ardamax | 9ed1bd70a534d7389b8a03d94eb0c23da123e367629509dc97a40f3b63ca2a2b

General

Target

7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
Size

572KB
MD5

7243d2dd2c6160ce5ce29cfd5161b826
SHA1

5d7701e0b1e3aef3ba950bc31585df418373ff64
SHA256

9ed1bd70a534d7389b8a03d94eb0c23da123e367629509dc97a40f3b63ca2a2b
SHA512

92adceb9141b717e43ed8ae2fddf7b1a3e7dba2ae13cf9bcec027885197c1f40ba0026faa52741bc9572a3a8b3ea83bce1766bbdaef17871de4954bca56ebb59
SSDEEP

6144:9ov67XgTTSjN81oqYcTq4A28FPzCsVyUhn8aZyMy1NT1lD1Hr0vuJ:yvTW8ppq4AZCsVphnzUM41LEuJ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016dc8-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2680	JLUW.exe

Loads dropped DLL 7 IoCs

pid	Process
2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
2680	JLUW.exe
2680	JLUW.exe
2896	AcroRd32.exe
2896	AcroRd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JLUW Agent = "C:\\Windows\\SysWOW64\\28463\\JLUW.exe"	JLUW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\JLUW.006	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\JLUW.007	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\JLUW.exe	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	JLUW.exe
File created	C:\Windows\SysWOW64\28463\JLUW.001	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JLUW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2680	JLUW.exe
Token: SeIncBasePriorityPrivilege	2680	JLUW.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2680	JLUW.exe
2680	JLUW.exe
2680	JLUW.exe
2680	JLUW.exe
2680	JLUW.exe
2896	AcroRd32.exe
2896	AcroRd32.exe
2896	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2680	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	28
PID 2296 wrote to memory of 2680	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	28
PID 2296 wrote to memory of 2680	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	28
PID 2296 wrote to memory of 2680	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	28
PID 2296 wrote to memory of 2896	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	29
PID 2296 wrote to memory of 2896	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	29
PID 2296 wrote to memory of 2896	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	29
PID 2296 wrote to memory of 2896	2296	7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\28463\JLUW.exe
  "C:\Windows\system32\28463\JLUW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2680
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FortyMistakesMenMakeDuringSex.pdf"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FortyMistakesMenMakeDuringSex.pdf

Filesize
20KB

MD5
1bb4c745f5918abcc66d3302cdeb025f

SHA1
55b25bca8054c01ab5768af5f61d70a0669c5e94

SHA256
4c7bf01a3a1599875961eb513f644efc3b9adf379fb8965c7fbad9fb15978c97

SHA512
7baed4b35c504e0dab794659e42f12e1c7022c7db86c08a7336d8cebb9a3667f5a7fb6557144760f6806a0783abc395f11cad88d33b408ee16af23f554594afd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
72fdf205f5afcfebe231cb3f6d78dca4

SHA1
11fc565b413c23efd14efc4046c5787269a855de

SHA256
7c0e1b9f3b50b28122c625e35520371b3ec30240ccf3d2e1ed3fa59a903cfd20

SHA512
891fe3f01054daf08483e46f74baab0e1fddaf5815fdb3478a44afb3be5f3edb923aa7a277133a67233dce30e8c435fe7b44734b19673674db274cc03ff42015

Download Submit
C:\Windows\SysWOW64\28463\JLUW.001

Filesize
454B

MD5
6bc1557a87952b4b59f6323a75700d3c

SHA1
3f0f6cce5e604d785344c978d9cb8088e45d54e9

SHA256
7b159c4485e83f94a0433dd141fcfac7f8eb7879c00da83089f37d63b499aa18

SHA512
ece0d7a4abafc8316e9de19070f76222803eede7f1c1e49a36be766ee61ade6b9ee60c99755a15f80ecee7d9913af64c428bba2816b94ee5f969f3482da0552f

Download Submit
C:\Windows\SysWOW64\28463\JLUW.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
C:\Windows\SysWOW64\28463\JLUW.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
\Users\Admin\AppData\Local\Temp\@6EAB.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
\Windows\SysWOW64\28463\JLUW.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
memory/2680-23-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2680-47-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads