ardamax | e61d28d5d33357245a86e503b0df4a86a008ee1addaa9cdfe750b0cda86e71cc

General

Target

eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
Size

767KB
MD5

eedf82e3dd7a05c7bc06c3f9b3a6c374
SHA1

35af51899c19d55a330613fb2b08c7786b8d55aa
SHA256

e61d28d5d33357245a86e503b0df4a86a008ee1addaa9cdfe750b0cda86e71cc
SHA512

c8205e08e7bf25570445b8532df94533facba508832743a823ef60eec18f432d553f8656dfb7b6835eeb9dfab4edccba293c7566f8a90224d37a604b1e00c597
SSDEEP

12288:ZsuegejptY+eP6cfMUOv8kh1bse/bhfnQMTSDKoKZIUBIYvhZHybee/qYU9jiJFa:ENFeyqn68kQIhx+ejbB/JZHybPa9jcFa

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001878f-8.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
776	CPMU.exe
2220	spider.exe

Loads dropped DLL 9 IoCs

pid	Process
2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
776	CPMU.exe
776	CPMU.exe
2220	spider.exe
2220	spider.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CPMU Agent = "C:\\Windows\\SysWOW64\\Sys32\\CPMU.exe"	CPMU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	CPMU.exe
File created	C:\Windows\SysWOW64\Sys32\CPMU.001	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\CPMU.006	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\CPMU.007	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\CPMU.exe	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CPMU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spider.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	776	CPMU.exe
Token: SeIncBasePriorityPrivilege	776	CPMU.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
776	CPMU.exe
776	CPMU.exe
776	CPMU.exe
776	CPMU.exe
776	CPMU.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 776	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	30
PID 2364 wrote to memory of 776	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	30
PID 2364 wrote to memory of 776	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	30
PID 2364 wrote to memory of 776	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2220	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2220	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2220	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2220	2364	eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eedf82e3dd7a05c7bc06c3f9b3a6c374_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\Sys32\CPMU.exe
  "C:\Windows\system32\Sys32\CPMU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:776
- C:\Users\Admin\AppData\Local\Temp\spider.exe
  "C:\Users\Admin\AppData\Local\Temp\spider.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\spider.exe

Filesize
526KB

MD5
2f83e4c369590aee78825c9b553816de

SHA1
0e3ae6855e0835b59764bccae54091f35d094ac0

SHA256
6f3db5f9c14dbaeb5dea41ada44175d06fa57c1ddd4c2fc37aad438fed10c9e3

SHA512
50e1e34e95697900a36efaa0cf1e77c01d9942c3d450f8f612f791185441bd7f45954a84cf1a02c2d681894fbaa92a87aa283122e09536a9ea71d2543ec67292

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
42d621e2cfb9c20627fca4a0376c4174

SHA1
fa89729dd54f9d68c92f423eada65c993bb194f1

SHA256
52e97b8a9c6ab207767616f71834b6160f7476890e0d12528140dd751e408426

SHA512
5c5386d1f504df56a60fd4dc402f90915f44f513a2c70c0645cdcfb57d92754bf545b0f704e2ac1ab1bc9e985fe164d7e740d2f8f3867fbdf13cce7048dc199a

Download Submit
C:\Windows\SysWOW64\Sys32\CPMU.001

Filesize
514B

MD5
53b574c1574b8b830dfae02c019d156a

SHA1
f603efe3b4adb90d856041dc4fafff84c25fc348

SHA256
98808a3d5b8faa0a1063eb3802be2067c862d28c4db65f323bdfca9443a76bc6

SHA512
9f843819077942d858a86eb3db9bb4b1613c5c3d5af7207d0b7f12e0b6a1d479d597c26732d2399270d255ba5c0c55547a38e7509b1d6c95fa46334817fa2cfc

Download Submit
C:\Windows\SysWOW64\Sys32\CPMU.006

Filesize
7KB

MD5
cae44465a902cdee5716cd290f5e5d15

SHA1
d847caa95776c5d238bcb16530cb266d9a4a214c

SHA256
440512b20650797a76add16ca5ce4a079f73e56b56b4b17b892f881d70ca69b7

SHA512
4e4f80188b8b5391e81f92ef47caf98feb06a7bda8d75f8f55b65c23fc0738048dbb56bb0007505b8f3f86b0183d7b953252133d79c95dca02e385a89f44a7ce

Download Submit
C:\Windows\SysWOW64\Sys32\CPMU.007

Filesize
5KB

MD5
ec7ae4f69f2cbb52ee4fbbc0ddf4d1e8

SHA1
0b4baca1ef2cfb23b7cdc21a94bf75971ce857c4

SHA256
b9078189accbcdd76a0fbda68020cbbef096a1f01ba4351a54a4232e356008f0

SHA512
263907449236afb75ef29a3822c5493dbad4dd18ae5a9b21199a3c51304c057bc94f1cb4b6d23a3c308ec0e3cf26989b40f685c301e0678d694f32fa66aa9c0d

Download Submit
C:\Windows\SysWOW64\Sys32\CPMU.exe

Filesize
476KB

MD5
3141cee1200fc3f14e92336d7d8dbed7

SHA1
0eae11bcfb73105bf20c272bfd17cd368d38b668

SHA256
a7b5fadbce366e689b54af37cb0dc84ba2a51bf0ba5f52efd46367d015a8b8a5

SHA512
429d1cd67c07571429a55c62218ee7902796c6dc22f20e4292a3983e0c37d307d3f46c7d198f9781a0bac1238c1b35ea4ffdf317386890837db16a2b73d6e054

Download Submit
\Users\Admin\AppData\Local\Temp\@C091.tmp

Filesize
4KB

MD5
ac3fe2c556596b659ee6b595c58e10a5

SHA1
815ed04b1a4045fde2660d2f5e36cce75cba96e1

SHA256
b264c6fa863a4471fe3334a3f7404145bfd2e4d41904e6395a35f050f39a34a9

SHA512
43a4798a3c0c31c8c8797cb519861579818350365c26665fe0b8c65f4fa3c8ef6bc1837ac6ceffc6c31e51e1bb572cc294c091b7ef5f891a20010521575aa514

Download Submit
memory/776-33-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/776-40-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2220-38-0x0000000077E5F000-0x0000000077E60000-memory.dmp

Filesize
4KB

Download
memory/2220-39-0x0000000077E5F000-0x0000000077E60000-memory.dmp

Filesize
4KB

Download
memory/2220-41-0x0000000077E5F000-0x0000000077E60000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads