ardamax | b8a8717779ad21033ed5c7a9defe8aecb9c80428ea88a0b932eb0e5022c1862d

General

Target

1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
Size

1.2MB
MD5

1d303012b45217ff88702381c7d3b33e
SHA1

b38ddb3e86f8b8e80863fe65405ec265c983c4cf
SHA256

b8a8717779ad21033ed5c7a9defe8aecb9c80428ea88a0b932eb0e5022c1862d
SHA512

c51b5dae2b1cedda6ad59de61e0f7b59718e085ece827e580cf392aa96517d6383c4a6942ea799a6f63bef7643c2ebc28ed9c860a1beb4ccbaf964d7e5e23e60
SSDEEP

24576:v0NzTpYaP4ZF4AHNxsm8Rsvzn7qiNI3rWS7o2H7o5dJYMhYqdP5jfy3QrSIgLIox:v0pTa9fsmHznGie7s2H76fmQ2Igkq

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d2e-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1320	XYS.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
1320	XYS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XYS Start = "C:\\Windows\\SysWOW64\\BBJJWP\\XYS.exe"	XYS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\BBJJWP\	XYS.exe
File created	C:\Windows\SysWOW64\BBJJWP\XYS.004	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BBJJWP\XYS.001	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BBJJWP\XYS.002	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BBJJWP\AKV.exe	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BBJJWP\XYS.exe	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XYS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1320	XYS.exe
1320	XYS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1320	XYS.exe
Token: SeIncBasePriorityPrivilege	1320	XYS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1320	XYS.exe
1320	XYS.exe
1320	XYS.exe
1320	XYS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1320	1724	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1320	1724	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1320	1724	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1320	1724	1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d303012b45217ff88702381c7d3b33e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\BBJJWP\XYS.exe
  "C:\Windows\system32\BBJJWP\XYS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BBJJWP\AKV.exe

Filesize
484KB

MD5
4f60429f20ac507bb61cb45998a73847

SHA1
c094a508b75c7c9a83cb04cd1fa9a547ab87fded

SHA256
65478b0bded54534eb7e1241a8da267c57b55c3da90adce2880c04b861c6ddc9

SHA512
e5f879e4e21051d91f7bf88e77dbbf1c288d595988d55a13ef703e242094e8a762c3262200cf478d55ac91d12cefcdd176646cffaf88439313d8e44b12c5fa91

Download Submit
C:\Windows\SysWOW64\BBJJWP\XYS.001

Filesize
61KB

MD5
0d52ec4abb6e5055a153d97eab5bc2da

SHA1
f01f83ac6741d9d53aa43501d456c5b003746fe9

SHA256
845e34cf0373b2e959d3d27cfe09d858283dd6a4b335014c3b82e4af1161b321

SHA512
5876e5a0401d9520678e733fc89147d6a6d7ef5bf6f8dbbb59276c79f8cf57301a49b3c20861a5696ee36337d6b151c32c3be2abcdb2990301bf0c616ff0be19

Download Submit
C:\Windows\SysWOW64\BBJJWP\XYS.002

Filesize
43KB

MD5
fab6c7c9f60f3a391f22754e221ba23f

SHA1
b885a44fa6a8d6c0f08069f202527de1e93d460e

SHA256
11c28e015fb748bf664203c92288252a90aa7119079094d5fed17bc6ebfc803b

SHA512
86c368b8d542ec4dde120effcdac80a03118b8296188f3e09dde81883903b6a51a1bb6b981d394e05ff21bdc1cdcda125a427bfdb76aa209e706a58666e342bb

Download Submit
C:\Windows\SysWOW64\BBJJWP\XYS.004

Filesize
1KB

MD5
aab7ce9019f6a00a9478685ee560ab6a

SHA1
4bb098cf44b873b7ac9a06bf5eed379badf27de0

SHA256
bafb74da2d4b957284cf4917c273578105e388dde2516f8539ffccc46541feb4

SHA512
84c65dbee7f825e514d036b5bf31cf95da0252cb7f08fb8f14c4cd5ab767ea6277789a839a20a57017c077bcd99bc105a8f67c455ce7980763a6d06c903f44b4

Download Submit
\Windows\SysWOW64\BBJJWP\XYS.exe

Filesize
1.7MB

MD5
cfeee152a39c265c34b5163548f8c59b

SHA1
5807f521bf8c48e8fb0abb657b6df7d21a533dc4

SHA256
0f86eb289dc6b99c7560607e4e8e84b134515cee05becae947056026bfd21844

SHA512
b50eafbade678e6a29dcae61e6eb251bcbc26d25427adf313aa7eb654de710d48236f1749e59cd0b19e28967b26a37bde364e584853b9b7f007d89c999d08ecd

Download Submit
memory/1320-15-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1320-17-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads