ardamax | 125d86f0d7cd8c22d44f3f7c5cc02ad658aace1243be5b85af2fe7a211f711a4

General

Target

0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
Size

196KB
MD5

0c4d69452fe818fd0117ec239c2943eb
SHA1

72db664da6857c647dbe32501d94c0ee38afcdec
SHA256

125d86f0d7cd8c22d44f3f7c5cc02ad658aace1243be5b85af2fe7a211f711a4
SHA512

fa5a57ed9f4e8f914283aa34526ed4ced1361c0f82bf3ca9f6ca351eabe3788afa59ac6ffd79d06c9815385050cefe6fe0dbf2202f5f27488623d99f03da71ac
SSDEEP

3072:7zCNmpyGzKOrzdZj+xYo0+DUmKXSmm6hoiHJZS75tkAPaWWOc62j14E:7smpyGjrzd9Z+bKfmWXrS7rVPaWlcKE

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018bf3-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2908	HJB.exe

Loads dropped DLL 5 IoCs

pid	Process
2384	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
2384	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
2384	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
2908	HJB.exe
2908	HJB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\HJB.001	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HJB.006	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HJB.007	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HJB.exe	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys	HJB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HJB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2908	HJB.exe
Token: SeIncBasePriorityPrivilege	2908	HJB.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2908	HJB.exe
2908	HJB.exe
2908	HJB.exe
2908	HJB.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2908	2384	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2908	2384	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2908	2384	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2908	2384	0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\Sys\HJB.exe
  "C:\Windows\system32\Sys\HJB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys\HJB.001

Filesize
2KB

MD5
e8fe6fe4a5e3b52319702a250d1c2bf1

SHA1
aaedc44abbc7a39e8de9f0aafadc3d723828bb4e

SHA256
8c300e587eb9af3498b8f2cf1bc5a1620c1bd8e1d542261656112bb75295006d

SHA512
40ccc6ee78e480d7e4f5d0522feda43c3d7b9c2bbc7037f185df699f61532c760575d441c9da52b1a1cc29f99e76b0ed0e967717bd40a8734918d257bc2afb18

Download Submit
C:\Windows\SysWOW64\Sys\HJB.006

Filesize
5KB

MD5
74caf5b74ba47e2856c0ec7328772622

SHA1
4a542a3c8d7a5ae626d84698202c482a9d340525

SHA256
ca4e77e8c938dd7516b6869542b836072870e80d28e49fd6bf3f8818ade1fa05

SHA512
d179d5052873061a1cda91918ccbc5013c510683addc65c319bd663e5faa451fdbe3a4b1b412c9b91990b60c891b33b358d2b146b97c0f146f153e54ebb3c8cc

Download Submit
C:\Windows\SysWOW64\Sys\HJB.007

Filesize
4KB

MD5
40987586e4cc322efcc1945e3cabfff9

SHA1
0a70fa4a9c33cdd2e3b1b406b26105d0bbdf5405

SHA256
5d0cf6ca55aff3dfc11b43e7dc193cfa337be2da785acb20d185b9d0f8a552c7

SHA512
218fa37041b8191d84835d348b9671f6dbb05acdee0b6cec295e388ffd5f175979211a2f09d30c7fc5754847479a0c828ca308934229fdbd21fdaaac1162b45a

Download Submit
\Users\Admin\AppData\Local\Temp\@D8D2.tmp

Filesize
4KB

MD5
3cd32c2807889a8670908c19babf58a3

SHA1
08e7dbf58a06536a9bd1f09154db8cbc3d2b94d2

SHA256
d1cb352518d223ce610287f4538968a362c0ffd018c6978758daaeb09730ad1e

SHA512
1d0b6fb389aa9bd14fda66faec228771ca6f8d10e76f4fa9712df768dd66158e3d338d1560637496f932f2b8200d739e26f65f8d0cb93466edd396130cc97fef

Download Submit
\Windows\SysWOW64\Sys\HJB.exe

Filesize
298KB

MD5
2d7c66e3bd54bbe29b6510fd413e845c

SHA1
0e0d5956298d2cfee29697600ada8064afa1d17a

SHA256
2452b71820e2e1c1c4a9b8250349df71106e520b25a531c81df54412d3c1335f

SHA512
ffe5dad0472bf07b570aec36707632eb13d71aa8e0434ac47bcdeb5c7e92b6a02689136274c020f9d5eb7a6e0ea34e141368fb17e14b83af3c0a280b12ae906d

Download Submit
memory/2908-22-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2908-25-0x000000007762F000-0x0000000077630000-memory.dmp

Filesize
4KB

Download
memory/2908-26-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing