ardamax | 4f1667523fde33af5cc2137c11784818701c15ecd358483bb9454d3f6dfe98b5

General

Target

f035a0a6f353805580817f23bbd041bf_JaffaCakes118.exe
Size

2.8MB
MD5

f035a0a6f353805580817f23bbd041bf
SHA1

50f8371c2d70f0dde60f83204e09b1b5810092b1
SHA256

4f1667523fde33af5cc2137c11784818701c15ecd358483bb9454d3f6dfe98b5
SHA512

8bca80bb65bc36e55471fc96b04de5f305e6110c9ad8e7314b387e5b1344f5d45ff83dc43ea237cc0d1c0c76dde2dcf707396d533d98448580482b30bf510d84
SSDEEP

49152:9NnFlSS7jLjBm+0ZTvpUQOJrC5pghpXsYV:9Nn3SSjjBmH9RUQORm4pXsYV

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d81-21.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
3028	0jpz.exe
2864	AWCD.exe

Loads dropped DLL 5 IoCs

pid	Process
3028	0jpz.exe
3028	0jpz.exe
3028	0jpz.exe
2864	AWCD.exe
2864	AWCD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AWCD Agent = "C:\\Windows\\SysWOW64\\Sys32\\AWCD.exe"	AWCD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\AWCD.001	0jpz.exe
File created	C:\Windows\SysWOW64\Sys32\AWCD.006	0jpz.exe
File created	C:\Windows\SysWOW64\Sys32\AWCD.007	0jpz.exe
File created	C:\Windows\SysWOW64\Sys32\AWCD.exe	0jpz.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	AWCD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0jpz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWCD.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2864	AWCD.exe
Token: SeIncBasePriorityPrivilege	2864	AWCD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2864	AWCD.exe
2864	AWCD.exe
2864	AWCD.exe
2864	AWCD.exe
2864	AWCD.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3028	1876	f035a0a6f353805580817f23bbd041bf_JaffaCakes118.exe	29
PID 1876 wrote to memory of 3028	1876	f035a0a6f353805580817f23bbd041bf_JaffaCakes118.exe	29
PID 1876 wrote to memory of 3028	1876	f035a0a6f353805580817f23bbd041bf_JaffaCakes118.exe	29
PID 1876 wrote to memory of 3028	1876	f035a0a6f353805580817f23bbd041bf_JaffaCakes118.exe	29
PID 3028 wrote to memory of 2864	3028	0jpz.exe	30
PID 3028 wrote to memory of 2864	3028	0jpz.exe	30
PID 3028 wrote to memory of 2864	3028	0jpz.exe	30
PID 3028 wrote to memory of 2864	3028	0jpz.exe	30

C:\Users\Admin\AppData\Local\Temp\f035a0a6f353805580817f23bbd041bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f035a0a6f353805580817f23bbd041bf_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- \??\c:\0jpz.exe
  c:\0jpz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Sys32\AWCD.exe
    "C:\Windows\system32\Sys32\AWCD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0jpz.exe

Filesize
273KB

MD5
1cec2e56a5eb2efdb07ed05ea4128837

SHA1
54799afe8f60c33b527faf437531ad6cceecc129

SHA256
1aa322ca8d21305d86ade138ef1b082a54cc5bf6f7dbf87b59e4b4b827b6fb83

SHA512
8b20060bbf897904aa7ef78543b2ee4e4b2aab2453bf7b8bb67bcd645145f49f1a01591073d0ff46afb10e1efca27b102bb76b2eb950efac87ad29a7cc6b9147

Download Submit
C:\Windows\SysWOW64\Sys32\AWCD.001

Filesize
408B

MD5
c282e63a3cbf71bc9454c3627db7d67e

SHA1
41e0d73acf497dc3772bafa97ccb5a52bd698b89

SHA256
dd5e948569ae0681c06c4d8c38538d21b3adbd4d83a6b2b63306e71bb92b391a

SHA512
86573aeaf9ace2c3d772cec610a8cf74723b0298a22c61ea5f84f8f3b40a5ebb2c0fe66e443564d92e028d917457f6de3fd56b97fa38c32d9920523036715e82

Download Submit
C:\Windows\SysWOW64\Sys32\AWCD.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\SysWOW64\Sys32\AWCD.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
\Users\Admin\AppData\Local\Temp\@C10E.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
\Windows\SysWOW64\Sys32\AWCD.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
memory/1876-3-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

Filesize
4KB

Download
memory/1876-0-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

Filesize
4KB

Download
memory/1876-4-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-2-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-1-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-36-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-34-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2864-38-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads