ardamax | ce3a44c2e4e03c465ea022d6b8b28b680088d0dcf899934da94da894eae42750

General

Target

a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
Size

494KB
MD5

a2a5e09f8ab3e116a51e1e6b968e1ec9
SHA1

3df06912a734a1a883b558e926ac478499be59aa
SHA256

ce3a44c2e4e03c465ea022d6b8b28b680088d0dcf899934da94da894eae42750
SHA512

23f39124321faf71830823051c7ccda43332dc05cd5a11244e98ae5dc157ac129335e72bf42b2b5e450f61472c6917d5b8e6d520148ef8b00ded6b4c75655028
SSDEEP

12288:RbezHjnVySxaWOIxZESa4NbZEAahLn53xWQc6qt9N:wntZrxJa4nol3xWQc6qtz

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016ea4-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1712	AUFP.exe

Loads dropped DLL 8 IoCs

pid	Process
2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
1712	AUFP.exe
1740	DllHost.exe
2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
1712	AUFP.exe
1740	DllHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AUFP Agent = "C:\\Windows\\SysWOW64\\Sys32\\AUFP.exe"	AUFP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\AUFP.006	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AUFP.007	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AUFP.exe	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	AUFP.exe
File created	C:\Windows\SysWOW64\Sys32\AUFP.001	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUFP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1712	AUFP.exe
Token: SeIncBasePriorityPrivilege	1712	AUFP.exe
Token: SeIncBasePriorityPrivilege	1712	AUFP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1740	DllHost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1712	AUFP.exe
1712	AUFP.exe
1712	AUFP.exe
1712	AUFP.exe
1712	AUFP.exe
1740	DllHost.exe
1740	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1712	2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1712	2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1712	2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1712	2068	a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2360	1712	AUFP.exe	33
PID 1712 wrote to memory of 2360	1712	AUFP.exe	33
PID 1712 wrote to memory of 2360	1712	AUFP.exe	33
PID 1712 wrote to memory of 2360	1712	AUFP.exe	33

C:\Users\Admin\AppData\Local\Temp\a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2a5e09f8ab3e116a51e1e6b968e1ec9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\Sys32\AUFP.exe
  "C:\Windows\system32\Sys32\AUFP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\AUFP.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\P2K.jpg

Filesize
27KB

MD5
fd3740a2eff7c52711ab0c0d24679f36

SHA1
fdb47235d09c8d6ca62a86417baad55d4d6fdf4e

SHA256
cb9ce1811d72d2622131005f34e3bd41a6ef71bce248e64216bd69e9312765a5

SHA512
65de09aebf1c97d7390498f383175348f131583fe232c7c730b071626d383ca56764af07ed53fc51edc39363ce87823dba9bc1fa7a324d7938b1d2bba175f718

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
40f15729e871733ee4e3b526a72f0725

SHA1
43f4f1bb97a6e722ec796027aebd219199136833

SHA256
4ab6592bff060a990b7820e9ee412b4318fb47e85eb01c069fa797399991b472

SHA512
0f8b4bb24813334941d8cdcf137bdc7f4904648b97e5b92c448c053005a29d63c5ddfc6a7fdf1d3a7c1185b8c9dea15d13668bad963b651df6088dcfc32b7967

Download Submit
C:\Windows\SysWOW64\Sys32\AUFP.001

Filesize
390B

MD5
41c04f9466c6d2d50a640fe34033bee8

SHA1
e0d60726ea3953f0223039d36ae9d2317b61aca2

SHA256
2adba05a9143a08bba7cb48114947b6fde23bf4d1d19942a3fc32e28ae3bf95c

SHA512
9dc17a0d90fb1e4dac6af029996b154f1054a4a01f20ea70f7f7a99998c937234a85395388a88f64c228c6cc982d839fd53bf6e0f8752ee04c2e70d0dc0a30f9

Download Submit
C:\Windows\SysWOW64\Sys32\AUFP.006

Filesize
7KB

MD5
489d664845e0e001de7e6a87fb355366

SHA1
c0b339c9b8d18dad3b6f425b0eba2833ed313202

SHA256
aab3b216ae3c1415739d487c3d6df9af2b5d055959c289cd803e872b835d55fd

SHA512
7e403f33d0717a3e30664f9702de589c8065690dc423cf69245122e96db346c8112ed15ba53d6ab26c538a1fea9e63dd29a01e2f18be8c1ad439a5466d066be3

Download Submit
C:\Windows\SysWOW64\Sys32\AUFP.007

Filesize
5KB

MD5
8148ef191adcb3a30fbf777b1642dd06

SHA1
79027d2c6b2b14da631a133eeba2a0a102914e39

SHA256
ce5f8b7b0c338711fbc5359ed79c12139c6cdce2a5cdbb53797287800239c2e0

SHA512
8b285260652ce586fc4c8dd8ab26f726634fd50208e9278767461c37f9f4d98857a867322e312ee3b5bcbb9b33d9ff9cb055af7ec9318c2419244c2efcbb2153

Download Submit
\Users\Admin\AppData\Local\Temp\@CBE7.tmp

Filesize
3KB

MD5
1af114b264a783148f112ae8a4392450

SHA1
bf5493d1c7794cc9e44f219a5038990215494fd4

SHA256
3071cfecb4af30dbfef855370ed538f332338c35b5f6d5d14045c144796f7ff9

SHA512
b9c833cca0adfad35cbe4392b170cb4820c50874f7b6cf1717a67007c95878e1980c2cbd283ffa671feec0c8794ac229551c5f0b38700d932840a7073f562355

Download Submit
\Windows\SysWOW64\Sys32\AUFP.exe

Filesize
475KB

MD5
f7f2f0d8ed270a51c6bce37645b0e8dc

SHA1
3f48aff739c3add1bd951e28c4d11ec24e345adf

SHA256
fa0921f68dec9797bff50e5f3e466c01702eeeff254070c1705ced427edc725b

SHA512
a9c948ad52df9cd83cb4972938b1e1a1751e316d61303eb571ea47e3175d823545ec15951701173f40f1577cc644d1f612e477376730a5fb5d375f2683cc9092

Download Submit
memory/1712-23-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1712-34-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1740-28-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2068-27-0x0000000002BE0000-0x0000000002BE2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.