ardamax | 0a39f47d1752afc54fc62f09161f568624de3525dffd811ee3a793618846771a

General

Target

4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
Size

3.5MB
MD5

4ef708812af1e63df7275a8789729603
SHA1

bcaccfa513f7fbd846d524c6c2234dc0108aa854
SHA256

0a39f47d1752afc54fc62f09161f568624de3525dffd811ee3a793618846771a
SHA512

900e4c7ee079ad9ca7481e2c960c958c11dc6392c112b233322eb846d34a627ff87b12fb16fc1db2531c73edb57f268a89731f72be0b0c404e7a78a43a668988
SSDEEP

98304:L/LLXaagzX7WMT286/LLXaagzX7WMT286/LLXaagzX7WMT28:LHidqFHidqFHidq

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015ff5-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1672	OYW.exe

Loads dropped DLL 4 IoCs

pid	Process
1680	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
1672	OYW.exe
2808	DllHost.exe
1680	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OYW Start = "C:\\Windows\\SysWOW64\\WFJNKU\\OYW.exe"	OYW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WFJNKU\OYW.001	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WFJNKU\OYW.002	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WFJNKU\AKV.exe	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WFJNKU\OYW.exe	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WFJNKU\	OYW.exe
File created	C:\Windows\SysWOW64\WFJNKU\OYW.004	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OYW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1672	OYW.exe
Token: SeIncBasePriorityPrivilege	1672	OYW.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1672	OYW.exe
1672	OYW.exe
1672	OYW.exe
1672	OYW.exe
2808	DllHost.exe
2808	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1672	1680	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1672	1680	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1672	1680	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1672	1680	4ef708812af1e63df7275a8789729603_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\4ef708812af1e63df7275a8789729603_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ef708812af1e63df7275a8789729603_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\WFJNKU\OYW.exe
  "C:\Windows\system32\WFJNKU\OYW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1672

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pool-party.jpg

Filesize
43KB

MD5
60888e60884ead1ca7973b036ce735d6

SHA1
9a8cf4cdadd135ac5ade014e008099bb61e23d7c

SHA256
4a5a796adb2887ee122d6f56ee92a013b08bc72755bdd9deba9d33dbd46e4308

SHA512
c2898a66ba6a9961fbdee80ace6287590c8355fd816c105312fb873a62d0245e22d640378d33ade9a5348e3ebb6bcb80b6cd8ef751d020abb85db8c18e422030

Download Submit
C:\Windows\SysWOW64\WFJNKU\AKV.exe

Filesize
463KB

MD5
eb916da4abe4ff314662089013c8f832

SHA1
1e7e611cc6922a2851bcf135806ab51cdb499efa

SHA256
96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

SHA512
d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

Download Submit
C:\Windows\SysWOW64\WFJNKU\OYW.001

Filesize
61KB

MD5
425ff37c76030ca0eb60321eedd4afdd

SHA1
7dde5e9ce5c4057d3db149f323fa43ed29d90e09

SHA256
70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

SHA512
ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

Download Submit
C:\Windows\SysWOW64\WFJNKU\OYW.002

Filesize
43KB

MD5
12fb4f589942682a478b7c7881dfcba2

SHA1
a3d490c6cda965708a1ff6a0dc4e88037e0d6336

SHA256
4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

SHA512
dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

Download Submit
C:\Windows\SysWOW64\WFJNKU\OYW.004

Filesize
1KB

MD5
077507046dd1ad58ef1ac45b880170fa

SHA1
44c169d656e604c5396c489b0f9a8dcd15a8311d

SHA256
cd07d4bb5ced7d13955caad219f76f492486b78554a15ee3009889d19dcf375b

SHA512
a77f4c040072420211ef7b9fa016065f3ff407867ea3956e56afa21df75199d5e21c396824d0f35dd326e19b4e5d0f2605a58f10ea8b48179d9c56478962b8fb

Download Submit
\Windows\SysWOW64\WFJNKU\OYW.exe

Filesize
1.5MB

MD5
f8530f0dfe90c7c1e20239b0a7643041

SHA1
3e0208ab84b8444a69c8d62ad0b81c4186395802

SHA256
734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

SHA512
5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

Download Submit
memory/1672-16-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1672-23-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1680-20-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/2808-21-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads