ardamax | 913715e56ec7145f019b09858d7cbf0530a49a1b7e87daae589dbf887f8e304e

General

Target

3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
Size

1.6MB
MD5

3d4abfa90c621d3726e8f5593c52020a
SHA1

15bda26ef77264a1e3e65450a09410bcb3f71899
SHA256

913715e56ec7145f019b09858d7cbf0530a49a1b7e87daae589dbf887f8e304e
SHA512

62f030e9398a8d3cbfbc2c877725b5a9c79cf20fb84df31225a287f5c064daa1061f7ef77732f924cba92c6fd291fbacb1cdd1c8a3b344f1243315dbd0e9d57f
SSDEEP

24576:TbPTelA95idLapveRf+Z1W3o7MQOFqD4LdbqPuiIEnkA2lssK966MlPThPr5GeQx:T7TXdWRk15iW4hGPuZEkHs9atUF

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000017466-6.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
3008	OVL.exe
1940	Injcetor 1.3.exe

Loads dropped DLL 4 IoCs

pid	Process
620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
3008	OVL.exe
1940	Injcetor 1.3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OVL Start = "C:\\Windows\\SysWOW64\\RJSUCV\\OVL.exe"	OVL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RJSUCV\OVL.004	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RJSUCV\OVL.001	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RJSUCV\OVL.002	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RJSUCV\AKV.exe	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RJSUCV\OVL.exe	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RJSUCV\	OVL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injcetor 1.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OVL.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	Injcetor 1.3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3008	OVL.exe
Token: SeIncBasePriorityPrivilege	3008	OVL.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3008	OVL.exe
3008	OVL.exe
3008	OVL.exe
3008	OVL.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3008	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	30
PID 620 wrote to memory of 3008	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	30
PID 620 wrote to memory of 3008	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	30
PID 620 wrote to memory of 3008	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	30
PID 620 wrote to memory of 1940	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	31
PID 620 wrote to memory of 1940	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	31
PID 620 wrote to memory of 1940	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	31
PID 620 wrote to memory of 1940	620	3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d4abfa90c621d3726e8f5593c52020a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\RJSUCV\OVL.exe
  "C:\Windows\system32\RJSUCV\OVL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\Injcetor 1.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Injcetor 1.3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Injcetor 1.3.exe

Filesize
1.2MB

MD5
1c7dd9ee1372bad79a0ff4329c49ef11

SHA1
76968059a53d61c041d9f1b0e18327cd02d88863

SHA256
c858baa3fc47fa2f6b77b38436a25fada4121af675fb66cf8b8efcc2294c34f1

SHA512
a4759a76965b8033fe3ff021f173566de2ada08b3131437a3b285490193d77301a304ab6bcede0c0bcc94722237b178b148e61594c8c4a4c739e4309d935b3e9

Download Submit
C:\Windows\SysWOW64\RJSUCV\AKV.exe

Filesize
449KB

MD5
83fec9657eb13e74504a6efb3f1aad0e

SHA1
cb2f84288a5435bab248716c0855601ee66a5983

SHA256
8ca4fb9f3830165b3e03b6797ba5f1147fa884e4c4a5f16f6d64620ba670d50d

SHA512
ea7cce2c602497c8c6da31a00f90fb08a4b27d3593ca330dc16937dff518fbb22c89fbd47396a5c8cc740dd2589d2db577b570aaf898bb44c57999512a6f05b7

Download Submit
C:\Windows\SysWOW64\RJSUCV\OVL.001

Filesize
61KB

MD5
1d6f0b3843d17046be7669262085fb67

SHA1
703b2d00731920b77041908ee4ec44ed10d6f8f9

SHA256
88c91de925b84024367fd2a0a2597ef884c16f424771ca1a17780fb4cff7c591

SHA512
23c6e8c94908bce7400527c7ad4bdd030074d45c48421140eeee6a9e156571d5a31c4ad7bb0f2042b2dfceab14f36044c433c0b2d4cdee4dfed1dccb9b28188a

Download Submit
C:\Windows\SysWOW64\RJSUCV\OVL.002

Filesize
43KB

MD5
4207e94e5371e60c5a1c8a3a1bf7169a

SHA1
469d55baaed9f93dd74bdf41383a760fd8690342

SHA256
0caf0bcee50026d048e8c02345be9d6aa387db5245d99c2dcc255c75eccbcec5

SHA512
c85ed60aefd0bc7105760df5d969ab606e1d6775de20b11ef14b454fc27f1308e91111786895e42c38b019f286425f980ac113086809ed3c6babc778af5deec1

Download Submit
C:\Windows\SysWOW64\RJSUCV\OVL.004

Filesize
662B

MD5
2afec883938b6c55315a5218a6d9243c

SHA1
0cc87a3f722edf6bbbb4c99217e61796efe91cab

SHA256
ae15f711daa1248872bd4ce8e66cfa3875532f539fa2fb992c06243a9ba36bab

SHA512
3db5ee34e9ed409639f46f61ef6fa06f41ca19e93786dcbd2f1fdf3fa59cd1341c7d78b310c1472f29f0266607cb13c9b5bafe286d8e5a96d81a5c0dcbccf8df

Download Submit
\Windows\SysWOW64\RJSUCV\OVL.exe

Filesize
1.4MB

MD5
3c0034d74caf9846686a2d93fd3079ac

SHA1
949adf7912c74ca8517d70f30b823264a5a7e067

SHA256
55750ec7e5c987dbe2585f0e4b1728999b3bb94d5efd458f4aed75efa960855b

SHA512
5c25cfbbdb2f794a484a2a1d9a454d9b13ab90cba0313ce995330e97516b422524cd388a357d211addfdfcec06d681edf131a3b98839a3f6d3d9863d97ad1399

Download Submit
memory/1940-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1940-27-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1940-26-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/3008-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3008-25-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads