ardamax | 19dfe24aec0efdb03c06225689c27c7eb4a2a698a70e7de4257cddb0a911eb26

General

Target

2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
Size

256KB
MD5

2598d46fe6dff6ae5f9f0aa2ec2a219e
SHA1

a0f7a3b3ef1359e4994dad5dcf6808b2ae4776bd
SHA256

19dfe24aec0efdb03c06225689c27c7eb4a2a698a70e7de4257cddb0a911eb26
SHA512

5cac1743dc2ef8c5ba69547e70c179e18fb2457ed17dfa1ea75408c545f7cff0445904bee0518638a50311861e9e2f454fa8fb95c19da77594ca5f7b9a8d0384
SSDEEP

3072:hOyycQkox/59GaVHY8Gc4941G8XzFPF7TJEgXxTXub2escdXFoMi4Qp7zQQplwlN:G/5fG44is8JFXxCRsEvMNzH/A3Yh6

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000017409-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2336	MapleStory.exe
2504	MapleGod.exe

Loads dropped DLL 6 IoCs

pid	Process
2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
2504	MapleGod.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MapleStory.001	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MapleStory.006	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MapleStory.007	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MapleStory.exe	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\H@tKeysH@@k.DLL	MapleGod.exe
File created	C:\Windows\SysWOW64\H@tKeysH@@k.DLL	MapleGod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MapleStory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MapleGod.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2504	MapleGod.exe
2504	MapleGod.exe
2504	MapleGod.exe
2504	MapleGod.exe
2504	MapleGod.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2336	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2336	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2336	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2336	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2504	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2504	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2504	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2504	2308	2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2598d46fe6dff6ae5f9f0aa2ec2a219e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\MapleStory.exe
  "C:\Windows\system32\MapleStory.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\MapleGod.exe
  "C:\Users\Admin\AppData\Local\Temp\MapleGod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MapleStory.001

Filesize
1KB

MD5
eb3063b94fc7e47412736d11cea87bc2

SHA1
6533a211937300fe247b53996380ab2e4cfda2c1

SHA256
240c8010c3b46480ca267cad0b5d93976530b6799fbf30043b1fd80fb8ef3bcb

SHA512
929ec2e1d6eb8d7959eaebcd4c38be12cbeff19c1fca7df63d61b4d834b7ab96b6227766b1b1d10098891573d1d5387579589a74c9356b43933e4658e7054e0d

Download Submit
\Users\Admin\AppData\Local\Temp\@E0CE.tmp

Filesize
4KB

MD5
ccfd350414f3804bbb32ddd7eb3f6153

SHA1
e91d270b8481d456a3beabf617ef3379a93f1137

SHA256
1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

SHA512
328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

Download Submit
\Users\Admin\AppData\Local\Temp\MapleGod.exe

Filesize
214KB

MD5
d678972d03482d3fdd303fc5e26f553c

SHA1
1acac0d490c8db091631d8fbeee772e1fff98445

SHA256
81384187117337a3823465cfdf5fe8f6646848f67e39aa84ef66f43ce44bdc4e

SHA512
da88146c0b5f83bc78505068c1d90663ab8dbfc80fee1f3af825b9299e11db472f526066428bb81e82e1298dd5bc7cbe5e6ef119bccccc1f128e80dcbb04dff2

Download Submit
\Windows\SysWOW64\H@tKeysH@@k.DLL

Filesize
20KB

MD5
116ec20265b00cfe389518e2a0c7ed81

SHA1
d04c903ef681bb18dbf337ffa7ff2a9ccc8bedd6

SHA256
ef9d09e51c42bc04d48444b2517471ea07f2d8a6a6a2e67dd635b7bf95bf8b7a

SHA512
594f32c4e51a87294bcfa1735254d04d5d43a38ad2ab7a39f7157bac75b959ee327053df79ee2993a8a2f4e9faafb5c8868283ae2bac8745cb916d5565171cef

Download Submit
\Windows\SysWOW64\MapleStory.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit

Analysis

Sharing