ardamax | b93fee87ce907c8915acc68b08c436f494af40d93e04a2cbfe30808882856e79

General

Target

49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
Size

1.0MB
MD5

49611940363b3ade59162fb625e0d7cd
SHA1

4da611cef59a246ab8a29076538e17342a9dbd99
SHA256

b93fee87ce907c8915acc68b08c436f494af40d93e04a2cbfe30808882856e79
SHA512

146a42039700fb51a943def8a3f90d953de57dcb8b9f68b086562ac33e3c4ffd94f8034dde5a4e1b4aae9b7944460fc6a2ad596875960ddf8c0677660283e38a
SSDEEP

24576:ujXTx80EKGKmO3RN0X65argTKFd5+5vegDfE:uDTxzpmO3RHGZS2oE

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cc8-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2396	IPG.exe

Loads dropped DLL 2 IoCs

pid	Process
236	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
2396	IPG.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IPG Start = "C:\\Windows\\SysWOW64\\OYAIJG\\IPG.exe"	IPG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\OYAIJG\IPG.002	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OYAIJG\AKV.exe	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OYAIJG\IPG.exe	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OYAIJG	IPG.exe
File created	C:\Windows\SysWOW64\OYAIJG\IPG.004	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OYAIJG\IPG.001	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IPG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Web3.5 = "1729017303"	IPG.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2396	IPG.exe
Token: SeIncBasePriorityPrivilege	2396	IPG.exe
Token: SeIncBasePriorityPrivilege	2396	IPG.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2396	IPG.exe
2396	IPG.exe
2396	IPG.exe
2396	IPG.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2396	236	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe	30
PID 236 wrote to memory of 2396	236	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe	30
PID 236 wrote to memory of 2396	236	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe	30
PID 236 wrote to memory of 2396	236	49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1776	2396	IPG.exe	32
PID 2396 wrote to memory of 1776	2396	IPG.exe	32
PID 2396 wrote to memory of 1776	2396	IPG.exe	32
PID 2396 wrote to memory of 1776	2396	IPG.exe	32

C:\Users\Admin\AppData\Local\Temp\49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\SysWOW64\OYAIJG\IPG.exe
  "C:\Windows\system32\OYAIJG\IPG.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\OYAIJG\IPG.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\OYAIJG\AKV.exe

Filesize
490KB

MD5
7c945f8ff017b9c3e00fb23e47c05b88

SHA1
c5808f4a6494f5f619584ce1eea3bd63fab41675

SHA256
0beb5579a7321017b3efe319e40af7ad940c4d64916295929fe0e88bdd35e848

SHA512
feb202e2c63be69ad77160716bcf4f83bd90571349c6115955fb2ea584d8913dd153ca782974e3b50c9a8cd58df01ade6c88339f0c43c2af5778fc3457132246

Download Submit
C:\Windows\SysWOW64\OYAIJG\IPG.002

Filesize
42KB

MD5
ecb9e8c27d6cc6ffd1e857767b9c6f24

SHA1
10a9a5054e6f1c8d1bda456b9ecb5bf359faf010

SHA256
5d948e3a55e9b1de0e9f8f89d0dd3a769bbd8d178f3297cc02864f5688dbcb29

SHA512
259ae145a962426b9b60d585d939caf86043b9031480b472ab8ee91eada3d1d7d6fc502718fbbc07ac9600368e81f87e68fd10d5fa039a85a1d4a8ddfde1968e

Download Submit
C:\Windows\SysWOW64\OYAIJG\IPG.004

Filesize
800B

MD5
3749238257a2a3fab2bd8a144acd9de9

SHA1
184ce77a4b35486d99cb819efd647f6cd1735197

SHA256
2d1daa653b187f9898616eedd722c23607c3521ce0a1e08cef86425e4662fc90

SHA512
f77f947d2c50d72984547d6810b841af9a28e927353887537f4ed2f88b5db31d9a15bc757a2e87531b3890fde932d960ce009876b36ef7c28c5a7388fe595915

Download Submit
\Windows\SysWOW64\OYAIJG\IPG.001

Filesize
60KB

MD5
256d32d205671ac8ed51e56c5c5d2d56

SHA1
c0e98db79b026a2ba7c4838bf11d6e8775a10262

SHA256
064d8c21bd0cf41315cef61af65be92327275633fbdf37771c3d996202909a9a

SHA512
197a6c0d27550d4756c124b41310ae39e546449da3254c15d0070bfeec4600d12f4e653f12e4a554c69eeab615f3e159960805c029f9b4abb197b64af78c5581

Download Submit
\Windows\SysWOW64\OYAIJG\IPG.exe

Filesize
1.3MB

MD5
6c94881041df04b34498298262be0095

SHA1
a55cf3e5b3d04cbc3fff689219bb4176db698afa

SHA256
b8e1a7f773703fd5b7e7658bc3f54fd50e4ea6502f9ed3b996c3ef9c977b3d9f

SHA512
dba2ad2dcb51d7dc9e01e668e91132fbb22c6c1423c3dc96c081a1bcc2614987e4091d99c9035abf4c1c2b485c36095a06cfaea67431e1d18a83c186bcea4fbf

Download Submit
memory/2396-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2396-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads