ardamax | ea856536cefde9ab373b1b47ed8f99648c758af7481aabbf516d78e89e13469d

General

Target

720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
Size

619KB
MD5

720dc8dc0fd07fe46ca5b4a737dd7b0c
SHA1

60991bb5c57b2273edf5a73acc55f83c92e4b1d4
SHA256

ea856536cefde9ab373b1b47ed8f99648c758af7481aabbf516d78e89e13469d
SHA512

a86ef98d6512c2e5d2e32267d701ad3dcf025d33c05fa90ed7c838d4d1137f0cc7bcc08bfd6f05eb7110c13004101142e24fb1e4fa92f386612ad390fdca495d
SSDEEP

12288:CnKHhWzSiTC+GwJ9C78A1wG9bIcNCq32TNpMcf9Y01xrTJZRxHXq:7hWzlxHK1webIcDSYoxdx6

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\Sys\HSRD.exe	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

HSRD.exe

pid process

2592 HSRD.exe

pid	process
2592	HSRD.exe

Loads dropped DLL 8 IoCs

Processes:

720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exeHSRD.exeDllHost.exe

pid	process
1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
2592	HSRD.exe
2768	DllHost.exe
2592	HSRD.exe
1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
2768	DllHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HSRD.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSRD Agent = "C:\\Windows\\SysWOW64\\Sys\\HSRD.exe"	HSRD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exeHSRD.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sys\AKV.exe	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys	HSRD.exe
File created	C:\Windows\SysWOW64\Sys\HSRD.001	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HSRD.006	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HSRD.007	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HSRD.exe	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exeHSRD.exeDllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSRD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HSRD.exe

description pid process

Token: 33 2592 HSRD.exe
Token: SeIncBasePriorityPrivilege 2592 HSRD.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2768 DllHost.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

HSRD.exeDllHost.exe

pid process

2592 HSRD.exe
2592 HSRD.exe
2592 HSRD.exe
2592 HSRD.exe
2592 HSRD.exe
2768 DllHost.exe
2768 DllHost.exe

description	pid	process
Token: 33	2592	HSRD.exe
Token: SeIncBasePriorityPrivilege	2592	HSRD.exe

pid	process
2768	DllHost.exe

pid	process
2592	HSRD.exe
2592	HSRD.exe
2592	HSRD.exe
2592	HSRD.exe
2592	HSRD.exe
2768	DllHost.exe
2768	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe

description	pid	process	target process
PID 1292 wrote to memory of 2592	1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe	HSRD.exe
PID 1292 wrote to memory of 2592	1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe	HSRD.exe
PID 1292 wrote to memory of 2592	1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe	HSRD.exe
PID 1292 wrote to memory of 2592	1292	720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe	HSRD.exe

C:\Users\Admin\AppData\Local\Temp\720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\720dc8dc0fd07fe46ca5b4a737dd7b0c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\Sys\HSRD.exe
  "C:\Windows\system32\Sys\HSRD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2592

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\carmel.jpg

Filesize
112KB

MD5
8991676a27e819e106efa1033587f89e

SHA1
15cc865bd0be0055af9df66455b8f61756a6385d

SHA256
0707234773f4d034370a19f9b5bd0c817fc38adcd9f9749d56c200d3c6de5971

SHA512
7533842b3c67f4398c2bac1d01593c958a0a2824827b727efc671b203753559741519055747e0f94cd1c53e93bc94f8d4ec8c06eadfe77b10e6b029eda484734

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
389KB

MD5
fcd92ab43a3ac19ca060a0b4d62ef5f1

SHA1
099cc5f1ec71cc73c23471dcc98543a54e008e2a

SHA256
3dfb79f950f069047d89110fc28fefd9d4856e7112f40bda2ccc0daa0d94b53a

SHA512
d1a317db049cfa16b2b5259d85b22d3fd3563e210a13bdf6d8eee12a665899f77c3b226b252a80ae1b68538dfb8ecf8561f06f428b5dd4ef96c5c8b37aa0bf21

Download Submit
C:\Windows\SysWOW64\Sys\HSRD.001

Filesize
444B

MD5
8732ea77e2251727cd1e4803f85e89d6

SHA1
15a0919c843f1ff8bea6f5f797baf2b4c76a3d20

SHA256
617c1c24cdcb8b75b0328cdccc566f209342da1e4750ad4b31217d384450a5a0

SHA512
b0901832e77ce8866726b6c6c7b8e63da1184fd5c10a49ad04b456d3d68616d546c71081e469bee022c9bf96dee83f1ca8e1d740a2aba906eaad583a9ca5ed7f

Download Submit
C:\Windows\SysWOW64\Sys\HSRD.006

Filesize
7KB

MD5
ab65e5da8d42c6b4e855e82c9696b3ad

SHA1
fb4cb29ee8b5277eaa432b18582c58d8f383b0df

SHA256
5a139a73799eb0c43dc65f4ad5004596751a01f3be7bab1e69a1ee0daaa607a4

SHA512
7d37b9efb2bae212015eb5e55ad11d579b66dfd0d2aa9614b0e225d4b0dedd705bfaabcb9eb887ec2274c812e8a4af587aef4c62ee3d8a73dbf54f15c8aba16a

Download Submit
C:\Windows\SysWOW64\Sys\HSRD.007

Filesize
5KB

MD5
cb619d0de6d26ae77e2ca1766d995272

SHA1
454725f63828e04b10f8e99c5374e86c407665ca

SHA256
ad657781b4e5c666461811fbd4b08ea689dc6953ea5e79f47ca72bdc99789121

SHA512
8bbd39817f3f3ae13dca07c233f1889a08a86e3ba353a455cad3e9a9fee81eda9d91cf20122dfc79725d69f97f5f8b163c97d2b8c38bb53aa4b9f6e32f7f6a59

Download Submit
\Users\Admin\AppData\Local\Temp\@B06B.tmp

Filesize
4KB

MD5
729fe329c303837d61fc42b2120afc00

SHA1
a0bdee5733e4820a7abb630014bba43200d27324

SHA256
ad2d3f261425139733e8f8a28b5b1cd1000d570eec994093efd0dc17fed35fac

SHA512
c61292b1ae57abc3926a0d912ee14ceb7031e5d1f5bde14b62c1cb65894e964e004365d6c8140511aa92bb39b1a09264c2501bb99299007b7bfa9aa58a28f67f

Download Submit
\Windows\SysWOW64\Sys\HSRD.exe

Filesize
476KB

MD5
b306ff9927251c40c34fe6bfef07756b

SHA1
8d6975fc095b7a96393d61a63fb610d71931666a

SHA256
65083234a079905c3b945cb178388dc287c2521ef59817885f1cc2e522a68db7

SHA512
08e633e2d43f13cb748f67378a777cc124f693815f63ed5a3a64ad2ebe11001145a01f83d9d3bddc0f9f590677ee6bcfeabeb5a259b10b426344961e333b3996

Download Submit
memory/1292-28-0x0000000002C20000-0x0000000002C22000-memory.dmp

Filesize
8KB

Download
memory/2592-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2592-35-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2768-29-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2768-31-0x00000000772CF000-0x00000000772D0000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads