ardamax | c9eeab7cff2b60e87771737d2d0723175ced0ed121256c799da02883c1e56d30

General

Target

JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
Size

747KB
MD5

10e062cab2a8915ceeac731374635d35
SHA1

96ee390380f56cb55fc71df372871a92b30d4951
SHA256

c9eeab7cff2b60e87771737d2d0723175ced0ed121256c799da02883c1e56d30
SHA512

13ae7f8add9ba81e3928c1a8e8cd7990d5c4a32144445ee5405069a6e2c434bd4968c1f1e08db18a92d954b44dadc6b35c5779f1fafd6bd4cb355ff69716faa7
SSDEEP

12288:FcE973jHV2Ivi1AunsYRtMyq8dcO5fbgALuo+cTHhDDpQti/YNrUUaSoEyHpwXR:f1bviS9YfMW5fciRpq8YNAeoJHY

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cab-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1800	NSK.exe

Loads dropped DLL 5 IoCs

pid	Process
2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
1800	NSK.exe
1800	NSK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NSK.007	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
File created	C:\Windows\SysWOW64\NSK.exe	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
File created	C:\Windows\SysWOW64\NSK.001	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
File created	C:\Windows\SysWOW64\NSK.006	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NSK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSK.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2500	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1800	NSK.exe
Token: SeIncBasePriorityPrivilege	1800	NSK.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe
2500	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1800	NSK.exe
1800	NSK.exe
1800	NSK.exe
2500	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1800	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	30
PID 2380 wrote to memory of 1800	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	30
PID 2380 wrote to memory of 1800	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	30
PID 2380 wrote to memory of 1800	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	30
PID 2380 wrote to memory of 2500	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	31
PID 2380 wrote to memory of 2500	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	31
PID 2380 wrote to memory of 2500	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	31
PID 2380 wrote to memory of 2500	2380	JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e062cab2a8915ceeac731374635d35.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\NSK.exe
  "C:\Windows\system32\NSK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1800
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\cacheroinhydras_10580.rec"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cacheroinhydras_10580.rec

Filesize
654KB

MD5
45f816fa89ad624034b55d8e24dabb00

SHA1
d49b9f56d6c81276c6b4858c9b5013d05f16ee3d

SHA256
e552144ed1727e34ce40930671357978ff6044369deecfd1a70da1e9528fd42d

SHA512
ca2546428b26aef9be45e0a22c9f2e0ad29b459788b0e6244ffbf83cdc91abebe1d6867d2b51ad1fe4b32874cadab8bed64cbb946bbfd32abf45406240b1e37e

Download Submit
C:\Windows\SysWOW64\NSK.001

Filesize
1KB

MD5
4f380aaa44175528b931db5e8060ffc8

SHA1
baee81d3dda943f3c51b4d6387f643a61ddd9c27

SHA256
ba5ee279733ba996ea684ca12a35022e90e7c7b9296b7eeeef8c083a7166ca5d

SHA512
6aeb289acac52b5b88127d4554f16c3da67d45b3e5fc7611f6ed379977a2a95568a26f4dc3a2341049aa94995a917321609144fd4db5e06dad6b050f0aaaae03

Download Submit
C:\Windows\SysWOW64\NSK.006

Filesize
4KB

MD5
0868167c8915fb3d87d4e5a775a57ffd

SHA1
5f223134e003382fd8c191a1f4ca94922f1d802e

SHA256
6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

SHA512
d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

Download Submit
C:\Windows\SysWOW64\NSK.007

Filesize
6KB

MD5
5e023770dfb9d9068706facc958c7d66

SHA1
9cf95074a78239da000452362c2167991970e972

SHA256
f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

SHA512
a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

Download Submit
\Users\Admin\AppData\Local\Temp\@9463.tmp

Filesize
4KB

MD5
ccfd350414f3804bbb32ddd7eb3f6153

SHA1
e91d270b8481d456a3beabf617ef3379a93f1137

SHA256
1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

SHA512
328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

Download Submit
\Windows\SysWOW64\NSK.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit
memory/1800-24-0x00000000767E1000-0x00000000767E2000-memory.dmp

Filesize
4KB

Download
memory/1800-25-0x00000000767E0000-0x000000007680A000-memory.dmp

Filesize
168KB

Download
memory/2500-51-0x000007FEF6710000-0x000007FEF6721000-memory.dmp

Filesize
68KB

Download
memory/2500-49-0x000007FEF6750000-0x000007FEF6761000-memory.dmp

Filesize
68KB

Download
memory/2500-35-0x000007FEFB4A0000-0x000007FEFB4B8000-memory.dmp

Filesize
96KB

Download
memory/2500-36-0x000007FEFA2E0000-0x000007FEFA2F7000-memory.dmp

Filesize
92KB

Download
memory/2500-37-0x000007FEF7AF0000-0x000007FEF7B01000-memory.dmp

Filesize
68KB

Download
memory/2500-38-0x000007FEF7810000-0x000007FEF7827000-memory.dmp

Filesize
92KB

Download
memory/2500-39-0x000007FEF6CF0000-0x000007FEF6D01000-memory.dmp

Filesize
68KB

Download
memory/2500-40-0x000007FEF6CD0000-0x000007FEF6CED000-memory.dmp

Filesize
116KB

Download
memory/2500-41-0x000007FEF6CB0000-0x000007FEF6CC1000-memory.dmp

Filesize
68KB

Download
memory/2500-34-0x000007FEF6020000-0x000007FEF62D6000-memory.dmp

Filesize
2.7MB

Download
memory/2500-55-0x000007FEF4CE0000-0x000007FEF4D5C000-memory.dmp

Filesize
496KB

Download
memory/2500-56-0x000007FEF4CC0000-0x000007FEF4CD1000-memory.dmp

Filesize
68KB

Download
memory/2500-33-0x000007FEF7830000-0x000007FEF7864000-memory.dmp

Filesize
208KB

Download
memory/2500-53-0x000007FEF66C0000-0x000007FEF66F0000-memory.dmp

Filesize
192KB

Download
memory/2500-52-0x000007FEF66F0000-0x000007FEF6708000-memory.dmp

Filesize
96KB

Download
memory/2500-54-0x000007FEF6650000-0x000007FEF66B7000-memory.dmp

Filesize
412KB

Download
memory/2500-50-0x000007FEF6730000-0x000007FEF674B000-memory.dmp

Filesize
108KB

Download
memory/2500-32-0x000000013FF00000-0x000000013FFF8000-memory.dmp

Filesize
992KB

Download
memory/2500-61-0x000007FEF4BB0000-0x000007FEF4BD3000-memory.dmp

Filesize
140KB

Download
memory/2500-64-0x000007FEF4050000-0x000007FEF4061000-memory.dmp

Filesize
68KB

Download
memory/2500-63-0x000007FEF4B70000-0x000007FEF4B82000-memory.dmp

Filesize
72KB

Download
memory/2500-62-0x000007FEF4B90000-0x000007FEF4BA1000-memory.dmp

Filesize
68KB

Download
memory/2500-60-0x000007FEF4BE0000-0x000007FEF4BF8000-memory.dmp

Filesize
96KB

Download
memory/2500-65-0x000007FEF3F50000-0x000007FEF404F000-memory.dmp

Filesize
1020KB

Download
memory/2500-59-0x000007FEF4C00000-0x000007FEF4C24000-memory.dmp

Filesize
144KB

Download
memory/2500-58-0x000007FEF4C30000-0x000007FEF4C58000-memory.dmp

Filesize
160KB

Download
memory/2500-57-0x000007FEF4C60000-0x000007FEF4CB7000-memory.dmp

Filesize
348KB

Download
memory/2500-48-0x000007FEF6770000-0x000007FEF6781000-memory.dmp

Filesize
68KB

Download
memory/2500-47-0x000007FEF6790000-0x000007FEF67A1000-memory.dmp

Filesize
68KB

Download
memory/2500-46-0x000007FEF67F0000-0x000007FEF6808000-memory.dmp

Filesize
96KB

Download
memory/2500-45-0x000007FEF6C80000-0x000007FEF6CA1000-memory.dmp

Filesize
132KB

Download
memory/2500-44-0x000007FEF6810000-0x000007FEF6851000-memory.dmp

Filesize
260KB

Download
memory/2500-43-0x000007FEF4D60000-0x000007FEF4F6B000-memory.dmp

Filesize
2.0MB

Download
memory/2500-42-0x000007FEF4F70000-0x000007FEF6020000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing