ardamax | 3bd530438baa822c20f13c3858b2630a8fc417267a50cd87e51b1f6bc4389045

General

Target

d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
Size

3.5MB
MD5

d3427fd297a83c3cd7cc0117f200ed7e
SHA1

90bf7162b9c91a825598341a4a76cd3b333beebd
SHA256

3bd530438baa822c20f13c3858b2630a8fc417267a50cd87e51b1f6bc4389045
SHA512

3a954af93c20886c0827baea696124cc9c0ec04e28b64e9c77bccfd856381b852e34591c063179c6c1a4703de2123b8e21349e2e7e3b1c0e0cbbc33c22255d07
SSDEEP

49152:TXTXJo5wuKZ7I8PZyFbAxJxgYtTnX6uzIpMzqJbWx6YuAt1ykJmIspS38e3JCP:nK9YZyoxnTjhW5dmFJ5BbYP

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019377-6.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2496	JAU.exe
2256	UpLauncher.exe

Loads dropped DLL 4 IoCs

pid	Process
2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
2496	JAU.exe
2256	UpLauncher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JAU Start = "C:\\Windows\\SysWOW64\\BWFWHY\\JAU.exe"	JAU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BWFWHY\JAU.exe	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\BWFWHY\	JAU.exe
File created	C:\Windows\SysWOW64\BWFWHY\JAU.004	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BWFWHY\JAU.001	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BWFWHY\JAU.002	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BWFWHY\AKV.exe	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpLauncher.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2496	JAU.exe
Token: SeIncBasePriorityPrivilege	2496	JAU.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2496	JAU.exe
2496	JAU.exe
2496	JAU.exe
2496	JAU.exe
2256	UpLauncher.exe
2256	UpLauncher.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2496	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2496	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2496	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2496	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2256	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2256	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2256	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2256	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2256	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2256	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	29
PID 2192 wrote to memory of 2256	2192	d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3427fd297a83c3cd7cc0117f200ed7e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\BWFWHY\JAU.exe
  "C:\Windows\system32\BWFWHY\JAU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\UpLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\UpLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2256

Network

DNS

dl.ak.ankama.com

UpLauncher.exe

Remote address:

8.8.8.8:53

Request

dl.ak.ankama.com

IN A

Response

No results found

8.8.8.8:53

dl.ak.ankama.com

dns

UpLauncher.exe

62 B
140 B
1
1

DNS Request

dl.ak.ankama.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UpLauncher.exe

Filesize
4.7MB

MD5
2d37598a87882977d38453517356648d

SHA1
d2326eb0752311647e0554467995c8c5902c481e

SHA256
4112a7ea3445b41a3b218bfa548778b478f83043654d0d4da13ffb9610dbb58d

SHA512
e4f382736c358aa1ccc6afe61e499bba482184dc7d067f3152645c2d879359d815dc4ee3c359f43d5bf05c8c4a49fe5e35b3c6ed04fc50940afebaa52e66d787

Download Submit
C:\Users\Admin\AppData\Local\Temp\uplauncher.log

Filesize
1KB

MD5
6aa67b7c26e87c2dfcf5ea8929c72135

SHA1
0ad647cfd3d432117de4aaaea3d09fce57cb9ae5

SHA256
2380f759caabac119fee0367357ec52c0accc186e3ad8e03e2cc261e268c1f6d

SHA512
660648ef4e47425cecc39e2c14a31093267cc55b561a4c51b383db623d2ca84dc76a5edebc76ff9efa97d1b03c0ac3ad3839da775c60d6d25aa325918e3308c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uplauncher.log

Filesize
4KB

MD5
c75d5836b1e87b7879f3d2883b00d0b9

SHA1
13eb6f8cc6848ce61ce2156bbfdbe55e15160678

SHA256
8ad0ea23768956f058abf42856dbdb99d9a47296296c146e225ee543e7674ad6

SHA512
4d9b5d9fe74daa79f971320a77831712901f519f7ca09ed126a464febfd3af212be46ef9f85400c3fe8c2e5ef46ef8848db90919330f807adaf493bccd4b81c4

Download Submit
C:\Windows\SysWOW64\BWFWHY\AKV.exe

Filesize
456KB

MD5
a65c554c77c4607a4efdef07b9503fb9

SHA1
4faa215bd772deb3223dac1601972fce2f6c05f1

SHA256
7d32aa95d682ac91df6efa4efc01e5675f69e72fc9821632006111df44e08d7c

SHA512
44be9403aff24e3bdb886a883b7ad8fa06950d969ef1588c4dab43fcc030768d4797fd4ce645ddfe49949d6a97fac5061f2d840ab086b5e43189e5adb441438a

Download Submit
C:\Windows\SysWOW64\BWFWHY\JAU.001

Filesize
61KB

MD5
5901282271c72b6effd11d0ec9c17547

SHA1
729945fc0534bd5203dbe02b2dcdf33d0edb84e1

SHA256
395e86709d918c7954ee97baaa34634ede86a2af233ac175c15ae3107f2e9a28

SHA512
05e92fad30ab5d89ebb6eb33fdc76ef9575dbf4c7d649782fd902010a11505a7499b38a4aceccf46e5f8b31617b730a0436cf821442b59dcdeec71ecc2a90a17

Download Submit
C:\Windows\SysWOW64\BWFWHY\JAU.002

Filesize
43KB

MD5
c04e0de732e8f56b401e409c4417149c

SHA1
7b260b3600345fb72af9fd0e4025b4a125c8dd08

SHA256
0d359c2c70001f56c14e7e29a12456c82606bb9a46f9db1f8216a9087775dec6

SHA512
d9e2bf02bcb144a8c37e05cb2544ca46fe93e1f2b5a4e08832d533ab9348ddb9153b5c36efa4186d625a80af5d546331d740a13f43c5195ccb4829c98eaa69b0

Download Submit
C:\Windows\SysWOW64\BWFWHY\JAU.004

Filesize
1KB

MD5
8981cce7d43aff9ec41fe1ea77a3c909

SHA1
3d2632b9e522073ce41fd0067c5b1408306218ad

SHA256
4fd7411c72345cd8dac96c82370249817e53557bc5025509b720a28511bccdb9

SHA512
fec7c8c77c7209957163f3ad3ab54a762fb1e225898af4c5db8b879def45f4a00ecaaf4cdf082e04435ada676faaf19ff2ae39f5afe986d7b16ade7eb0c6ec34

Download Submit
\Windows\SysWOW64\BWFWHY\JAU.exe

Filesize
1.5MB

MD5
82dc38922620ab6a5850f391584d2657

SHA1
ef30f091ff7aa242600f19e87f2b7b0cd7b0764f

SHA256
b464e42b8dfef6629030283e19c20bcc69d6d7c1bf9bb7e8df472f762debcea2

SHA512
4ec72c1d1599721ee1205f46a74a71fb67801e4d7aa6ca55907c2461a03c41cc3e1333e0b4ed9631b92e2310f45bf27cf865a5cc7ee2507e92f58cdb467023e8

Download Submit
memory/2496-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.