ardamax | 3879f28977fafaa790600a25b87790c0587a819397e8f417b46c44eb0647dbfc

General

Target

fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
Size

1.6MB
MD5

fb8b426c1bbe5e50b0ce67ecd8fc4208
SHA1

278872041ab902c9f404fec712a22807148ede8b
SHA256

3879f28977fafaa790600a25b87790c0587a819397e8f417b46c44eb0647dbfc
SHA512

7075dd00cdb114d317f61a7b6d4f34d174a880f4cf2c9676cb2e0d75327389a255567b05adbc25b86116d5c55de7692ca004a6dd08c7454e0f250b7a1ffc7b30
SSDEEP

24576:ebFV9FLeM2aXcCgskP1LwZbaLq5jmoSxi08i/DFjQJtH09eQoZsgOXPuuAz:OV7WaMCgskdOeijm/xsi/BQJ10wDk3A

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001878c-8.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2556	DDP.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1600	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
2556	DDP.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1600-0-0x0000000000400000-0x00000000005A9000-memory.dmp	themida
behavioral1/memory/1600-13-0x0000000000400000-0x00000000005A9000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Start = "C:\\Windows\\SysWOW64\\OHBIUH\\DDP.exe"	DDP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\OHBIUH\AKV.exe	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHBIUH\DDP.exe	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OHBIUH\	DDP.exe
File created	C:\Windows\SysWOW64\OHBIUH\DDP.004	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHBIUH\DDP.001	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHBIUH\DDP.002	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2556	DDP.exe
Token: SeIncBasePriorityPrivilege	2556	DDP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2556	DDP.exe
2556	DDP.exe
2556	DDP.exe
2556	DDP.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2556	1600	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2556	1600	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2556	1600	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2556	1600	fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb8b426c1bbe5e50b0ce67ecd8fc4208_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\OHBIUH\DDP.exe
  "C:\Windows\system32\OHBIUH\DDP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\OHBIUH\AKV.exe

Filesize
461KB

MD5
eed8ebfafcd3dcb0f88b237388fba8df

SHA1
620767d6de979bf360e3a188ed03534c769f337b

SHA256
dc3c5152d69547ffb583574707025eee74af46882cdf851221f66b1e81d2ed90

SHA512
28148a2bfdbcaf61f5f664c6b4dd0377d151d775ad001818da2bba6327f02020fabb016a4c8aaa5f841ea1dc1a6d8419bca55bc74924a657476e15abbd8dabb3

Download Submit
C:\Windows\SysWOW64\OHBIUH\DDP.001

Filesize
61KB

MD5
34c92b717ae97bc926f56ba56a44f24a

SHA1
ccaf3c6bf0c73564d0bf19c92b8d25008ffffbfa

SHA256
6e60d85b35f5e9222375f606e4116b38364a4a943596ddb0d914cf1cf4791774

SHA512
2a9eb63837db128c9e036976d903ebd925e6952ab6bf4efa0e370e79f9fefe0ed6e44e4ab444f56ace1149f4dd14797f568e8827e7cebd1e5581dcf309f9745a

Download Submit
C:\Windows\SysWOW64\OHBIUH\DDP.002

Filesize
43KB

MD5
246761f047f6aa98d6eaad66a2f883b9

SHA1
42474a5b23d03e094103b62fd7e820457cf807c4

SHA256
3774021a3cdf32d23fd5921cea4de8c26b08f0d601f3097550a7e8af7b00f111

SHA512
d39d0913975ca2f8d585b72667d76de09ce7817f6de26ef21a8b62edc25d7fab39785f036992d19ca5700f5fc2ee377e696142c41529f23f503e8eefff393144

Download Submit
C:\Windows\SysWOW64\OHBIUH\DDP.004

Filesize
1KB

MD5
865a8c4df28c387d4e793f858d3c472a

SHA1
5bfbeb6bcf85c81d3e5518322ff3a61fc44c66ea

SHA256
1ec2bb5815b1a5d0f3cc950285868a116ea21ea83aabfae06e6fc96b22ae6797

SHA512
e79b1638d4148f1bb13c5f3b5df5d8fdee10abaa606830e60fb566d89f9053bb8a3fe804e794905faa9e927d64ad75026d5059d7c4782a51d8a10de87c56e0d1

Download Submit
\Windows\SysWOW64\OHBIUH\DDP.exe

Filesize
1.5MB

MD5
9ab9b7b74790b7bb2798dd2b26f4a913

SHA1
e8ffa981a0149aa6441dcb0dd42f7baf6eb773a2

SHA256
df1c8d608ebd300889cf21c3bda6d5dd2574d68e1f530cc5a885449a22177a75

SHA512
ffffe21d8cc244aacaaba2eb13cc77ad800a196ecf6f77637a8a1f6d456cabb8331970ab358ab21dcf9832343379b4f0486da3990d45eb2f2765e55b7404739e

Download Submit
memory/1600-0-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/1600-1-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1600-14-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1600-13-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2556-20-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2556-22-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads