ardamax | c6fc65385178249668171fed48e5e181fc2d4639236accae70038f7b9e4f83bb

General

Target

JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
Size

412KB
MD5

174369d77153f3486c5052562ab45c17
SHA1

acdbe1e00cba24ee96136509954f5045c4cf5343
SHA256

c6fc65385178249668171fed48e5e181fc2d4639236accae70038f7b9e4f83bb
SHA512

03f80b2b115ec35df6d072ce46c4a637ff5f456d71b3fbf2bc21f23c47e4d80e29235455eca3659c65ccb22ff23c4df4819354c0d7a18836ad28f68cab742fdb
SSDEEP

12288:i0AfEnZcqwIt1z3rxbXXwoPhkA89WEkAPiBZCGNK4P:+QZcfgtb9woJkJ9Wl+iBZHNK4P

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015f38-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2864	PWUC.exe
2772	TibiCAM.exe

Loads dropped DLL 16 IoCs

pid	Process
1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
2864	PWUC.exe
1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
2864	PWUC.exe
2772	TibiCAM.exe
2772	TibiCAM.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PWUC Agent = "C:\\Windows\\SysWOW64\\28463\\PWUC.exe"	PWUC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\PWUC.001	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File created	C:\Windows\SysWOW64\28463\PWUC.006	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File created	C:\Windows\SysWOW64\28463\PWUC.007	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File created	C:\Windows\SysWOW64\28463\PWUC.exe	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File opened for modification	C:\Windows\SysWOW64\28463	PWUC.exe
File created	C:\Windows\SysWOW64\28463\TibiCAM.rtf	TibiCAM.exe
File opened for modification	C:\Windows\SysWOW64\28463\Language.dat	TibiCAM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	2772	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PWUC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TibiCAM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2864	PWUC.exe
Token: SeIncBasePriorityPrivilege	2864	PWUC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2864	PWUC.exe
2864	PWUC.exe
2864	PWUC.exe
2864	PWUC.exe
2864	PWUC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2864	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	30
PID 1228 wrote to memory of 2864	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	30
PID 1228 wrote to memory of 2864	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	30
PID 1228 wrote to memory of 2864	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	30
PID 1228 wrote to memory of 2772	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	31
PID 1228 wrote to memory of 2772	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	31
PID 1228 wrote to memory of 2772	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	31
PID 1228 wrote to memory of 2772	1228	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	31
PID 2772 wrote to memory of 2848	2772	TibiCAM.exe	33
PID 2772 wrote to memory of 2848	2772	TibiCAM.exe	33
PID 2772 wrote to memory of 2848	2772	TibiCAM.exe	33
PID 2772 wrote to memory of 2848	2772	TibiCAM.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174369d77153f3486c5052562ab45c17.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\28463\PWUC.exe
  "C:\Windows\system32\28463\PWUC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\TibiCAM.exe
  "C:\Users\Admin\AppData\Local\Temp\TibiCAM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 268
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\PWUC.001

Filesize
494B

MD5
c9142751967f14acf8d40bb0701316a1

SHA1
29e8ebbde573fb7eb1abc639767297ac2ff59cfa

SHA256
595ee4a93d9cff04101c0fbb4bb17646c3027f726c2c2202772cb7fb2ac67f68

SHA512
1437f09a46c7285f60d0bfea0025933d727840b56ef8e476850abfcf287b6fc2e8f853ac019332a97145612535add20fd129b0058e4d688ba42ff54ef48931bc

Download Submit
C:\Windows\SysWOW64\28463\PWUC.006

Filesize
7KB

MD5
46e0f5831dfe24c3105ef20190c5f0d7

SHA1
dbd701062695f9df971bffc1fa433eb18ef61727

SHA256
d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

SHA512
3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

Download Submit
C:\Windows\SysWOW64\28463\PWUC.007

Filesize
5KB

MD5
70c68ec7e4e7f18abf35d47976a47f0f

SHA1
f1263f67e712760e055833d3030ed4583611ad6f

SHA256
cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

SHA512
80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

Download Submit
\Users\Admin\AppData\Local\Temp\@3F13.tmp

Filesize
4KB

MD5
a33680859a24229dc931c0e8a82ae84a

SHA1
dff1e7e7160ffbfaae221cd3a85de40722fddde6

SHA256
d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

SHA512
a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

Download Submit
\Users\Admin\AppData\Local\Temp\TibiCAM.exe

Filesize
596KB

MD5
b6e194788efe686f969a02de97e88429

SHA1
84f45bc686e7eba9f3365cbcb1ae3cb5bcef713c

SHA256
1333092038762ffd7ceb1b9808a6102cd04f2961c57ef0bac71dd9e4205e7bab

SHA512
f4ffebb62871b182d4c7a7e6b81a3288394285f4ac22c442629f1bb94574840ef06c7a67b973a0efce45e8983f2f152f56f9a906b4d37e83c931af7c945f48e5

Download Submit
\Windows\SysWOW64\28463\PWUC.exe

Filesize
471KB

MD5
328ef8c28309203cfbe5655274d5ea48

SHA1
403399787e94f7d4e3c8e237e25399263e9f4047

SHA256
0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

SHA512
93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

Download Submit
memory/2772-37-0x000000007716F000-0x0000000077170000-memory.dmp

Filesize
4KB

Download
memory/2772-45-0x000000007716F000-0x0000000077170000-memory.dmp

Filesize
4KB

Download
memory/2864-22-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2864-38-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads