ardamax | a2e197c6ace5e247762e2d1c22a7c32632a9f1782655926f59848334ea8a614f

General

Target

ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe
Size

1.4MB
MD5

ff9f446a4af23885d757067139d209f5
SHA1

b55ca8bb0ee963b30a7e95db122e8544fe94a909
SHA256

a2e197c6ace5e247762e2d1c22a7c32632a9f1782655926f59848334ea8a614f
SHA512

eaf626ab69595c6c449e6ac46a82199f16e43a66726c22ebe892072eb64ef103abdac6960b1baa89c2b8174aa1ee1452468cb891e1ab32c350ba843f9ea2a047
SSDEEP

24576:sz+fCyfGk7wLbXiHLw4r6PZVxm6xyDCe7FriwK1M/OEXSpATadlQ/gDePz4ARhKI:sqfC4GJCWx/mLfFW310V/gDfG1RXkaoe

Score

10^/10

ardamax discovery keylogger stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001941a-44.dat	family_ardamax

Deletes itself 1 IoCs

pid	Process
2440	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2696	aklremover.exe
2604	Install.exe
896	TND.exe

Loads dropped DLL 14 IoCs

pid	Process
2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe
2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe
2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe
2604	Install.exe
2604	Install.exe
2604	Install.exe
2604	Install.exe
2604	Install.exe
2604	Install.exe
896	TND.exe
896	TND.exe
896	TND.exe
896	TND.exe
896	TND.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2756-4-0x0000000000400000-0x0000000000668000-memory.dmp	themida
behavioral1/memory/2756-5-0x0000000000400000-0x0000000000668000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Sys	TND.exe
File created	C:\Windows\SysWOW64\Sys\TND.009	TND.exe
File opened for modification	C:\Windows\SysWOW64\Sys\TND.009	TND.exe
File created	C:\Windows\SysWOW64\Sys\TND.001	Install.exe
File created	C:\Windows\SysWOW64\Sys\TND.006	Install.exe
File created	C:\Windows\SysWOW64\Sys\TND.007	Install.exe
File created	C:\Windows\SysWOW64\Sys\TND.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TND.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aklremover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	896	TND.exe
Token: SeIncBasePriorityPrivilege	896	TND.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
896	TND.exe
896	TND.exe
896	TND.exe
896	TND.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2696	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2696	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2696	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2696	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2604	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2604	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2604	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2604	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2604	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2604	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2604	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2440	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2440	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2440	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2440	2756	ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe	32
PID 2604 wrote to memory of 896	2604	Install.exe	34
PID 2604 wrote to memory of 896	2604	Install.exe	34
PID 2604 wrote to memory of 896	2604	Install.exe	34
PID 2604 wrote to memory of 896	2604	Install.exe	34
PID 2604 wrote to memory of 896	2604	Install.exe	34
PID 2604 wrote to memory of 896	2604	Install.exe	34
PID 2604 wrote to memory of 896	2604	Install.exe	34

C:\Users\Admin\AppData\Local\Temp\ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\aklremover.exe
  "C:\Users\Admin\AppData\Local\Temp\aklremover.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\Sys\TND.exe
    "C:\Windows\system32\Sys\TND.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\x.bat" C:\Users\Admin\AppData\Local\Temp\ff9f446a4af23885d757067139d209f5_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.bat

Filesize
512B

MD5
354f82a525f732eb021d6cdeae7e2270

SHA1
3d83fb959ed8f87e80c4eb5d53d8a3ec16f79991

SHA256
57a48632d0ea858fef55d153797f69bbaa550c31f0c1d7ff9c04fe3ac073fcbc

SHA512
e307803351b5f905b4b5811156b82278bf4ac2535270d287921a9b7766357a92b23363c43f7d4eebfa90beac6c336e91d304931aa6699a6b80f795993f0b9dbb

Download Submit
C:\Windows\SysWOW64\Sys\TND.001

Filesize
3KB

MD5
b7b09a7421fc1a7875b7dae89baf87ad

SHA1
eca8a3f91ab7b88d519ab5f41ac401de839faace

SHA256
3c0362a5e97e79ec31cd3c90bc9a08599c3ed3cd856a2116e2d3259411591572

SHA512
2b5b05337865cac3cea263ad2defe6a8508ba3b3c05c9ed1f4634edd33a3051abaeec917f7197c97215651927c748915f260426f453b0e2544ad995eefbd6495

Download Submit
C:\Windows\SysWOW64\Sys\TND.006

Filesize
5KB

MD5
81684ae4865ec5f66d24e892b03cdb28

SHA1
71e0129317001cbf9fc0876a6ea15886c0caa987

SHA256
b036f867ef31023198260a6610a57cc9148a547103b17de934e607aca580eb23

SHA512
adac78672fa35ad5aef8afac26c6360f06f98783fc3527c558b6fcadfd6d22b06ef4a8c0f6c076da3b270f83265eb4d20d58fc514932ad3d16554c3fd33f4fec

Download Submit
C:\Windows\SysWOW64\Sys\TND.007

Filesize
4KB

MD5
ac152720163090f4c0fb7f5c7e1638dc

SHA1
4fec3f24e3f9221c7c7cf918d7507586bf0cf48a

SHA256
fdc0467059610b4055818e2e499c1ed17705397383a61245917bb93ba0f8e3ef

SHA512
d62d827530d421735e95620f57230b1d7376a1055ddfb32d00db8df7764618f442a5166bdb765babf85695b7138ac7c4c71c231e5c745ed7d8113e6394acd301

Download Submit
\Users\Admin\AppData\Local\Temp\@71B7.tmp

Filesize
4KB

MD5
fec74da36beb4457716675804f74221c

SHA1
1c02ce33852f00dd896b4bb1d93fbba663dd329d

SHA256
e47ac7649f18595fbd2281a8cdff82a2b488b8dd56bc1ae88930b521f24b1c89

SHA512
64b1d6912b2d6336f2ec7abd240215c842970eece0007afb4c939cf40becb437d6d6708d840035c935d96742918de07b52a96708388cbcda438e8c56d49ede06

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
265KB

MD5
be483dfdbee1be3831601ceecc0d8d3a

SHA1
b41f35e39c52013c59c39b04ada98809840ca894

SHA256
43a1a4bc433fdbb3fbf9838ec3c23333f151524fab7a1289462934e6a2d32988

SHA512
1c240d58836f48ca4bb199b37eeacfe082e28a7f3820a4690a780edfc68b640f1ebbf2e98e51cb11d6121c7c44741f10c4620a82afba8ec402fd209172e06a67

Download Submit
\Users\Admin\AppData\Local\Temp\aklremover.exe

Filesize
40KB

MD5
e9c593544bb6071b8853d2f7d4d5dbc9

SHA1
b3b5f5576dad83e358ea384d40912a74aecd5c5d

SHA256
9e90af01904e6b7a5779f0cbd6378668645108da14a562b89436b677b253b3b9

SHA512
2ff7d4e08c7518c422b2ecd03bec19bbb2da9f3afd7da8690f5453cb8e7c63cd3a35b94881e06c84e7fba10f921771bfa787f51039fb8991a1ec8f37c2495787

Download Submit
\Windows\SysWOW64\Sys\TND.exe

Filesize
459KB

MD5
b7a532f4b00925d636882e80f49305a8

SHA1
ae88858ea8c3a7ba2ed373cb104ef2152fb44b54

SHA256
f417f9088e6c39c418ecf8efbf0038362945788838bd7e67efd89199ada15ccd

SHA512
551fe3425b17f29b1c8157b2fdf6c6c0ed15c655bc14e9b73ec38209c55191444762eeef61ae933047079243b9487f92b649f5852b3f22d4bac5d070f523b706

Download Submit
memory/2696-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2756-1-0x00000000006E0000-0x00000000007BD000-memory.dmp

Filesize
884KB

Download
memory/2756-5-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2756-4-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2756-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2756-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing