ardamax | 01d5ad53a552206782eb68c5943fe54d912a0ff82fd7eab5717a62f8e2d49256

General

Target

063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe
Size

1.4MB
MD5

063643defd3570e52c17c861b84fcbe8
SHA1

dbf771766ee437b90df7ba1c00e79115441775d6
SHA256

01d5ad53a552206782eb68c5943fe54d912a0ff82fd7eab5717a62f8e2d49256
SHA512

ecbb09c9236f6c8fb358489fbbd4134016b87e979bbcb367366450fb94c0744169109aa86416ce4a5a650c360e9fc58d9f76edf3e631623b60c58cbf5b007fdc
SSDEEP

24576:+Sin3jm3Nue3Pdiou9PwlLiukDvStE9DYtBoLnA7vEo+k2uCwktZYsj44zXR9/fV:+Zm3Nue31tkwlunDvSteYQLnAYTv1WIh

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173da-27.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2764	KEYLOG_NAO_ABRA__python24_.exe
2188	PAWH.exe

Loads dropped DLL 9 IoCs

pid	Process
1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe
1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe
1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe
1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe
2764	KEYLOG_NAO_ABRA__python24_.exe
2764	KEYLOG_NAO_ABRA__python24_.exe
2764	KEYLOG_NAO_ABRA__python24_.exe
2188	PAWH.exe
2188	PAWH.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PAWH Agent = "C:\\Windows\\SysWOW64\\28463\\PAWH.exe"	PAWH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\PAWH.006	KEYLOG_NAO_ABRA__python24_.exe
File created	C:\Windows\SysWOW64\28463\PAWH.007	KEYLOG_NAO_ABRA__python24_.exe
File created	C:\Windows\SysWOW64\28463\PAWH.exe	KEYLOG_NAO_ABRA__python24_.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	KEYLOG_NAO_ABRA__python24_.exe
File opened for modification	C:\Windows\SysWOW64\28463	PAWH.exe
File created	C:\Windows\SysWOW64\28463\PAWH.001	KEYLOG_NAO_ABRA__python24_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KEYLOG_NAO_ABRA__python24_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAWH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2188	PAWH.exe
Token: SeIncBasePriorityPrivilege	2188	PAWH.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2188	PAWH.exe
2188	PAWH.exe
2188	PAWH.exe
2188	PAWH.exe
2188	PAWH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2764	1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2764	1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2764	1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe	31
PID 1400 wrote to memory of 2764	1400	063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2188	2764	KEYLOG_NAO_ABRA__python24_.exe	32
PID 2764 wrote to memory of 2188	2764	KEYLOG_NAO_ABRA__python24_.exe	32
PID 2764 wrote to memory of 2188	2764	KEYLOG_NAO_ABRA__python24_.exe	32
PID 2764 wrote to memory of 2188	2764	KEYLOG_NAO_ABRA__python24_.exe	32

C:\Users\Admin\AppData\Local\Temp\063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\063643defd3570e52c17c861b84fcbe8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\KEYLOG_NAO_ABRA__python24_.exe
  "C:\Users\Admin\AppData\Local\Temp\KEYLOG_NAO_ABRA__python24_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\28463\PAWH.exe
    "C:\Windows\system32\28463\PAWH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adbec81b510dcfe49835f95940ef961d

SHA1
77940f6e46fbd5f53de23bd49afe9172470769d0

SHA256
466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

SHA512
ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

Download Submit
C:\Windows\SysWOW64\28463\PAWH.001

Filesize
486B

MD5
ef811b7bebd24f1fdb31bd3ead6d3c9e

SHA1
493c512ccb4e55d9058a5363e5a8539a7a0aaa8f

SHA256
8a9bfcb3cbd12e706ed798ff05c399d4f41ee39a64353afc61e0cf2ebf4d9d79

SHA512
88c940ff2c587f90cd3f5dad77041d8653608080f59482511714b8a4ef5717d3b0d541fa0e9ceda4a6c46cba2ed8bee95f8efc290b6ab691228a8283403d2a28

Download Submit
\Users\Admin\AppData\Local\Temp\@E946.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
\Users\Admin\AppData\Local\Temp\KEYLOG_NAO_ABRA__python24_.exe

Filesize
1.3MB

MD5
ae0d6138bad24ec3566b7c657dce646b

SHA1
d5f4057cb04f3df95262867bb9edd320240ab30f

SHA256
c5033f23d3fbec1a24ce43bb1f1e12001b149e0214663c13da4738bed71c4ea7

SHA512
4c52f4f843c86d0ec11496992132feb4caffc9262ca45bb0284e1aa2b9d00f9bbd1e345e6ebdf77199427e1c3bab15f4d205288b20667d5083cc31fd1789d445

Download Submit
\Windows\SysWOW64\28463\PAWH.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
\Windows\SysWOW64\28463\PAWH.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
\Windows\SysWOW64\28463\PAWH.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/1400-1-0x0000000000400000-0x000000000056E044-memory.dmp

Filesize
1.4MB

Download
memory/1400-17-0x0000000000400000-0x000000000056E044-memory.dmp

Filesize
1.4MB

Download
memory/2188-41-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2188-46-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads