ardamax | 11c9cb9bbd091436fb485626d94f0e8098533d4a96358fb3bf15e763e68de9bd

General

Target

d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
Size

385KB
MD5

d1ddf3043d7e818ecdc49a916bcca0ec
SHA1

7cb2cfe49c16f75b97ecae782dba897e02f87cc5
SHA256

11c9cb9bbd091436fb485626d94f0e8098533d4a96358fb3bf15e763e68de9bd
SHA512

81f8475aa7cd555a4455cd74c4cf59a6f75234eb93680e1046fa2fc6701914bc19718f5e4ac7264654bdfb3b3f47def484a82c207a382c5d1fe0dbf18af55bbf
SSDEEP

6144:YAHNj9eotSOL0xB1vNGcDc768ytK1RcTCXiC6+ywakKd2dIFmJEY6DV:YANGxNNc7rD1KTPznQdIwEV

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016de0-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2268	NSK.exe
2916	TTaimbot unpatched.exe

Loads dropped DLL 7 IoCs

pid	Process
2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
2916	TTaimbot unpatched.exe
2916	TTaimbot unpatched.exe
2916	TTaimbot unpatched.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NSK = "C:\\Windows\\SysWOW64\\NSK.exe"	NSK.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NSK.001	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NSK.006	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NSK.007	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NSK.exe	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svkp2.dll	TTaimbot unpatched.exe
File created	C:\Windows\SysWOW64\ispn2.dll	TTaimbot unpatched.exe
File opened for modification	C:\Windows\SysWOW64\NSK.001	NSK.exe
File created	C:\Windows\SysWOW64\SVKP.sys	TTaimbot unpatched.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TTaimbot unpatched.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2268	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2268	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2268	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2268	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2916	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2916	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2916	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2916	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2916	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2916	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2916	2784	d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1ddf3043d7e818ecdc49a916bcca0ec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\NSK.exe
  "C:\Windows\system32\NSK.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe
  "C:\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NSK.001

Filesize
1KB

MD5
1629ed2fe828bc2480af878053772c5e

SHA1
22c254d5f3f889732ee766199ecbfc4300575b9c

SHA256
2af1d9c3da29d64c6275608693e52ccc949d3e442b6c646dfb525c81e281564a

SHA512
25ce7f73d6ec8d3255c96d2b366893ab2736d6496d3dc9f77cb9f2f1412badbe9c588149882e87d144fcb6b2f7d1453f9a10af7710df63264fcd1e30475f0692

Download Submit
\Users\Admin\AppData\Local\Temp\@6E4D.tmp

Filesize
4KB

MD5
ccfd350414f3804bbb32ddd7eb3f6153

SHA1
e91d270b8481d456a3beabf617ef3379a93f1137

SHA256
1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

SHA512
328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

Download Submit
\Users\Admin\AppData\Local\Temp\TTaimbot unpatched.exe

Filesize
235KB

MD5
fba2a6d4fdb061ad0069ab811d39d868

SHA1
46bd1a1af3e6a7f8d5fcca320e93082880707a7d

SHA256
3c29c08ea6b529eeb3f47b757646f59f191236d6edfe53dd3174e620a6a09881

SHA512
3635c563856d3927e4dcffb0c7997a76fd8a457e1ea1eb16aea55317080796421fe9582494922806d02a339c4141078cc3f1df42c7a46b8ff4f88f4c5bd4902a

Download Submit
\Windows\SysWOW64\NSK.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit
memory/2784-21-0x00000000028E0000-0x0000000002922000-memory.dmp

Filesize
264KB

Download
memory/2916-30-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2916-31-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2916-32-0x0000000000441000-0x0000000000442000-memory.dmp

Filesize
4KB

Download
memory/2916-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-36-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2916-40-0x0000000000441000-0x0000000000442000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.