ardamax | ceaeb3ebae2d64b7b476f5c6bdec6f1c93c5fed833f4ab30c1a17e542063f2c1

General

Target

662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
Size

787KB
MD5

662417b46493c6ddadbcec43ffd0c5c8
SHA1

b151d91665fe8b639839ca440f7cfdd7182ebfca
SHA256

ceaeb3ebae2d64b7b476f5c6bdec6f1c93c5fed833f4ab30c1a17e542063f2c1
SHA512

20cb222eead9c09c3ff3c9c4f14c93fce96272ae6e28511540854a7631a511b9e67e0ce6e0d48e6dc511c0e39870b6bb49b2a3710ff762ee8923b8cc70f89f28
SSDEEP

24576:hL/MMpnaSWJeAtg08kBESyi+BJYA5ufOyE:hwiazJJre9BKY

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Sys32\CRNQ.exe	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

CRNQ.exe

pid process

2520 CRNQ.exe

pid	process
2520	CRNQ.exe

Loads dropped DLL 8 IoCs

Processes:

662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exeCRNQ.exeDllHost.exe

pid	process
2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
2520	CRNQ.exe
2520	CRNQ.exe
2816	DllHost.exe
2816	DllHost.exe
2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CRNQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CRNQ Agent = "C:\\Windows\\SysWOW64\\Sys32\\CRNQ.exe"	CRNQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exeCRNQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sys32\CRNQ.exe	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	CRNQ.exe
File created	C:\Windows\SysWOW64\Sys32\CRNQ.001	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\CRNQ.006	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\CRNQ.007	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DllHost.exe662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exeCRNQ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRNQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CRNQ.exe

description pid process

Token: 33 2520 CRNQ.exe
Token: SeIncBasePriorityPrivilege 2520 CRNQ.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2816 DllHost.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

CRNQ.exeDllHost.exe

pid process

2520 CRNQ.exe
2520 CRNQ.exe
2520 CRNQ.exe
2520 CRNQ.exe
2520 CRNQ.exe
2816 DllHost.exe
2816 DllHost.exe

description	pid	process
Token: 33	2520	CRNQ.exe
Token: SeIncBasePriorityPrivilege	2520	CRNQ.exe

pid	process
2816	DllHost.exe

pid	process
2520	CRNQ.exe
2520	CRNQ.exe
2520	CRNQ.exe
2520	CRNQ.exe
2520	CRNQ.exe
2816	DllHost.exe
2816	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe

description	pid	process	target process
PID 2160 wrote to memory of 2520	2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe	CRNQ.exe
PID 2160 wrote to memory of 2520	2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe	CRNQ.exe
PID 2160 wrote to memory of 2520	2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe	CRNQ.exe
PID 2160 wrote to memory of 2520	2160	662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe	CRNQ.exe

C:\Users\Admin\AppData\Local\Temp\662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\662417b46493c6ddadbcec43ffd0c5c8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Sys32\CRNQ.exe
  "C:\Windows\system32\Sys32\CRNQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2520

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\untitled.bmp

Filesize
560KB

MD5
55dd0223531e402e2a63aeeaf37601a1

SHA1
99a463d4973ce184914a64f90cafc1d13f6e3b08

SHA256
d5e7f337eca4ed4a62a740a4c2d01a443d35d9bfd3dfd2327c986afa3e2864fa

SHA512
4fbe2dd432feb0f3d2317456c8cf1eb1b8e78f5f16a9438b06b52a45c2cabc684f38db03a4c4596693faf975803bcbcc3bde069448771001088a97dc9a67a8e7

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
0a4d2002c7355a6c0d8e846fe02e7e89

SHA1
cc1bf70d3d718d3d3dc1b43405d36285933feac7

SHA256
be2cc3bda4c0e231ebae65a7c79ed1313d422e5fb2f871330080f8ca1792e455

SHA512
9e229232bbc8e4faa0ea63e1069000c2e1582a5d7b72abb5535b003d339a0984b08a34a86b36e17dad61277f0456fe98fab2dbcd2db493feee927892ef7cba57

Download Submit
C:\Windows\SysWOW64\Sys32\CRNQ.001

Filesize
486B

MD5
07d95812b7382c7cb4feb4866f8e20c6

SHA1
bb975979ebde3c08c4b6dee13c3809f7c708c725

SHA256
665f0b45be3e704f9af97a4cf3238d28f64c49b8d81a622447722b95cf4f7522

SHA512
d2a8b1b3b91603bcf6efd6767860ffcc5ad788a4faf4325b1efc4743cc70e3888688ae0537c98bc17784bfe7fc9eb8571a42e74d73e676879fe96e31a17ef34c

Download Submit
C:\Windows\SysWOW64\Sys32\CRNQ.006

Filesize
7KB

MD5
8013928e1446be1b8e77ca35211fd17e

SHA1
c03a6c0516d1763bacc4da535383d3b4ddb506c3

SHA256
d82bb0b7a29a9500a79e52b2ea84ea244f250cc7ff25174aa4ed5826d6b9c828

SHA512
d5e55bb8dda7f44918bafb16098d39e363237053f84377d5d591d9010b0f14a6eb2260f9dd356e32e133ab2a42c1debed0424fbe7de932d8d363ac8a09a7660f

Download Submit
C:\Windows\SysWOW64\Sys32\CRNQ.007

Filesize
5KB

MD5
bb3520f108916b0967e74a9167b44925

SHA1
29dd637355ec7d38955af75775a72ac32903d40c

SHA256
f9be7b7c760a59f4d98213f4f80d45e405d1d0ac564d4f880ec820da178d45e5

SHA512
7700bf7e8fd15df753bc83b8e243e4b62095824b8bea3f40d7213a5c6307f17d9fbab2f6c737e19ede5330539014ba6c583b25bd2d58b05f05f23683affe1d53

Download Submit
C:\Windows\SysWOW64\Sys32\CRNQ.exe

Filesize
475KB

MD5
3d9eaf31ec5138624f1cf21706264bd6

SHA1
f2c397f042c38862034333ed3c142a54896e0305

SHA256
17c47ecc3481cb85c0336e7bd58f141f54fa1bbe604892c41d3e6a1945b43811

SHA512
a849c329950bb015cc32624968c39c9f3f70fb37500e0292bbccb79a6413d4088d68d481e3c8c2ac0b8975b885387abe581d597892d906e357ac573c3525ed9e

Download Submit
\Users\Admin\AppData\Local\Temp\@B348.tmp

Filesize
3KB

MD5
2faa832b62991d302b56093477a76363

SHA1
2a26e0173a78c9c106ea799cce92ea163b44a345

SHA256
a2076664d1267efa8b69a307b0cbde8521631f2789e06f5caa96799e7f34de48

SHA512
20da18fb1350a441517498a1efeae9a21ead7592f9cdae724973c58385765100a2de5651fa991cdcc4668be777fe26bfba969dbc9706f16a54f5be258a84f347

Download Submit
memory/2160-31-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/2520-33-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2520-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2816-29-0x000000007724F000-0x0000000077250000-memory.dmp

Filesize
4KB

Download
memory/2816-27-0x000000007724F000-0x0000000077250000-memory.dmp

Filesize
4KB

Download
memory/2816-32-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads