ardamax | acc815c3d89e8ebb7a43e9696ec236c1a85a97a95eb8d3d2bb8c080869fedb1d

General

Target

2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
Size

478KB
MD5

2bc8b4cf72a3c41dab0db8daf05d1c5a
SHA1

467cf165a6bd2708741f4b06b8831f72ebfb1f70
SHA256

acc815c3d89e8ebb7a43e9696ec236c1a85a97a95eb8d3d2bb8c080869fedb1d
SHA512

a6e30d2af4ba8c35c06fc6abbcc7802c347706e2a2f39655c44af8230f10364f71ca91c637fc1fac00b6074702de98278ebb31cf77edfa130c29601ee2f6fdf2
SSDEEP

12288:tded9iJ3MRFdF2Wb8yF7Ib07X7FcNVjv5oP:ad9yedF2u8yF7tCvjv5oP

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000162e3-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1856	HHDH.exe

Loads dropped DLL 5 IoCs

pid	Process
1092	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
1092	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
1092	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
1856	HHDH.exe
1856	HHDH.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HHDH Agent = "C:\\Windows\\SysWOW64\\Sys32\\HHDH.exe"	HHDH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\HHDH.exe	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	HHDH.exe
File created	C:\Windows\SysWOW64\Sys32\HHDH.001	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\HHDH.006	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\HHDH.007	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HHDH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1856	HHDH.exe
Token: SeIncBasePriorityPrivilege	1856	HHDH.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1856	HHDH.exe
1856	HHDH.exe
1856	HHDH.exe
1856	HHDH.exe
1856	HHDH.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1856	1092	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1856	1092	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1856	1092	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1856	1092	2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bc8b4cf72a3c41dab0db8daf05d1c5a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\Sys32\HHDH.exe
  "C:\Windows\system32\Sys32\HHDH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
53a578b112aeb18c5993556d4440ade1

SHA1
e51f2fcc784def3cc5ff594edfee5e25f1e9818c

SHA256
9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156

SHA512
31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

Download Submit
C:\Windows\SysWOW64\Sys32\HHDH.001

Filesize
386B

MD5
8bbcf9d09f56d292520c8a259668caaf

SHA1
88f36d03ceba2f8096413d47be71cfeaf6489517

SHA256
cdcfdbd80dd31ff31db5a6980660888cf167fed771ddc6f7fb7d5f9dc0dafc64

SHA512
2dae057aae060f7645b08a2a4ef51d929099080c358387a970e451e26282d934fcb60891c0735173cecda5385f233953614fffcef80fe1dbacdd18404d503bb2

Download Submit
C:\Windows\SysWOW64\Sys32\HHDH.006

Filesize
7KB

MD5
504f5a7e8447c65bc2218bb3d47c309b

SHA1
5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44

SHA256
81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f

SHA512
b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

Download Submit
C:\Windows\SysWOW64\Sys32\HHDH.007

Filesize
5KB

MD5
22e9e9b13c2c676bec39178311d55253

SHA1
da60379e518feeb798005065dcf626a74afe1848

SHA256
3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14

SHA512
1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

Download Submit
\Users\Admin\AppData\Local\Temp\@9EA0.tmp

Filesize
3KB

MD5
14c3321783fac66161b308d34c5b0eac

SHA1
021b4f77e27d6e0b032158936a752e27cdde09fa

SHA256
09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21

SHA512
9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

Download Submit
\Windows\SysWOW64\Sys32\HHDH.exe

Filesize
475KB

MD5
9c3ff825312190802dc56c7b0d0ccebd

SHA1
58e200c00382b3d13c81c9e829da065ed45f5928

SHA256
e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4

SHA512
513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

Download Submit
memory/1856-24-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1856-27-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads