ardamax | aebfa75d535251557da308e4f414c42abccba893844363e54b60aa3d235e72d8

General

Target

JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
Size

2.2MB
MD5

380ae6ae87aa0afb28a39016b5516757
SHA1

b85c0ac2958fc6c9e5411d16aca6d5c1be47cbcb
SHA256

aebfa75d535251557da308e4f414c42abccba893844363e54b60aa3d235e72d8
SHA512

b0297fa543682e552666458d6e5776ad98fcd8a5754f9a4b615939bd0f36543626c2b8051166012348dc814c57d2bb971ec7d13ea0a7e594fc8f289077dba786
SSDEEP

49152:oXTYCbQht9tgfeZhXXGeZgwdoBtaMVLXTYCbQht9tgfeZhXXGeZgwdoBtaMV:HCUht9tgGZhXXjZiBtzgCUht9tgGZhXO

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001960f-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2292	CJQ.exe
2872	BlankCode.exe

Loads dropped DLL 6 IoCs

pid	Process
1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
2292	CJQ.exe
1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
2872	BlankCode.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CJQ Start = "C:\\Windows\\SysWOW64\\UTIJUK\\CJQ.exe"	CJQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\UTIJUK\	CJQ.exe
File created	C:\Windows\SysWOW64\UTIJUK\CJQ.004	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
File created	C:\Windows\SysWOW64\UTIJUK\CJQ.001	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
File created	C:\Windows\SysWOW64\UTIJUK\CJQ.002	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
File created	C:\Windows\SysWOW64\UTIJUK\AKV.exe	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
File created	C:\Windows\SysWOW64\UTIJUK\CJQ.exe	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CJQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlankCode.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2292	CJQ.exe
Token: SeIncBasePriorityPrivilege	2292	CJQ.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2292	CJQ.exe
2292	CJQ.exe
2292	CJQ.exe
2292	CJQ.exe
2872	BlankCode.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2292	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	31
PID 1404 wrote to memory of 2292	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	31
PID 1404 wrote to memory of 2292	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	31
PID 1404 wrote to memory of 2292	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	31
PID 1404 wrote to memory of 2872	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	32
PID 1404 wrote to memory of 2872	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	32
PID 1404 wrote to memory of 2872	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	32
PID 1404 wrote to memory of 2872	1404	JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_380ae6ae87aa0afb28a39016b5516757.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\UTIJUK\CJQ.exe
  "C:\Windows\system32\UTIJUK\CJQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\BlankCode.exe
  "C:\Users\Admin\AppData\Local\Temp\BlankCode.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\UTIJUK\AKV.exe

Filesize
456KB

MD5
1f29b1075a91b3da0ccc0b9c49eece56

SHA1
048e675f087181035aedece9e7b11d065c6355cc

SHA256
4f6825548b32329c3360ed9abb7c0a6809a2c2291cf0bcaac511a9fa32a6336e

SHA512
7e152caf055f57f599ecc1e3a404b540b721b3315d2ba16bff6eb21f03edeb3a06ae185621e3139293612d94210f500f098bd281489ca7f336efd8b5284ee060

Download Submit
C:\Windows\SysWOW64\UTIJUK\CJQ.001

Filesize
61KB

MD5
31c866d8e4448c28ae63660a0521cd92

SHA1
0e4dcb44e3c8589688b8eacdd8cc463a920baab9

SHA256
dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

SHA512
1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

Download Submit
C:\Windows\SysWOW64\UTIJUK\CJQ.002

Filesize
43KB

MD5
093e599a1281e943ce1592f61d9591af

SHA1
6896810fe9b7efe4f5ae68bf280fec637e97adf5

SHA256
1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

SHA512
64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

Download Submit
C:\Windows\SysWOW64\UTIJUK\CJQ.004

Filesize
1KB

MD5
04edbc023d124575935ea350a55ce6e8

SHA1
29886ff5c0dc166cb636bf96310297bf0af2d0c3

SHA256
739065fb450ad3daff040ce556d46b512bcde4ce8188dde804a2ce6ddacdda53

SHA512
b9b67762f6630ee76d9df4de0917cdc0baf4cb1db939fc05e3a64a4ecd908e0ca5cbaa211a08cc21abad26fb5587ac37052b9aa1d4ba49f36d3f191c57b6dc76

Download Submit
C:\Windows\SysWOW64\UTIJUK\CJQ.exe

Filesize
1.5MB

MD5
0aaffc12ef1b416b9276bdc3fdec9dff

SHA1
9f38d7cf6241d867da58f89db9ff26544314b938

SHA256
42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

SHA512
bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

Download Submit
\Users\Admin\AppData\Local\Temp\BlankCode.exe

Filesize
244KB

MD5
acf52c91cff15a165f096c9a06acabeb

SHA1
735611c1e6d4c8d6e3552e6c0745ea68246bdd03

SHA256
75b2cef3cb108ee5777d49db8c194fe728bc6f8e4d6a2c5049a24674e745289f

SHA512
87a2dcd57991c07afbb998f3b05d356abf08c29894e260ede0813cd26fe7b046bfce93165bf2fc51838d393db7eabf11d60360151fb5573dbe451ab22d28185d

Download Submit
memory/2292-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-30-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.