ardamax | ea6e1cd7b54a6abca274cea4aca81c1d6a3e199c42c417089a6e1a9de655cfd0

General

Target

e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
Size

327KB
MD5

e53bcefe67ef4c07fbc68571aeed16bb
SHA1

ac43508e3195525348518e43c4514de1023bff2e
SHA256

ea6e1cd7b54a6abca274cea4aca81c1d6a3e199c42c417089a6e1a9de655cfd0
SHA512

129c2fb2cbdf3e87375ee82342e169cd025b6fa5adef0083fa3f60ddd8e9377f1bc4a7ae57c2727e10f3666bba194191eb5d9fec41196e397cd3aea5f52460db
SSDEEP

6144:LmpyGttLh7jEa4q5S+MBQUC7TWZgRZUYZ:Lmt574q4rBFC7Th9Z

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015f1b-16.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2528	iexplore.exe

Loads dropped DLL 7 IoCs

pid	Process
2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
2528	iexplore.exe
2528	iexplore.exe
2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
2460	POWERPNT.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iexplore.exe	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplore.001	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplore.006	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplore.007	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2460	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2528	iexplore.exe
Token: SeIncBasePriorityPrivilege	2528	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2528	iexplore.exe
2528	iexplore.exe
2528	iexplore.exe
2528	iexplore.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2528	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2528	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2528	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2528	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2460	2176	e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2756	2460	POWERPNT.EXE	32
PID 2460 wrote to memory of 2756	2460	POWERPNT.EXE	32
PID 2460 wrote to memory of 2756	2460	POWERPNT.EXE	32
PID 2460 wrote to memory of 2756	2460	POWERPNT.EXE	32

C:\Users\Admin\AppData\Local\Temp\e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e53bcefe67ef4c07fbc68571aeed16bb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\iexplore.exe
  "C:\Windows\system32\iexplore.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2528
- C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\Cidade dos anjos.pps"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cidade dos anjos.pps

Filesize
135KB

MD5
0a14b8ccf3374fb94c2bde7438cedc94

SHA1
40704ffc1f37cc819b32dbfa9360ba8b1a694eb4

SHA256
78a070c66b86759cb46db93ad6bfff5518a2435ce5fd0695e2130a8b9a049f39

SHA512
319b63a8171f073e32b65498584218e736264af03128a6cb1d5ff2ef2a89b67478cb6d3822b17b42397437e033ae4b984f24ce156e9fff23c4b064b9f2807801

Download Submit
C:\Windows\SysWOW64\iexplore.001

Filesize
2KB

MD5
c960dc2c2ee28c2cd292445bb603dda9

SHA1
a736c2b77ef13a059d87158e07d89f46e9ab988e

SHA256
a43d34f1374c8d6b0e5ff04711a9cdfe38714147e75ffaa85a19c73e897652fd

SHA512
97b5e686557d4dee78c824bbe642c4b6e08db807dfb892c76ddd42c978fcbba4c390745ebf70e9858afbc3e59f3df07f976d61e76e7d43496fb6152f0b174f97

Download Submit
C:\Windows\SysWOW64\iexplore.006

Filesize
5KB

MD5
b8e130b146557e640cb3e198f3d9110e

SHA1
c1cbebfce4e3af8ced7d1019586e91c371432d78

SHA256
3dbca63a39382e4c25d0b02e668ba72c5c81071bb62937ec939325f1f89926a1

SHA512
bc858367e64188c3a365fff4c7986e86d6d666651b2421e3b96fe06836aede073f2228349f66f1836e6ef98bb8e5120354c54a0fb13059e5b875bbf34ed7868f

Download Submit
C:\Windows\SysWOW64\iexplore.007

Filesize
4KB

MD5
097c525e86f64364479227f1603a0221

SHA1
c84897900f59cbff5f607368ceba93bfc5273998

SHA256
1b62745c0181f36b7c0227225da12c0d357fd6f14ff8a0ea8484fd4a9c6bf766

SHA512
b52b9d51c3bb50fab292c8bf13d2d87694391481742830c266f4512b2e33a16b852cdbf3faea7f5945b60415a12d1d6a0e9319500cb769b12e0a03357f66ef12

Download Submit
C:\Windows\SysWOW64\iexplore.exe

Filesize
295KB

MD5
2b8def730c5bab9d9b58e117af9fb84a

SHA1
090c2c4f0309895bad639ba1c0af21d1eb70d987

SHA256
759f339edba9126cd77ee621e6852f281b9a3190bc4aa17711164bac5ece41a7

SHA512
809aa7300e4bef33489f4166fd5b8245a9b9523c9fd908a37b51a0384966f8f036ac09fbca3730bb04b98ff976c17380ddc4c2ed75dbda51350f049b3d0bf48a

Download Submit
\Users\Admin\AppData\Local\Temp\@B358.tmp

Filesize
4KB

MD5
683f1f1e72a9fd91018e379b0f45c646

SHA1
e715798afee630bca17bd35e382626399e608788

SHA256
0770043fa8f879787c32f97e915295320738b28dc5c7a07a033df6d9ac5b4e50

SHA512
490a8fcc256fb97bdaf0ef7a243998338b3796db448874ed85613a087e16a9e1b0105af3deb57e18db253e550e5c8a0fd02dba1e52f4959937ffb6c587e3b8f5

Download Submit
memory/2176-27-0x000000007777F000-0x0000000077780000-memory.dmp

Filesize
4KB

Download
memory/2460-35-0x000000007243D000-0x0000000072448000-memory.dmp

Filesize
44KB

Download
memory/2460-28-0x000000002DB91000-0x000000002DB92000-memory.dmp

Filesize
4KB

Download
memory/2460-30-0x000000007777F000-0x0000000077780000-memory.dmp

Filesize
4KB

Download
memory/2460-32-0x000000007243D000-0x0000000072448000-memory.dmp

Filesize
44KB

Download
memory/2460-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2528-18-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2528-34-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2528-23-0x000000007777F000-0x0000000077780000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing