ardamax | c34b02197afb6505004c5c258bd2c5013b431cf245f8763bbb6c4217a9c8e13a

General

Target

d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe
Size

1.2MB
MD5

d385095950c0469946c0d3ede9859a35
SHA1

aa895808025b0be5a73ae8d489c9536033b263bb
SHA256

c34b02197afb6505004c5c258bd2c5013b431cf245f8763bbb6c4217a9c8e13a
SHA512

9446cee99737fe488bec33baeabec5c28c6a50f0987875875e3ff359b2a5eb55b6d576915ac2b733d3e6fdeef75f914e70c547257da65bd59210dee984671b1b
SSDEEP

24576:4t4mTIKXyRUCMu1Oo1IFznRupktQVnbvwbuk1ImVG4pln3gBd29fUv/4gAL:4ttTIKCR3siktQRS5XlwgUv/z

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018742-5.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2336	KKG.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe
2336	KKG.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KKG Start = "C:\\Windows\\SysWOW64\\JBBWSO\\KKG.exe"	KKG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\JBBWSO\KKG.exe	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\JBBWSO\	KKG.exe
File created	C:\Windows\SysWOW64\JBBWSO\KKG.004	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\JBBWSO\KKG.001	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\JBBWSO\KKG.002	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2336	KKG.exe
Token: SeIncBasePriorityPrivilege	2336	KKG.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2336	KKG.exe
2336	KKG.exe
2336	KKG.exe
2336	KKG.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2336	2416	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2336	2416	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2336	2416	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2336	2416	d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d385095950c0469946c0d3ede9859a35_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\JBBWSO\KKG.exe
  "C:\Windows\system32\JBBWSO\KKG.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JBBWSO\KKG.001

Filesize
60KB

MD5
a0e52185446a908d52d822b0bb8c2112

SHA1
c8c2da5c2b140b01ba837cf385d452c08e43be18

SHA256
ae3211346da187dab804d037aa0fbbf6e1f103af005643cfe46f02bf1da2b993

SHA512
75d94285b322332ad0c221f8c1686b6ba6fe84ae5d289df059dfb31929fc1c1605794e9411d734013a3f9f66817be18a980dd517beec8e0b45e9dfc59da34786

Download Submit
C:\Windows\SysWOW64\JBBWSO\KKG.002

Filesize
43KB

MD5
aa19ffd6cd58b081109fd1d307d1f9c5

SHA1
13f86d496127ef3c6066ead3cb89d71fb9c748f4

SHA256
9b03cd394efeffa914fb095c23596d1fba87d4437d3229c8dca536881a4920b2

SHA512
b18c334ad6708aa93dcf86d749b0971f26b0627744872ec22ecba83dbe9962b18a2739c34fc1c3a16d87dfd8a126282923956cfe430aa8dda263511868509d37

Download Submit
C:\Windows\SysWOW64\JBBWSO\KKG.004

Filesize
1KB

MD5
a1e3378ae76cc2b3b4d4ddadafe397e4

SHA1
d59b5d3cf1bc0518166544cd33d39bf87581a870

SHA256
b9bea98ab8cf31d61e73a5981aa9eb452bb860c45901a4692dbaa3bc4d61458b

SHA512
0dbe79c3ca7c1d076687d8458a36b49c9a6edb89499d82782112ec4df8c0d090916fcb18867c17d51efdcc2eb86174072025f7633acec083657b02edef7f3474

Download Submit
\Windows\SysWOW64\JBBWSO\KKG.exe

Filesize
1.7MB

MD5
34b3619a56a670342c773cee6ebae01d

SHA1
8528631520e56d2ec7d6838965185a71cbb43d2f

SHA256
9e233be19677930f0a1182be94d9594b30c33ee4de1a56d606fbcf8033870c49

SHA512
a92e73a05430765887c7b71ec6c5b36c5cfc2e9a3ada94fd11adafc14e13c122899fbf545d0ecca7292df6c1ebf885fff7ac890d49d4d9a2bae8afc3e05c8e2b

Download Submit
memory/2336-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2336-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads