ardamax | 7531cf8bbe5733fe5af0030860f9fa29d5b24720433a527e5512950a8dd08627

General

Target

e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe
Size

963KB
MD5

e2f52c4c59decf0fccf06de586d96e21
SHA1

97bfb9c37442a44080f3c0646e77349446e363bc
SHA256

7531cf8bbe5733fe5af0030860f9fa29d5b24720433a527e5512950a8dd08627
SHA512

4568350403b0b4a4c4ef3930e79d72bf908a6ebec618e9079d5b6699f1701f0ba4cdaa1fa241678019b75f835f5c856e7c6c3785707a881ceaf1e2bf5649dcf4
SSDEEP

24576:9iITL62wFHYwKpUSM0OT5YnuTbx25Mxsd1MXwMh2y6xD2:93TG2w2pbMr5iu/5sd1XMhT6N

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cec-5.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2476	GIN.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe
2476	GIN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GIN Start = "C:\\Windows\\SysWOW64\\GYJQKQ\\GIN.exe"	GIN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GYJQKQ\GIN.exe	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GYJQKQ\	GIN.exe
File created	C:\Windows\SysWOW64\GYJQKQ\GIN.004	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GYJQKQ\GIN.001	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GYJQKQ\GIN.002	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GIN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2476	GIN.exe
2476	GIN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2476	GIN.exe
Token: SeIncBasePriorityPrivilege	2476	GIN.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2476	GIN.exe
2476	GIN.exe
2476	GIN.exe
2476	GIN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2476	2492	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2476	2492	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2476	2492	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2476	2492	e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2f52c4c59decf0fccf06de586d96e21_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\GYJQKQ\GIN.exe
  "C:\Windows\system32\GYJQKQ\GIN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GYJQKQ\GIN.001

Filesize
61KB

MD5
d02c94d02f324be4517cd570672a38eb

SHA1
af21c078c41fbc66aac65e7afc782d1dfb9684f0

SHA256
c6684fb800ddfaa11070587fc66c613eb96b00bf4534144a747fbc1b711cb965

SHA512
45dd3aeb10cd17901509dad15c1f3bf941cf1771671ff3cdc7743c790066aaa16c659b511fdf375d4908ab5347f0aa1005e950272ffa9f5f5564ff757e65a685

Download Submit
C:\Windows\SysWOW64\GYJQKQ\GIN.002

Filesize
44KB

MD5
8e7df9075891cde8051cd8e40eeeddf7

SHA1
8156fd5804ee054a3160ba7f511134355508b128

SHA256
30f963b1f86a713a53e6c3b9ec39f339158793e800406d245bfc9565272118d9

SHA512
56f835ff92fbb41cc6aac150e5a99dfaa6bb0221f7e4e503136d7ee1d29c13d235607498ee5bac84407a9b56af9f895fcfdd5795706d3a9b99d7a69a14c5d780

Download Submit
C:\Windows\SysWOW64\GYJQKQ\GIN.004

Filesize
1KB

MD5
70fa389b2bab90fe29840be1cb42589a

SHA1
f60e28bf4fdc91c32860d91c46559baefaf79a44

SHA256
fda318e03e17035db643d618ed19d33b9f14b71db9c338d8723b9b4bd3a4adbe

SHA512
961602568d192cfb3fad415a1cf37b8baa98f9da2d1adb5dbee1a0e5fd3905d11bd230c48803ab69f472c4a27f52548a1198156b45c58d9876555c03ed4aa264

Download Submit
\Windows\SysWOW64\GYJQKQ\GIN.exe

Filesize
1.7MB

MD5
91dcc602af4df48468e5f60724f2e6fb

SHA1
3f466e5628c80891fc10822f85ac547d461aee6e

SHA256
6067d9a2efd2176dcfc41db3d20cf6657cce911dba1bd6a08aac55bfea99830d

SHA512
d671d43977fb9a3e892354768c16393edfc7d462226c3986b350b9aa6267751ebf4b4bbb269a4372313befdd26a1edf0927efb14f22f6f1a5706aae87fc2f67a

Download Submit
memory/2476-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2476-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads