ardamax | cf3527128db278098cca1a842226a7b771c8327b7950d73318b230c67770ce49

General

Target

JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
Size

163KB
MD5

28cbb7e46c3dd74d28bd1d5ab5e8f13c
SHA1

abd90abca64a292d3e03309338a9445ba6cdf038
SHA256

cf3527128db278098cca1a842226a7b771c8327b7950d73318b230c67770ce49
SHA512

1e58732f645379674ec960a670a6175a64a26d65d16451389fc876d4a7073b7326f66477f998f2f419fe03ec815fe57893fc2fe8e8ba25e67c1bb60a0c7d7c9f
SSDEEP

3072:hePNhrDJ1YtUwIAsrygS+CqK5wiUSzH1h39iM/mPS8U5KkOoVf:aNhrDJCCMcygjpKiQhh3gXPGVOg

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018b05-8.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2436	AKL.exe
3008	Loader.exe

Loads dropped DLL 8 IoCs

pid	Process
2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
2436	AKL.exe
2436	AKL.exe
3008	Loader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AKL.001	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
File created	C:\Windows\SysWOW64\AKL.006	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
File created	C:\Windows\SysWOW64\AKL.007	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
File created	C:\Windows\SysWOW64\AKL.exe	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	AKL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AKL.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2436	AKL.exe
Token: SeIncBasePriorityPrivilege	2436	AKL.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2436	AKL.exe
2436	AKL.exe
2436	AKL.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2436	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	29
PID 2172 wrote to memory of 2436	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	29
PID 2172 wrote to memory of 2436	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	29
PID 2172 wrote to memory of 2436	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	29
PID 2172 wrote to memory of 3008	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	30
PID 2172 wrote to memory of 3008	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	30
PID 2172 wrote to memory of 3008	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	30
PID 2172 wrote to memory of 3008	2172	JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28cbb7e46c3dd74d28bd1d5ab5e8f13c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\AKL.exe
  "C:\Windows\system32\AKL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AKL.001

Filesize
1KB

MD5
218d552a725f71e2ecb26fe44557ddeb

SHA1
eb17a38c2944c3c37c5c70c44ae39765b75fff84

SHA256
cf431aa1be4bf84551c2d79499c8d995c2c291d1efa3fd4e4cad2b1cd36b48be

SHA512
3fc3cec54450f0ba0170e940fd7de6e88c1320ad3eada48b17c68be64765b0d4911ff14d0912f75f3c09ce6994c505aa7b3990f7aad18261c9158224745a882f

Download Submit
\Users\Admin\AppData\Local\Temp\@FA18.tmp

Filesize
4KB

MD5
b2428dc1f1a06ca137052bd3e4565bdd

SHA1
b16d0640f8a0af70d2ac43089b8df3afe3de8845

SHA256
0b9c70d6c79a70d1a1958b9c5c4fb88e56b8fdfae0d345721370706f083f4fef

SHA512
c2fcc8f90a2ec1abec1161c7235b004032cbe1bfe850e1d554a6371d3fd36c537d440cb413ac0517d7ed589fffcc97780a896174dcae5de160094edac0a276a6

Download Submit
\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
60KB

MD5
fea3416f23cd90b0662736895157afd5

SHA1
6ab68ea083c481a9111f37b82a8656bc68c02c2d

SHA256
1227ce94aa36fb5d42fa5a3cf34ae62391746828a19e16fcb24738f261264720

SHA512
436ef372d994e8baf4cfcb11cd539c8f41abdc58e83ec1630d235a9dea76bcc4c9de3c40af4a2f1f1fb6fb0c6ab5e9b259b291ac33b1481b4556a4fefbea0b02

Download Submit
\Windows\SysWOW64\AKL.006

Filesize
4KB

MD5
626b46c466bcc63f2888dbe1bf7c07ea

SHA1
d6348cd2e7471c71940b22329057dabb6eb9b1aa

SHA256
447973833fe70c0fdfbde12b03af25c8e238b976703b3a349ce24db7bff6dbb3

SHA512
7ec431c583427b49e355299dbe7192c14fecb12b953e04e4844ced42b33618dd66d04b94dc811c21dae965801385d283572e6c164d6df89c392ee0bf045187f0

Download Submit
\Windows\SysWOW64\AKL.007

Filesize
6KB

MD5
a7868b0f2d9c382d80019bcc2014b9c6

SHA1
f7f1a902bc83ee7d21e44add822c2746dba63e5a

SHA256
0fdb7ba1709a0fb29a1b6c0c5ab2c9efe24158054ffc9db0161218b29468755c

SHA512
8bcabe75ec0bfdefc22ff00deca0d63fb459622fc1fa7a9379e2f7e99ec75cfe2f76fb98b195ed40f050e56da1a2503dd7a9d551f0d66494349723686376d448

Download Submit
\Windows\SysWOW64\AKL.exe

Filesize
218KB

MD5
780bdf7f767d8a85f1844721cd0077fa

SHA1
1ad480226e8532edda9909030cadac61c9a22ba1

SHA256
39f0a4980627c596514e51a540d4e721c8f1bf3d0c9e69abc8b3f11f7c4b9314

SHA512
6d68ac87d611ca8dc3869438346681782df17f70128200edc35a82defc966da2597aaf4416bbd4a7f7b34b5ca424491bf4c4b7148aea02502242519b0c8e0577

Download Submit
memory/2436-30-0x0000000075E11000-0x0000000075E12000-memory.dmp

Filesize
4KB

Download
memory/2436-31-0x0000000075E10000-0x0000000075E3A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing