ardamax | d7d630d23fd4926ccb8c57b2837d7d7f08b51039119e7ee634cab733b5af7b77

General

Target

46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
Size

678KB
MD5

46e297b3bc53bbe517166f409f6c00c0
SHA1

0196dd35ef8d29771b123999ef690de849da64b5
SHA256

d7d630d23fd4926ccb8c57b2837d7d7f08b51039119e7ee634cab733b5af7b77
SHA512

b5329fdf989262fc48273ac763e93d10786baefcda39c19ac28d785debdca7ff1927c081106117f0f6388a217dbc1c50c313e4155e004e493f2daf1e51202e50
SSDEEP

12288:IrMMMMMMcFrGoU1FQT6snE9A8D9YW2yJrM+yZueogfnm9YAMFnftalD6TRprhp1+:0MMMMMMAiL0T6sE9A8D93RrRyZuqn0HZ

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016caa-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2548	KCUX.exe
2788	Unpack.exe

Loads dropped DLL 9 IoCs

pid	Process
2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
2548	KCUX.exe
2788	Unpack.exe
2548	KCUX.exe
2548	KCUX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KCUX Agent = "C:\\Windows\\SysWOW64\\28463\\KCUX.exe"	KCUX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\KCUX.exe	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	KCUX.exe
File created	C:\Windows\SysWOW64\28463\KCUX.001	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\KCUX.006	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\KCUX.007	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KCUX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unpack.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2548	KCUX.exe
Token: SeIncBasePriorityPrivilege	2548	KCUX.exe
Token: SeIncBasePriorityPrivilege	2548	KCUX.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2548	KCUX.exe
2548	KCUX.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2548	KCUX.exe
2548	KCUX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2548	KCUX.exe
2548	KCUX.exe
2548	KCUX.exe
2548	KCUX.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2548	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2548	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2548	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2548	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2788	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2788	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2788	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2788	2220	46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2372	2548	KCUX.exe	32
PID 2548 wrote to memory of 2372	2548	KCUX.exe	32
PID 2548 wrote to memory of 2372	2548	KCUX.exe	32
PID 2548 wrote to memory of 2372	2548	KCUX.exe	32

C:\Users\Admin\AppData\Local\Temp\46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46e297b3bc53bbe517166f409f6c00c0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\28463\KCUX.exe
  "C:\Windows\system32\28463\KCUX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\KCUX.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- C:\Users\Admin\AppData\Local\Temp\Unpack.exe
  "C:\Users\Admin\AppData\Local\Temp\Unpack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
1e13f68fd4258a545d262c77e38c76cd

SHA1
b8f6710c83e52ad354d8763a1b51293ee5758956

SHA256
d7785409d6e2512d9d907670f79b313192a85138707c6ca0cc59a71f8fd6a247

SHA512
938880407818a1489ecb9911cf05d4c9b69ecb2e0f908c3d3b8ba87b8c437ae16916e46bdf780bba24c38ad2c3981a5dcd4d3acd8ea227ac4dced12f1ca21eb3

Download Submit
C:\Windows\SysWOW64\28463\KCUX.001

Filesize
504B

MD5
7af77e48248ca889bb6d825418bc2de4

SHA1
e50f63d94eaf6e39a4222cc172de324346d8c92d

SHA256
c809bcc3f36f1661383637b27ac6b12c811ff9108dc090019330a5d9ed0ec987

SHA512
a5490e41bb1fefe81d8ace4be5ff1fd22e4568130716a31fe3e8a39a3fa8a6f30545bb58255e7448eaa3b991c8d65da222db0929050f6cc35d5e72c4e14217fe

Download Submit
C:\Windows\SysWOW64\28463\KCUX.006

Filesize
7KB

MD5
46e0f5831dfe24c3105ef20190c5f0d7

SHA1
dbd701062695f9df971bffc1fa433eb18ef61727

SHA256
d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

SHA512
3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

Download Submit
C:\Windows\SysWOW64\28463\KCUX.007

Filesize
5KB

MD5
70c68ec7e4e7f18abf35d47976a47f0f

SHA1
f1263f67e712760e055833d3030ed4583611ad6f

SHA256
cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

SHA512
80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

Download Submit
\Users\Admin\AppData\Local\Temp\@A17D.tmp

Filesize
4KB

MD5
a33680859a24229dc931c0e8a82ae84a

SHA1
dff1e7e7160ffbfaae221cd3a85de40722fddde6

SHA256
d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

SHA512
a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

Download Submit
\Users\Admin\AppData\Local\Temp\Unpack.exe

Filesize
375KB

MD5
7c64fb737a593f295f9de7878976468a

SHA1
dbcf02f23af1c1b4569ccacf33fe7fd6cd00cdfa

SHA256
d220f110942a08e1942ea8262f0911abe6b481eb57140219c651d68ca9a50d2d

SHA512
305556a57958a897fd3ec8340071f84e3243a191861828da5c33936513a142b750e52e62fdf64062acdf6e7f2ede2ae6c31157c148c0bdab3090905b31122170

Download Submit
\Windows\SysWOW64\28463\KCUX.exe

Filesize
471KB

MD5
328ef8c28309203cfbe5655274d5ea48

SHA1
403399787e94f7d4e3c8e237e25399263e9f4047

SHA256
0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

SHA512
93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

Download Submit
memory/2548-34-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2548-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2788-28-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2788-41-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2788-42-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads