ardamax | fd1e2cdc0f3572ce57d22cc6983b45723050b3b28e4cf2a7cfc566fe910386bd

General

Target

JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
Size

1.4MB
MD5

457a12d73b4df05613b400d4c147732c
SHA1

f3e9e107993eb72cac5f444e21b368059239d844
SHA256

fd1e2cdc0f3572ce57d22cc6983b45723050b3b28e4cf2a7cfc566fe910386bd
SHA512

ae25f9500382d07c23310088fdf434a79c0d0a33a3e16762b846a1c5fc5d6bfe75cb858cc9af4bfbba67a259a01f2cee0d4090a995d2d652a19e721dbe8874b7
SSDEEP

24576:N0NzTRglcnSeizw2d4doLXoSXgLemsO8dhq8wwQTr1otchcNwYwbhdL:N0pTRgCnSeiUdXuFXhq5wQtot6v

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000017525-6.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2776	TIF.exe
2828	G-Cash 3.exe

Loads dropped DLL 7 IoCs

pid	Process
2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
2776	TIF.exe
2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
2828	G-Cash 3.exe
2776	TIF.exe
2776	TIF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TIF Start = "C:\\Windows\\SysWOW64\\HDCLGU\\TIF.exe"	TIF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HDCLGU\TIF.008	TIF.exe
File created	C:\Windows\SysWOW64\HDCLGU\TIF.004	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
File created	C:\Windows\SysWOW64\HDCLGU\TIF.001	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
File created	C:\Windows\SysWOW64\HDCLGU\TIF.002	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
File created	C:\Windows\SysWOW64\HDCLGU\AKV.exe	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
File created	C:\Windows\SysWOW64\HDCLGU\TIF.exe	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
File opened for modification	C:\Windows\SysWOW64\HDCLGU\	TIF.exe
File created	C:\Windows\SysWOW64\HDCLGU\TIF.008	TIF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TIF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G-Cash 3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2776	TIF.exe
2776	TIF.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2776	TIF.exe
Token: SeIncBasePriorityPrivilege	2776	TIF.exe
Token: SeIncBasePriorityPrivilege	2776	TIF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2776	TIF.exe
2776	TIF.exe
2776	TIF.exe
2776	TIF.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2776	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	30
PID 2080 wrote to memory of 2776	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	30
PID 2080 wrote to memory of 2776	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	30
PID 2080 wrote to memory of 2776	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	30
PID 2080 wrote to memory of 2828	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	31
PID 2080 wrote to memory of 2828	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	31
PID 2080 wrote to memory of 2828	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	31
PID 2080 wrote to memory of 2828	2080	JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe	31
PID 2776 wrote to memory of 1728	2776	TIF.exe	32
PID 2776 wrote to memory of 1728	2776	TIF.exe	32
PID 2776 wrote to memory of 1728	2776	TIF.exe	32
PID 2776 wrote to memory of 1728	2776	TIF.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_457a12d73b4df05613b400d4c147732c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\HDCLGU\TIF.exe
  "C:\Windows\system32\HDCLGU\TIF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\HDCLGU\TIF.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- C:\Users\Admin\AppData\Local\Temp\G-Cash 3.exe
  "C:\Users\Admin\AppData\Local\Temp\G-Cash 3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HDCLGU\AKV.exe

Filesize
485KB

MD5
b905540561802896d1609a5709c38795

SHA1
a265f7c1d428ccece168d36ae1a5f50abfb69e37

SHA256
ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53

SHA512
7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

Download Submit
C:\Windows\SysWOW64\HDCLGU\TIF.001

Filesize
61KB

MD5
0e7e847fb96b4faa6cb4d3707a96887e

SHA1
896fd4064044e271312e9128e874108eec69521f

SHA256
c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca

SHA512
ad680ed30b0cabe1be4e7237b8e620060de9c5f64d088d21a6acf6f293551ab4abc10f8f959aa6041e19aeaea538e72beeecc29b7669546a9a151141d4e73684

Download Submit
C:\Windows\SysWOW64\HDCLGU\TIF.002

Filesize
43KB

MD5
f195701cf2c54d6ceadad943cf5135b8

SHA1
9beb03fc097fc58d7375b0511b87ced98a423a08

SHA256
177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

SHA512
f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

Download Submit
C:\Windows\SysWOW64\HDCLGU\TIF.004

Filesize
1KB

MD5
39d1ac158e1908dd94a828e4428dd809

SHA1
c7751d8a1dfb12e2b8dec8bb829d92a8cbe7f8bb

SHA256
0e86b7d4fe48c88ec4b60e68f038aa5e04399622ee376861e4e9c0bce3bcbf39

SHA512
d3c4b7f06623ee0f659120b03a1949be3d78db54054db33963c14dbd88e53bf86a7429592dc5c901e4f0edb601052f18df99fb8a11111157865dc48cdb44dfa3

Download Submit
C:\Windows\SysWOW64\HDCLGU\TIF.008

Filesize
514B

MD5
f24d2c865c7b6fb5e41fd9f14cd604e3

SHA1
8da1ca575d1a16255e521d4d10fabec1634ddd76

SHA256
5f657b59acadfe9312b418c608715f432f9f69d49b9f50c535eb0b93d1157fb0

SHA512
b714d51ac4f330b2e98b843c8a5d3b2bbe3741d7c5560cfe6b4f5d427bdb5940c14f1660adade6ed6a637902c2d25d98dec9e27e63cbb09a3cc6658df6be3b93

Download Submit
\Users\Admin\AppData\Local\Temp\G-Cash 3.exe

Filesize
259KB

MD5
8a10ad865cbbf3677d28fcd9b770043c

SHA1
b8a15e9fb6c8d13e43a1a3c4531da0be788f6197

SHA256
89e931f23b4fd72ad821ce6d59a4ffbba01053d4c1f59ce936f173e517a3411e

SHA512
b2fd81594243472fbe244e0dc7323fdc1ef576c18414dca98f61438381b0e55ad24e52c9b625239011090fdf86ec9761c5b76ad7505e9cd6cd653fe2196b3652

Download Submit
\Windows\SysWOW64\HDCLGU\TIF.exe

Filesize
1.7MB

MD5
d95623e481661c678a0546e02f10f24c

SHA1
b6949e68a19b270873764585eb1e82448d1e0717

SHA256
cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

SHA512
dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

Download Submit
memory/2776-16-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2776-37-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2828-29-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/2828-36-0x0000000001350000-0x0000000001398000-memory.dmp

Filesize
288KB

Download
memory/2828-38-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads