ardamax | c1b4038d33cd9ff893b363969681e51c66382a2c38faed60ba1db884ee5b8948

General

Target

ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
Size

1004KB
MD5

ed454da52205d617a86d28101aeb41ac
SHA1

3dbc93ce3f4719a91f9ec3224fad3959ccc4b9e5
SHA256

c1b4038d33cd9ff893b363969681e51c66382a2c38faed60ba1db884ee5b8948
SHA512

ba8e0492e14ad323f05f32f493ecdd6938a9e25709f957db98e85bd16941cf011cbf50dd0a7189fdbf441fc2c4b8c5ddc5cc58638aba223e49a72fd75e93c122
SSDEEP

24576:XjXTjx296XDo7lfiOQmoAFj8zcxibjreYhGNPnUn:XDTjx/OlfZP9p8zQiNcPnS

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d04-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2108	NDN.exe

Loads dropped DLL 4 IoCs

pid	Process
2404	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NDN Start = "C:\\Windows\\SysWOW64\\XQOKIC\\NDN.exe"	NDN.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XQOKIC\NDN.002	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\AKV.exe	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\NDN.exe	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\NDN.004	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\NDN.001	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	2108	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2108	2404	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe	31
PID 2404 wrote to memory of 2108	2404	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe	31
PID 2404 wrote to memory of 2108	2404	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe	31
PID 2404 wrote to memory of 2108	2404	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe	31
PID 2108 wrote to memory of 2964	2108	NDN.exe	32
PID 2108 wrote to memory of 2964	2108	NDN.exe	32
PID 2108 wrote to memory of 2964	2108	NDN.exe	32
PID 2108 wrote to memory of 2964	2108	NDN.exe	32

C:\Users\Admin\AppData\Local\Temp\ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\XQOKIC\NDN.exe
  "C:\Windows\system32\XQOKIC\NDN.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 276
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\XQOKIC\AKV.exe

Filesize
490KB

MD5
7c945f8ff017b9c3e00fb23e47c05b88

SHA1
c5808f4a6494f5f619584ce1eea3bd63fab41675

SHA256
0beb5579a7321017b3efe319e40af7ad940c4d64916295929fe0e88bdd35e848

SHA512
feb202e2c63be69ad77160716bcf4f83bd90571349c6115955fb2ea584d8913dd153ca782974e3b50c9a8cd58df01ade6c88339f0c43c2af5778fc3457132246

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.001

Filesize
60KB

MD5
256d32d205671ac8ed51e56c5c5d2d56

SHA1
c0e98db79b026a2ba7c4838bf11d6e8775a10262

SHA256
064d8c21bd0cf41315cef61af65be92327275633fbdf37771c3d996202909a9a

SHA512
197a6c0d27550d4756c124b41310ae39e546449da3254c15d0070bfeec4600d12f4e653f12e4a554c69eeab615f3e159960805c029f9b4abb197b64af78c5581

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.002

Filesize
42KB

MD5
ecb9e8c27d6cc6ffd1e857767b9c6f24

SHA1
10a9a5054e6f1c8d1bda456b9ecb5bf359faf010

SHA256
5d948e3a55e9b1de0e9f8f89d0dd3a769bbd8d178f3297cc02864f5688dbcb29

SHA512
259ae145a962426b9b60d585d939caf86043b9031480b472ab8ee91eada3d1d7d6fc502718fbbc07ac9600368e81f87e68fd10d5fa039a85a1d4a8ddfde1968e

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.004

Filesize
764B

MD5
2be6a517ceadf19a61c007615def9c96

SHA1
430d68f4cfff2886dddeea37c4b6150e9eaaf028

SHA256
4d69585ac4174bcba7091293c4853697b30ec8d5323f7bbe1d72055284e6c931

SHA512
7047049e4bb5563692bb4faa856821c32dfc361db950a49422b3eaf4c24c5cabeb0284dc136b8d9591453efbcd19682352fd5fbfbecaa4e1346cf1325712f654

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.exe

Filesize
1.3MB

MD5
6c94881041df04b34498298262be0095

SHA1
a55cf3e5b3d04cbc3fff689219bb4176db698afa

SHA256
b8e1a7f773703fd5b7e7658bc3f54fd50e4ea6502f9ed3b996c3ef9c977b3d9f

SHA512
dba2ad2dcb51d7dc9e01e668e91132fbb22c6c1423c3dc96c081a1bcc2614987e4091d99c9035abf4c1c2b485c36095a06cfaea67431e1d18a83c186bcea4fbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads