ardamax | bcdd8253acad7e3c700c5731562757bbb6bf2ab1cdc6b017f7eeb2f9d08b1c1e

General

Target

9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
Size

202KB
MD5

9268d5734eeba88a56547bc5d7f6034a
SHA1

66e053262d241698f2c611203fd1697f8837d806
SHA256

bcdd8253acad7e3c700c5731562757bbb6bf2ab1cdc6b017f7eeb2f9d08b1c1e
SHA512

8a6fd5938c8a5f3ba8bc1a8c5a14148a1ed351c6d2b9f2365d686045cb8a8309cec87ff036fd67d970fabaf002a186033924782a807e0598c7967d692f5eb29e
SSDEEP

6144:BmpyGoO2g8XQRMzzRrWvLqdTXSG1YVDmdIZxN6t:B3gRMzxWvLq4G18Xz6t

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00070000000190c6-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

NIH.exe

pid	Process
1932	NIH.exe

Loads dropped DLL 5 IoCs

Processes:

9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exeNIH.exe

pid	Process
2104	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
2104	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
2104	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
1932	NIH.exe
1932	NIH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\NIH.exe	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIH.001	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIH.006	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIH.007	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

NIH.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NIH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exeNIH.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NIH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NIH.exe

description	pid	Process
Token: 33	1932	NIH.exe
Token: SeIncBasePriorityPrivilege	1932	NIH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

NIH.exe

pid	Process
1932	NIH.exe
1932	NIH.exe
1932	NIH.exe
1932	NIH.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2104 wrote to memory of 1932	2104	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe	30
PID 2104 wrote to memory of 1932	2104	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe	30
PID 2104 wrote to memory of 1932	2104	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe	30
PID 2104 wrote to memory of 1932	2104	9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9268d5734eeba88a56547bc5d7f6034a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\NIH.exe
  "C:\Windows\system32\NIH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NIH.001

Filesize
2KB

MD5
0230f432bc8e345d53965fce1fc78a5d

SHA1
fa2e5cc7e7ce41c73e7bdb2e7c354a3fe3ef2a2a

SHA256
8a1b706aa5dde542e6dcbe562a4d37513779f8c9b32ee17e040d232b594c9b4f

SHA512
0c6044b85424994e7130ff8d4b5ed0c2ffde827e28bc63068957a0719cf651bcfabae9c0d250e8c24f6d32fa81ff88d8388e39f6ba6251e0ac67984983609615

Download Submit
C:\Windows\SysWOW64\NIH.006

Filesize
5KB

MD5
e98ae645054f00269eaad44b95c4e37c

SHA1
59bcfb291cb15f521e6e5982c12913052b5755b1

SHA256
028e4ef0ed6a7d9792ad2694c56b41ba247e72ef690089142c47bb6e1a693221

SHA512
ae4b1316c9785623944a0bc1884648f1382f3f8fb494927e7c872a72b0786fb5a1d090ebc2d5e468b91c8eef7663b43f73be4a1f65f7d8dd9bdaa6dfc694a35e

Download Submit
C:\Windows\SysWOW64\NIH.007

Filesize
4KB

MD5
ea32497496dd6b80be1c47fe5fac1fcf

SHA1
2bf9bee8e0f83b6785188a91047695ebcdf342da

SHA256
370a94fec91220668a370c2dcd0d2ac10c3f0a1d1befc7fee50db6f5e0b99676

SHA512
353d11071b695fe23080bc6d5cb5dc557b59b152b42921daec6f4124f9e8bb58555ac30c5ec96dae31871ff3d2416e91690b5f862d4feb5e7b038a996c8a1ff3

Download Submit
\Users\Admin\AppData\Local\Temp\@C7B2.tmp

Filesize
4KB

MD5
3e52aef4a9e1bbf25dc611e0f5c45934

SHA1
91862bee5ac57eb719cf9bc14c69f9ef5affcbbf

SHA256
1b881b4299a8555f785088bd0e1b6969e76dc470f1f67429678a678c5f8b349d

SHA512
e4bc9fab4d1c555a896936927ff5866634885401a41f2eade5a976311dad3cdc40c0c7229c61925a8b32ae7b69c4c99537dc10baf292375a82a885a7a908a807

Download Submit
\Windows\SysWOW64\NIH.exe

Filesize
295KB

MD5
decf3769c920a9b642f56e24933cdf81

SHA1
930ddaf6b310fa2b3569580ff671e91d80b8b11b

SHA256
46a451f14816a0dc46d392158d1507f5806fe76e9fc9f0080d00d0b3dd26183b

SHA512
2807345e5ae0438c0bd41c3d0b6b09e3d1c04d0397e5e990d614125a14b6100de3c3f5bebab168f5654d6823eef5dbfd5a878aa0de64eec13bb546c8c32b8cb2

Download Submit
memory/1932-19-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-24-0x00000000777AF000-0x00000000777B0000-memory.dmp

Filesize
4KB

Download
memory/1932-25-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads