ardamax | 6999a7cd0f68e943ae599e847fb923ffc86383a015a2d2d6f8a7d047951cc154

General

Target

ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
Size

181KB
MD5

ad86bab0367ee08b0ec25fd11c9abd24
SHA1

b9b036f357807cf0df196604a121e3187669bbe5
SHA256

6999a7cd0f68e943ae599e847fb923ffc86383a015a2d2d6f8a7d047951cc154
SHA512

3495d3865a560c22ef9475a3cd5e74b5766ee358e58fc65fdde86c99927548d0a8d497d95202988624a136b7cdf14cad94d6b58b56256395370083a3ff78f3f6
SSDEEP

3072:/ONQRnks2NpaHrojQESAOlgpWKFETRj2ymLvsAPyLlgVZgAsbflS25yYGO2JEOWG:HlLoczflg7yTRijLkAPy/NDU25mYWh

Score

10^/10

ardamax discovery keylogger stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015e5b-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2448	NSK.exe
608	FuRiousSP.exe

Loads dropped DLL 8 IoCs

pid	Process
2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
2448	NSK.exe
2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
2448	NSK.exe
608	FuRiousSP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NSK.001	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NSK.006	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NSK.007	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NSK.exe	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/608-32-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x0009000000015eff-30.dat	upx
behavioral1/memory/608-38-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/608-41-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NSK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FuRiousSP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2448	NSK.exe
Token: SeIncBasePriorityPrivilege	2448	NSK.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2448	NSK.exe
2448	NSK.exe
2448	NSK.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2448	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2448	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2448	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2448	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	31
PID 2120 wrote to memory of 608	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	32
PID 2120 wrote to memory of 608	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	32
PID 2120 wrote to memory of 608	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	32
PID 2120 wrote to memory of 608	2120	ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad86bab0367ee08b0ec25fd11c9abd24_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\NSK.exe
  "C:\Windows\system32\NSK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\FuRiousSP.exe
  "C:\Users\Admin\AppData\Local\Temp\FuRiousSP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FuRiousSP.exe

Filesize
37KB

MD5
37218a3e17d6e0316d4161074df5fccc

SHA1
0cb049b9accb1508277c3019b952ae697ddfb4ba

SHA256
3ca76b21d6ffe717d0999f4313f06ea73e0a736a9f0b1bb881eb6381d5a4d17b

SHA512
07cacd77902d9fc21b5cb87f8893b67d06a7ab2dce0161222d08447991379a85e4564ff850d1050a6d99c76f9fd3e2b3814a64afda3a68a08308bfc1b6fef611

Download Submit
C:\Windows\SysWOW64\NSK.001

Filesize
1KB

MD5
d214d1bbe8f71d0f7328bf46fb2476d1

SHA1
e804ca6ae6419928ebc07548d744a47f88ef664e

SHA256
49b623f06c20493efa7962be98e7676a00aaf76c1b3d1c96b7924345be8077ce

SHA512
b30090e1d272cb0f8bb0ee59ff2e7ac89b352cbf0426f4fd2d86b9ac2a172197497b3ce9962f2a2940ac05daec4c0c48b44c895e77cd9eb3356c5c09a4babee9

Download Submit
C:\Windows\SysWOW64\NSK.006

Filesize
4KB

MD5
0868167c8915fb3d87d4e5a775a57ffd

SHA1
5f223134e003382fd8c191a1f4ca94922f1d802e

SHA256
6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

SHA512
d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

Download Submit
\Users\Admin\AppData\Local\Temp\@165E.tmp

Filesize
4KB

MD5
ccfd350414f3804bbb32ddd7eb3f6153

SHA1
e91d270b8481d456a3beabf617ef3379a93f1137

SHA256
1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

SHA512
328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

Download Submit
\Windows\SysWOW64\NSK.007

Filesize
6KB

MD5
5e023770dfb9d9068706facc958c7d66

SHA1
9cf95074a78239da000452362c2167991970e972

SHA256
f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

SHA512
a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

Download Submit
\Windows\SysWOW64\NSK.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit
memory/608-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/608-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/608-41-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/608-40-0x0000000076930000-0x000000007695A000-memory.dmp

Filesize
168KB

Download
memory/2120-29-0x00000000028D0000-0x00000000028E7000-memory.dmp

Filesize
92KB

Download
memory/2120-26-0x00000000028D0000-0x00000000028E7000-memory.dmp

Filesize
92KB

Download
memory/2448-37-0x0000000076930000-0x000000007695A000-memory.dmp

Filesize
168KB

Download
memory/2448-36-0x0000000076931000-0x0000000076932000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing