ardamax | e9813b538392c27b58741b0bedc381d4681d414596eb33c4a2aed8f4e5bbc723

General

Target

87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
Size

480KB
MD5

87f4271ae8d5c67a7211d57c5e1ff1a2
SHA1

613cf83a84e324b3c04adf44e21f51dedbf5877d
SHA256

e9813b538392c27b58741b0bedc381d4681d414596eb33c4a2aed8f4e5bbc723
SHA512

fd03fa91ad489534654c4d6827c879958dea2e0936586df72b26c65ab59ff3b9eefe1ce71a72d46726578509116310678eecebf2f3204972f312b5d403b81139
SSDEEP

12288:u1QEAPL0LCySQ0Q1JoyTEYwfqEmQZ1uxrSgtgXq4peHb7gR77:BEAT0izfdnfqEvTuxTd77Yv

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\Sys32\JNKW.exe	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

JNKW.exe

pid process

1900 JNKW.exe

pid	process
1900	JNKW.exe

Loads dropped DLL 5 IoCs

Processes:

87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exeJNKW.exe

pid	process
2132	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
2132	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
2132	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
1900	JNKW.exe
1900	JNKW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

JNKW.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JNKW Agent = "C:\\Windows\\SysWOW64\\Sys32\\JNKW.exe"	JNKW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

Processes:

87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exeJNKW.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sys32\JNKW.001	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\JNKW.006	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\JNKW.007	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\JNKW.exe	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	JNKW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exeJNKW.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JNKW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

JNKW.exe

description pid process

Token: 33 1900 JNKW.exe
Token: SeIncBasePriorityPrivilege 1900 JNKW.exe
Token: SeIncBasePriorityPrivilege 1900 JNKW.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

JNKW.exe

pid process

1900 JNKW.exe
1900 JNKW.exe
1900 JNKW.exe
1900 JNKW.exe
1900 JNKW.exe

description	pid	process
Token: 33	1900	JNKW.exe
Token: SeIncBasePriorityPrivilege	1900	JNKW.exe
Token: SeIncBasePriorityPrivilege	1900	JNKW.exe

pid	process
1900	JNKW.exe
1900	JNKW.exe
1900	JNKW.exe
1900	JNKW.exe
1900	JNKW.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exeJNKW.exe

description	pid	process	target process
PID 2132 wrote to memory of 1900	2132	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe	JNKW.exe
PID 2132 wrote to memory of 1900	2132	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe	JNKW.exe
PID 2132 wrote to memory of 1900	2132	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe	JNKW.exe
PID 2132 wrote to memory of 1900	2132	87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe	JNKW.exe
PID 1900 wrote to memory of 2332	1900	JNKW.exe	cmd.exe
PID 1900 wrote to memory of 2332	1900	JNKW.exe	cmd.exe
PID 1900 wrote to memory of 2332	1900	JNKW.exe	cmd.exe
PID 1900 wrote to memory of 2332	1900	JNKW.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87f4271ae8d5c67a7211d57c5e1ff1a2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\Sys32\JNKW.exe
  "C:\Windows\system32\Sys32\JNKW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\JNKW.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
75e14e922eeea4674c45a00335c28777

SHA1
f3268f7a91e0cef3ac1b03877daa694655e79fa1

SHA256
e103b85edbafbacc8e4ac50378ee4812b68ceccd2b6f2066243ac03674030f68

SHA512
b2c5e09c041bc235bf1be0a808c92dc5b8256447be95a0fb4bcfe9160123c63d14a4979eea28f5286a0f3f354c59f032c9a24586dfb7067150dae7339314f6fa

Download Submit
C:\Windows\SysWOW64\Sys32\JNKW.001

Filesize
536B

MD5
5ec6050d273da18b39bdb9f33cae5bc3

SHA1
9b20dfbb24b0adc7c30ec7cceffb373de6141ef4

SHA256
7b2801e8677f1615edd005b6a1e77e843fab84b2779e226eb1de82cedeb92aae

SHA512
fad7de77bdea94c31bb871380c558e72adf2e8bae5782d0978d0b2fa2cb54cc23747b6b677ea2b496457fac0d5be863fbaf09c5d09f5aac3ff79a98cd0322d20

Download Submit
C:\Windows\SysWOW64\Sys32\JNKW.006

Filesize
7KB

MD5
5001bd93dc919785a830ab883eefb04e

SHA1
eb4e7b7d42bf4669c1f011fcd0119012cfb957c0

SHA256
2027d2ecaa78d0ffdd4234ce531be60f230b8258ae6c001af587f6d73dba771c

SHA512
20f6a8fa9e2188aa29d101100edae17d77b4983f3e1dd4696c6fbcd47ef0bbcce392a0733c330dd7a707b0f5bb92720f684b04cdd8c0f1a0b186012001c477d8

Download Submit
C:\Windows\SysWOW64\Sys32\JNKW.007

Filesize
5KB

MD5
00c2e21155375b96338bf76afea81546

SHA1
9ec87a26f5a48db97c05b2e3990aedec0adaa999

SHA256
6f3c20f654f2f4aee0752b95d72d9f46ebf467422611b30e9baa5ad1d21a4534

SHA512
cbaf2efa919def1d351de8ad8b1e30af4bb754db833019f9d998f1c78a844b933b18c41e8764edd1632be2076fd23cd7f302cfaf3f8ed6538bc90db178db422a

Download Submit
\Users\Admin\AppData\Local\Temp\@A370.tmp

Filesize
4KB

MD5
74ff002e34aadbe8a9f7d88d2532c5d5

SHA1
3c11c399973d2db9a94ad7a089870d026c8c859d

SHA256
57d3fc3ef8934afd806d28d705c05637c0bd2d64b91a1a3e87e9bfbbf95f6e8e

SHA512
704c6520a7c89e6432776ad31c3334d22db390474c141974fc189c03b84e4618a35707f70f7ab7337bb63775a3cc04c2f70e88d9e3f921cf9ab2116305ed1bde

Download Submit
\Windows\SysWOW64\Sys32\JNKW.exe

Filesize
476KB

MD5
63ea07b550f22b1f5d5d6897f4d92894

SHA1
8107c9115d45c7857534f0e0b2d9837304f009f2

SHA256
729269e2ce40465fa2b512e2dfea0da818a2972070ae6fa57c92893a1276ea01

SHA512
c094235f36a1ecf1ce9082a22d34d33153595c91c941fb1e1bd9d3903e2142e6e7603db184dc19248258027e0b8377aa13f523b84a98c74c5645cd3e3c2cdf8c

Download Submit
memory/1900-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1900-27-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads