ardamax | a7460898a0b55f5f4b8d892767301ea61d88e3925d0021523ed483363f9cf142

General

Target

6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
Size

1.1MB
MD5

6e2e461add2ab4077e204f6de8cc8428
SHA1

44808bb38b5df224fa9ab2ad763d9d1a6f6308ef
SHA256

a7460898a0b55f5f4b8d892767301ea61d88e3925d0021523ed483363f9cf142
SHA512

eff93c2346252fc59064e1dc67158995eb3003188c18449caf207cdd31fb0192256e254997a26722b5ac9ef45caeb14060a23d7633eabfd29aebf0c0c9a93c5a
SSDEEP

24576:K/4EUWxjPeFSUzS74VbIeldUHn8dNysJSnRgSH0lMBdJw:K40jcSUzS74FFoHzslSH0++

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000171a8-32.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2812	JYK.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
2812	JYK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JYK Start = "C:\\Windows\\SysWOW64\\FJMUOI\\JYK.exe"	JYK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FJMUOI\JYK.004	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FJMUOI\JYK.001	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FJMUOI\JYK.002	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FJMUOI\JYK.exe	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FJMUOI\	JYK.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JYK.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2812	JYK.exe
2812	JYK.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2812	JYK.exe
Token: SeIncBasePriorityPrivilege	2812	JYK.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
2812	JYK.exe
2812	JYK.exe
2812	JYK.exe
2812	JYK.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2764	3024	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2812	2764	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2812	2764	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2812	2764	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2812	2764	6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6e2e461add2ab4077e204f6de8cc8428_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\FJMUOI\JYK.exe
    "C:\Windows\system32\FJMUOI\JYK.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FJMUOI\JYK.001

Filesize
61KB

MD5
93c2eac6b4d476a04730266ec1523f8a

SHA1
d53544650a95769d90c89fa90039399cb8d7e054

SHA256
898d4ed4dc6b52db670bf57bd859ae6e1c25230b28a69e7d0e548bae6941cba8

SHA512
9dc516552c08af9600ebabb025bfed1b9a8f16aafbf1cb7530af7254847264399a118a3bbf980e54ad01542fb4c0df55699d207ac44d85bd0eb94067b1a0bae0

Download Submit
C:\Windows\SysWOW64\FJMUOI\JYK.002

Filesize
44KB

MD5
92fc2d978e3dcc66dbbe6ddde516dd75

SHA1
2e31d1a209193872fc7f494274b17f582bb137c0

SHA256
a89bebf2e88c1055b1d38bb715a7efeef93c18d5ec1d32a171ae354ccba4087c

SHA512
50d859f3abaf2d2bcf563a0bf0f47b3be0d1ea0f345fc69f5c9a3635d359798c068e4516803c7b8bd0a61b01b3bb1ece0a4703a278144acfa877311317a959ba

Download Submit
C:\Windows\SysWOW64\FJMUOI\JYK.004

Filesize
1KB

MD5
2cb43a32ba11c3280e46455cb80cc8ef

SHA1
06594be031b8e29122987b6e9a27b27f97fb708b

SHA256
21f92538c8e3ec71d45c000a992db54cea6fd2d8dcb8b1bec03a2205cf3c6c15

SHA512
f9c8610f6d5a53cdc441e9177c9a07541ddd623b324fe5cacc1919d9afd4f566cfcef3afe9ed26652b0fee02a535a5f7092913f4371e7f26ea1560d8be0b55b6

Download Submit
\Windows\SysWOW64\FJMUOI\JYK.exe

Filesize
1.7MB

MD5
851f20b20b52b01ee3e1000c89b47c93

SHA1
f46b94a834d6ba980b096747d725bd975d5d0dbc

SHA256
10b92386e4d23ae4fecbe8f5114bf494cf6012d379a1dd694b5130d5900e7651

SHA512
0eedbd7be28f504c87308552c780b9597d19b9cf220e3995f0d6f351ce21cf2a16f9969d4ed22170151373b5e0c8b9fa62b5b3feb7ecf335606d5d0e7ca6761e

Download Submit
memory/2764-22-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2764-37-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2764-25-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2764-24-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2812-45-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2812-43-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/3024-15-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/3024-4-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/3024-14-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/3024-3-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/3024-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3024-18-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/3024-17-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/3024-16-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/3024-13-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/3024-12-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/3024-5-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/3024-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3024-6-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/3024-7-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3024-11-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/3024-9-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/3024-10-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/3024-8-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/3024-2-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads