ardamax | bc5a7972e6052e50bdd90f9354ec544161bfd549b97ac04edd784b9361cfc1de

General

Target

78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
Size

1.1MB
MD5

78a39875a0adb110cf3c7de3a0d1384c
SHA1

005b0e034adefc7f1b9b1817951db843b5451eb1
SHA256

bc5a7972e6052e50bdd90f9354ec544161bfd549b97ac04edd784b9361cfc1de
SHA512

a4ccd748a00f43a7559b624602fc6ced33cc48a2381ff7e56866600fda9a1b021530e5bd67d682170b8d34ded3adbf48d9007199d316b1c9b83827b9f1c74910
SSDEEP

24576:wU/pT7XFrnzP+55U4bASv6XhV8SBptFNrnNHTwXig6Tu6bvmEgP9:xRT7X1nj+rbASv038SBprNrNwXiNTu6G

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000160db-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2796	HNI.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
2796	HNI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HNI Start = "C:\\Windows\\SysWOW64\\MUWOCI\\HNI.exe"	HNI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MUWOCI\HNI.002	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MUWOCI\AKV.exe	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MUWOCI\HNI.exe	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MUWOCI\	HNI.exe
File created	C:\Windows\SysWOW64\MUWOCI\HNI.008	HNI.exe
File opened for modification	C:\Windows\SysWOW64\MUWOCI\HNI.008	HNI.exe
File created	C:\Windows\SysWOW64\MUWOCI\HNI.004	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MUWOCI\HNI.001	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HNI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2796	HNI.exe
Token: SeIncBasePriorityPrivilege	2796	HNI.exe
Token: SeIncBasePriorityPrivilege	2796	HNI.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2796	HNI.exe
2796	HNI.exe
2796	HNI.exe
2796	HNI.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2796	2384	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2796	2384	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2796	2384	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2796	2384	78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe	30
PID 2796 wrote to memory of 584	2796	HNI.exe	32
PID 2796 wrote to memory of 584	2796	HNI.exe	32
PID 2796 wrote to memory of 584	2796	HNI.exe	32
PID 2796 wrote to memory of 584	2796	HNI.exe	32

C:\Users\Admin\AppData\Local\Temp\78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78a39875a0adb110cf3c7de3a0d1384c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\MUWOCI\HNI.exe
  "C:\Windows\system32\MUWOCI\HNI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\MUWOCI\HNI.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MUWOCI\AKV.exe

Filesize
465KB

MD5
4061e424a7e62d613aa16201364593c9

SHA1
84e5f41196523eddd24b62670ec8100632dbc933

SHA256
d39b682a1de3541ce4858727a3206a0fb78d1e070e4dd60fab43c2537d1adfd9

SHA512
3290348c02db1d9125d80b6e240544d51b0805240e113397d85a3fbdf3421172c8dd23e5631525db9258b7eedcdc228df3082041a017c664593eac698773f5fa

Download Submit
C:\Windows\SysWOW64\MUWOCI\HNI.001

Filesize
61KB

MD5
4eb04b9187bbf3e3c33bf95e74eb6262

SHA1
ca5dcaea5ef4ba48c0bb06635c0b5abed4f0f342

SHA256
cf84d5704b350beaf1f2b46dc44bd372141d7554a8958ce22c0a84a3f21f2fe7

SHA512
aeaa608cd4f66ba817a7e8698d17f9801c9cedf99875decff39bc18cebdec3947f02566bdf21d9096e5a6a6b740717ab06d46a2a9605bf8e8fa0fee12fe17e81

Download Submit
C:\Windows\SysWOW64\MUWOCI\HNI.002

Filesize
43KB

MD5
1aed6fee0870288cdb607393fc2f33a1

SHA1
584fd8d5ffbced19dd09b8b71cee9026c0ac65c6

SHA256
02c4eef7045896258d00077e123719aa256c606f4e38c417965ba5f64d48e180

SHA512
15e5b7843b07bcb4a638057b05712c66b285d70ace24ab3a4c125d24d538ace20cfac179accefa417d7790f7a095327affd3cd73d9eacaa632356f95a9fde3b8

Download Submit
C:\Windows\SysWOW64\MUWOCI\HNI.004

Filesize
1KB

MD5
7690a88abc761948e638a6e6f50697ea

SHA1
2dc45f1f25be26ab783d3a201300c1746b145770

SHA256
77f417a2a0f720d3d732fd2586819282b4230fbbf14fa317f413511ee272e1a0

SHA512
8ec1287bdffddad148e6d502b062d78bb16b9ebddfd88bb3e4c88c63cb1f9a821adcc6e55b37a40b795ca08f4d7cbbc0230338cb939ea45c40ac8fda4fae2c43

Download Submit
\Windows\SysWOW64\MUWOCI\HNI.exe

Filesize
1.5MB

MD5
865b02aa4fb68ac150953986e6f63f1c

SHA1
214190642d67f02c349e68f3f3c6ef0e9c2212d7

SHA256
fac58547e80a1b9598261b6d2aa5175653831e507c57b6860bc5d04d2e754dff

SHA512
473dc55a8a8f11d8445cef9cd8cabf8a9b227a6e47994ecfe9c86d41062641668d858e61b7ade1ad2801c5daa13d0630159b7ad241379e111c83564030c0a40e

Download Submit
memory/2796-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2796-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads