444d20cd12ca

SHA1
cab385224fa717fbc24d790d8b4c888dcbb8cf12

SHA256
a17c9e61994dac89f3945ec0744be6f44e4982e5b2fe2c336af2d2675ed94b2f

SHA512
37d23ad969a647f515749ecdd86410a47331fd424dc8f851270bb30e05e624bdf0c627bf2475d22838692fdb648daba0e85547734e926f3dd3b192af583d4847

Download Submit
C:\Windows\SysWOW64\COLICU\NVT.004

Filesize
660B

MD5
c04d7216f1780b7eb8b0e7ba52e74f0f

SHA1
13fbebd76f037504f316a4122383636fc6253bf9

SHA256
7bdd36ca5789a5fcb7cfc675dfc9bd733f7b639ea0f429e986dd7a0cfa6936d5

SHA512
94079acc4437d3ef124b78d1f5d7e0571d775f0470395d7e665041ffea900a93f69b0a0d04f57275709627c05741ea1ebb0ddac674822d75ce14019e281d9d14

Download Submit
\Windows\SysWOW64\COLICU\NVT.exe

Filesize
1.4MB

MD5
291cbc9a00f52d4b3e0129f6e649b857

SHA1
d30127f960c7aa374c31685275e8e6142ee9b8ba

SHA256
f63ca7832cbca9474e10266e9b4b31f1309d977b6f0dd7886f03ef7bac7e7d26

SHA512
80ec35905e85f7f4ee3573cfc2f54a2a25a668450f71a12f228d3f42da4c3be91e0f3ad47275c98c522ee38c503876b74ca11456f96885fb32a9f5f83301d394

Download Submit
memory/2128-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2128-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads