ardamax | 09b38fa968b81d88adb26785878e7db9e363bfe8c40222eb29444e87cbdb3e5a

General

Target

43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
Size

464KB
MD5

43936d2c54f69b300e33d0b97143eae9
SHA1

c00c89731061463ae09fda77372a1f45e33c4d92
SHA256

09b38fa968b81d88adb26785878e7db9e363bfe8c40222eb29444e87cbdb3e5a
SHA512

036d9f18584edd6807d75341412acbaafc92b0b1e0409d9e6b53e857644d36deaf4cf8eaff4161386ca2b74b5b4c7b36fa708ecc43914bb9bc6dc984897a9812
SSDEEP

12288:+0Ps1xthKdR6Ho7G+DmdCqhK1vDuQkMTa:v8T2R6Y9DUMGMTa

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000173a3-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2760	Exe.exe
2844	Nudge_Madness.exe

Loads dropped DLL 8 IoCs

pid	Process
2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
2760	Exe.exe
2844	Nudge_Madness.exe
2760	Exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Sys\Exe.001	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
File created	C:\Windows\Sys\Exe.006	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
File created	C:\Windows\Sys\Exe.007	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
File created	C:\Windows\Sys\Exe.exe	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
File opened for modification	C:\Windows\Sys	Exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nudge_Madness.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2760	Exe.exe
Token: SeIncBasePriorityPrivilege	2760	Exe.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2844	Nudge_Madness.exe
2760	Exe.exe
2760	Exe.exe
2760	Exe.exe
2760	Exe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2760	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2760	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2760	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2760	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2844	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2844	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2844	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2844	2168	43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43936d2c54f69b300e33d0b97143eae9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\Sys\Exe.exe
  "C:\Windows\Sys\Exe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\Nudge_Madness.exe
  "C:\Users\Admin\AppData\Local\Temp\Nudge_Madness.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nudge_Madness.exe

Filesize
220KB

MD5
fa2872e1a28b31fb2ccd92746397448d

SHA1
1b63649caaa88562f257c183c86acb983eb93b25

SHA256
b2db7a4401fb56d23770290bb9a10fdca6e40daa24f54fca339bc5cdf49fa8ec

SHA512
20ca0bc8c5d0122dac5b844a3174b8ef7fb12c134af89bf1d1806b67aa84e218af786fdec27afc1f9b1d77589776ca686f101455797c575d01d0579015c9b513

Download Submit
C:\Windows\Sys\Exe.001

Filesize
3KB

MD5
654a9e6b0dcd630ac38f96b31805829b

SHA1
f1c31cd85c13a8ac9456c20b12e7306f5fcf9114

SHA256
da5203b44ec966ef3a0c1875ed7d288085a34201c91cc368747a113833b6ceae

SHA512
634cecad87d797be3df7b3403c820d7484322b57704eb6204107a80ac46bd027a786318254274447606a22a0681c921e24040480790ae756f2a828416b365f27

Download Submit
C:\Windows\Sys\Exe.006

Filesize
5KB

MD5
81684ae4865ec5f66d24e892b03cdb28

SHA1
71e0129317001cbf9fc0876a6ea15886c0caa987

SHA256
b036f867ef31023198260a6610a57cc9148a547103b17de934e607aca580eb23

SHA512
adac78672fa35ad5aef8afac26c6360f06f98783fc3527c558b6fcadfd6d22b06ef4a8c0f6c076da3b270f83265eb4d20d58fc514932ad3d16554c3fd33f4fec

Download Submit
C:\Windows\Sys\Exe.007

Filesize
4KB

MD5
ac152720163090f4c0fb7f5c7e1638dc

SHA1
4fec3f24e3f9221c7c7cf918d7507586bf0cf48a

SHA256
fdc0467059610b4055818e2e499c1ed17705397383a61245917bb93ba0f8e3ef

SHA512
d62d827530d421735e95620f57230b1d7376a1055ddfb32d00db8df7764618f442a5166bdb765babf85695b7138ac7c4c71c231e5c745ed7d8113e6394acd301

Download Submit
\Users\Admin\AppData\Local\Temp\@57B1.tmp

Filesize
4KB

MD5
fec74da36beb4457716675804f74221c

SHA1
1c02ce33852f00dd896b4bb1d93fbba663dd329d

SHA256
e47ac7649f18595fbd2281a8cdff82a2b488b8dd56bc1ae88930b521f24b1c89

SHA512
64b1d6912b2d6336f2ec7abd240215c842970eece0007afb4c939cf40becb437d6d6708d840035c935d96742918de07b52a96708388cbcda438e8c56d49ede06

Download Submit
\Windows\Sys\Exe.exe

Filesize
459KB

MD5
b7a532f4b00925d636882e80f49305a8

SHA1
ae88858ea8c3a7ba2ed373cb104ef2152fb44b54

SHA256
f417f9088e6c39c418ecf8efbf0038362945788838bd7e67efd89199ada15ccd

SHA512
551fe3425b17f29b1c8157b2fdf6c6c0ed15c655bc14e9b73ec38209c55191444762eeef61ae933047079243b9487f92b649f5852b3f22d4bac5d070f523b706

Download Submit
memory/2760-32-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2760-37-0x000000007772F000-0x0000000077730000-memory.dmp

Filesize
4KB

Download
memory/2760-38-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing