ardamax | abf3f2c13e0e9ff3ad70b7a2fed26602dd7fdf8247e6fb88d8429464850161f6

General

Target

JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
Size

552KB
MD5

4ce57b96f723e34d313907094f504013
SHA1

8e65df2348d7851cc7efda99e89ee673a1d3bc45
SHA256

abf3f2c13e0e9ff3ad70b7a2fed26602dd7fdf8247e6fb88d8429464850161f6
SHA512

18779f6ab56a941f3cdabb822e5958b0d49147c9f3fc61b609f27d1bc28554439d74076ee66bff4c3bb503dec43d601c5fe44509cf7a91d87f961ba66f6aa39d
SSDEEP

6144:Eov6OIud0k/Al74xCZU0rJboaJQKLZuGCAJCMfy4OHAuspRP2WoDXZm4zuy8ZvO/:ZbdHfx50+aJQKsXMfhOseDJLzulVCybg

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000018678-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
3008	MYGM.exe
2636	loader.exe

Loads dropped DLL 11 IoCs

pid	Process
1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
3008	MYGM.exe
3008	MYGM.exe
1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
2636	loader.exe
2636	loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MYGM Agent = "C:\\Windows\\SysWOW64\\28463\\MYGM.exe"	MYGM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\MYGM.001	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
File created	C:\Windows\SysWOW64\28463\MYGM.006	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
File created	C:\Windows\SysWOW64\28463\MYGM.007	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
File created	C:\Windows\SysWOW64\28463\MYGM.exe	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
File opened for modification	C:\Windows\SysWOW64\28463	MYGM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYGM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: 33	3008	MYGM.exe
Token: SeIncBasePriorityPrivilege	3008	MYGM.exe
Token: SeIncreaseQuotaPrivilege	2636	loader.exe
Token: SeSecurityPrivilege	2636	loader.exe
Token: SeLoadDriverPrivilege	2636	loader.exe
Token: SeSystemProfilePrivilege	2636	loader.exe
Token: SeSystemtimePrivilege	2636	loader.exe
Token: SeProfSingleProcessPrivilege	2636	loader.exe
Token: SeIncBasePriorityPrivilege	2636	loader.exe
Token: SeCreatePagefilePrivilege	2636	loader.exe
Token: SeShutdownPrivilege	2636	loader.exe
Token: SeDebugPrivilege	2636	loader.exe
Token: SeSystemEnvironmentPrivilege	2636	loader.exe
Token: SeRemoteShutdownPrivilege	2636	loader.exe
Token: SeUndockPrivilege	2636	loader.exe
Token: SeManageVolumePrivilege	2636	loader.exe
Token: 33	2636	loader.exe
Token: 34	2636	loader.exe
Token: 35	2636	loader.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3008	MYGM.exe
3008	MYGM.exe
3008	MYGM.exe
3008	MYGM.exe
3008	MYGM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 3008	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	31
PID 1840 wrote to memory of 3008	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	31
PID 1840 wrote to memory of 3008	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	31
PID 1840 wrote to memory of 3008	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	31
PID 1840 wrote to memory of 2636	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	32
PID 1840 wrote to memory of 2636	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	32
PID 1840 wrote to memory of 2636	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	32
PID 1840 wrote to memory of 2636	1840	JaffaCakes118_4ce57b96f723e34d313907094f504013.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ce57b96f723e34d313907094f504013.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ce57b96f723e34d313907094f504013.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\28463\MYGM.exe
  "C:\Windows\system32\28463\MYGM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\MYGM.001

Filesize
382B

MD5
b0c0d02a8cbd04cf991f99a32d27b946

SHA1
9aadd2151af94a12734555d88fecf16f6e71121c

SHA256
5a61c8b52a3cb3c497c712bd20c9f4cd2867f647ba51f73749c0b87246f1c3ce

SHA512
7f6960ffb5a5a9d043476fa8caa140ba4df23f790c7ef127c8fcecf4a8f00b3e59006a8df2bf61a291f34a115a0084b4cb608e4e051c1b61f4fe66405d2423d4

Download Submit
C:\Windows\SysWOW64\28463\MYGM.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
C:\Windows\SysWOW64\28463\MYGM.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
\Users\Admin\AppData\Local\Temp\@DF28.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
290KB

MD5
4f211987b6dfd4c44e91643d5d06f318

SHA1
a6cc7a50a28d71ec5a72a3ea5608d5a221d575b5

SHA256
78a4cc26a6c9a3ca340d66fa98341e8bad39a0d74fab1325acf34f3fcf7daab4

SHA512
36b3d17cc1c11ea46573cdda88e313fc865ac0c2e08857d453e86fa32c3b4c359e29be98d4b1485886d8b997f6549def16e3354d05c2407a6bf80227d0e6749e

Download Submit
\Windows\SysWOW64\28463\MYGM.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
memory/1840-36-0x0000000077BDF000-0x0000000077BE0000-memory.dmp

Filesize
4KB

Download
memory/2636-38-0x0000000077BDF000-0x0000000077BE0000-memory.dmp

Filesize
4KB

Download
memory/2636-40-0x0000000077BDF000-0x0000000077BE0000-memory.dmp

Filesize
4KB

Download
memory/2636-42-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3008-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3008-41-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads