ardamax | dd4da34e1824487755b6f25abe47461ab8a62126f59857bb01a8a21ecce000cc

General

Target

0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
Size

176KB
MD5

0c3f9600cf2e2caca46b95a6a4eef62e
SHA1

a8bc9078892e87071d03e130d3888fb68524b8f1
SHA256

dd4da34e1824487755b6f25abe47461ab8a62126f59857bb01a8a21ecce000cc
SHA512

89cad159b5b3497c3be499181bb9216bc1922529b2f32bb019b67c2b3eedd14c87c4da57b0e99b5d989e65bf5ac30a894e39b636373d0b09b6f1e1283a93f00e
SSDEEP

3072:DOrFCI2QqZFpl/lyvp1mJWyIxsNevedCj7XP3uJyWa8rrunqJrACL0UdZ9vneK/C:YNmLp7y3mHsfXXmJxdrunqxAS1X/kjuy

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016593-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2876	TPD.exe

Loads dropped DLL 8 IoCs

pid	Process
1152	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
1152	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
1152	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
2876	TPD.exe
2876	TPD.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TPD.001	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TPD.006	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TPD.007	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TPD.exe	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	TPD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	2876	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPD.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2876	TPD.exe
Token: SeIncBasePriorityPrivilege	2876	TPD.exe
Token: SeIncBasePriorityPrivilege	2876	TPD.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2876	TPD.exe
2876	TPD.exe
2876	TPD.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2876	1152	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe	30
PID 1152 wrote to memory of 2876	1152	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe	30
PID 1152 wrote to memory of 2876	1152	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe	30
PID 1152 wrote to memory of 2876	1152	0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2628	2876	TPD.exe	32
PID 2876 wrote to memory of 2628	2876	TPD.exe	32
PID 2876 wrote to memory of 2628	2876	TPD.exe	32
PID 2876 wrote to memory of 2628	2876	TPD.exe	32

C:\Users\Admin\AppData\Local\Temp\0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c3f9600cf2e2caca46b95a6a4eef62e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\TPD.exe
  "C:\Windows\system32\TPD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 512
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TPD.001

Filesize
1KB

MD5
fef3884b1322b5e9af85b4c1597f859b

SHA1
fbb117c73ee39f4f0f4257b6601dee2c42c74882

SHA256
f11ebd77da27c71202c0068fbdcd5f08205ba79238ae2c4c9c7a0cd8001d9a70

SHA512
04ca9e5cf3fdfce9625205fd00207c705ae8e0d5a1a50088150c6c0bce278eb0ba768a226ca47afd82ac6da8b7fdf077a5631e65ac464d1f89672c58e4bd1eb0

Download Submit
C:\Windows\SysWOW64\TPD.006

Filesize
4KB

MD5
0868167c8915fb3d87d4e5a775a57ffd

SHA1
5f223134e003382fd8c191a1f4ca94922f1d802e

SHA256
6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

SHA512
d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

Download Submit
C:\Windows\SysWOW64\TPD.007

Filesize
6KB

MD5
5e023770dfb9d9068706facc958c7d66

SHA1
9cf95074a78239da000452362c2167991970e972

SHA256
f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

SHA512
a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

Download Submit
\Users\Admin\AppData\Local\Temp\@BF69.tmp

Filesize
4KB

MD5
ccfd350414f3804bbb32ddd7eb3f6153

SHA1
e91d270b8481d456a3beabf617ef3379a93f1137

SHA256
1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

SHA512
328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

Download Submit
\Windows\SysWOW64\TPD.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit
memory/2876-23-0x00000000775F1000-0x00000000775F2000-memory.dmp

Filesize
4KB

Download
memory/2876-24-0x00000000775F0000-0x000000007761A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing