ardamax | 803cadabc649c4a225fb0176a93e265a1ec4ca97a0b20a545087a2755dfd89f2

General

Target

7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
Size

163KB
MD5

7b3b6d0f461c023b5e98b7fc0c3945a1
SHA1

e39af91eb316b1053ded0978d6366976e54e5892
SHA256

803cadabc649c4a225fb0176a93e265a1ec4ca97a0b20a545087a2755dfd89f2
SHA512

371271c376a6b567fcb38b19bb30479599cb1dc31260b6faca50cf3ae90b87d00a037ff01200d1c70dc65016c5042dbde6468e7175f982779172463aaec43477
SSDEEP

3072:LCNmpyGkNdVux3lCi/BTrN5fmQczJrORqRjetDcnUvUgIk4Tj:kmpyGkNqdRrfmdJ/9GYnpk4Tj

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\system32.exe	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

system32.exe

pid process

2060 system32.exe

pid	process
2060	system32.exe

Loads dropped DLL 3 IoCs

Processes:

7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe

pid	process
2872	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
2872	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
2872	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

system32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Windows\\SysWOW64\\system32.exe"	system32.exe

Drops file in System32 directory 5 IoCs

Processes:

7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exesystem32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\system32.001	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system32.006	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system32.007	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system32.exe	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\system32.001	system32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exesystem32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe

description	pid	process	target process
PID 2872 wrote to memory of 2060	2872	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe	system32.exe
PID 2872 wrote to memory of 2060	2872	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe	system32.exe
PID 2872 wrote to memory of 2060	2872	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe	system32.exe
PID 2872 wrote to memory of 2060	2872	7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe	system32.exe

C:\Users\Admin\AppData\Local\Temp\7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b3b6d0f461c023b5e98b7fc0c3945a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\system32.exe
  "C:\Windows\system32\system32.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system32.001

Filesize
2KB

MD5
971b7ea62dd8f6305c8fac47dd60b8f3

SHA1
9bc950078ef82fa02358250e4b264546ba1f8625

SHA256
d3b79fc2c937d59459b2ab6ea28574b46c5c4c8879ce9cf70426f4375b606cda

SHA512
b491a627af210d3dc0771571adc0522f03eedebf34b6a7f5238df9e8a3e528a504833aad1c4b95cb1dd01ad6e75f43c3efe9719640815189c629e2467f2fba95

Download Submit
C:\Windows\SysWOW64\system32.exe

Filesize
274KB

MD5
c33abe6c3c8b935fa45226c1467e78c4

SHA1
634f54548daafc9258fc211c65e26406f66de201

SHA256
7975addf3af8ce986baaa5b977f5539653738f93444e1562ec9fce453dd1d371

SHA512
d08ebc621436057a549ea7f38047b6fd09b466ae01efc56928f7b7a9b80243831139a838f02de0a46b8866241a2f04b2ae1053e09b89ee973d8c49b87f9d14b1

Download Submit
\Users\Admin\AppData\Local\Temp\@315D.tmp

Filesize
4KB

MD5
45d47de748454b62b019b1deb97b9263

SHA1
159af46897bc8b3beb9df9900ec4ee4f62e84e61

SHA256
8a606741d8dd0fb17a6f4ec49b31c410e52de207bde429df1cbf6b50c5c6c051

SHA512
31934d4e14bc7314551c8ae9a87cc31afe0fceadb13b9e6ecc40c7180530f6f1a932c05d426284b24a5f00ef96f50a821b132710cdf0feb856e112d6446caaa8

Download Submit
memory/2060-19-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads