ardamax | ce7d3fbb56b9979ccee5ac362c309cd7e9537405a6582371d6dc523a43ab4ffa

General

Target

JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
Size

395KB
MD5

90485acf2ddcf1917a88110cea53edbc
SHA1

d543ae4fca17de1a189d5898329c9af3b9ced665
SHA256

ce7d3fbb56b9979ccee5ac362c309cd7e9537405a6582371d6dc523a43ab4ffa
SHA512

c189de85086de01bc170a3780652aec0ff743b05dbef7b4b610e1f37091217d6f5f454475a31633e0ac3e73de92bd4af3ee81c5e2b3fb2714aeadfa10ce8cfd7
SSDEEP

6144:bPmpyGRWVyPuhmgB2wabv2gOoD6RXeKzAjIJ3K+SEml0eNroRcW464I82UrNlciz:bP6WVSbODoDsz6IYfEm2W16g1+QN

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018636-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2096	TND.exe
2792	Trade Hack.exe

Loads dropped DLL 9 IoCs

pid	Process
376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
2096	TND.exe
2096	TND.exe
376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
2792	Trade Hack.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\TND.001	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
File created	C:\Windows\SysWOW64\Sys\TND.006	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
File created	C:\Windows\SysWOW64\Sys\TND.007	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
File created	C:\Windows\SysWOW64\Sys\TND.exe	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
File opened for modification	C:\Windows\SysWOW64\Sys	TND.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trade Hack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TND.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	Trade Hack.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2096	TND.exe
Token: SeIncBasePriorityPrivilege	2096	TND.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2096	TND.exe
2096	TND.exe
2096	TND.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2096	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	30
PID 376 wrote to memory of 2096	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	30
PID 376 wrote to memory of 2096	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	30
PID 376 wrote to memory of 2096	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	30
PID 376 wrote to memory of 2792	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	31
PID 376 wrote to memory of 2792	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	31
PID 376 wrote to memory of 2792	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	31
PID 376 wrote to memory of 2792	376	JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90485acf2ddcf1917a88110cea53edbc.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\Sys\TND.exe
  "C:\Windows\system32\Sys\TND.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\Trade Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\Trade Hack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys\TND.001

Filesize
3KB

MD5
a9947553bf4f1fba405b50e4a28e1355

SHA1
6352ef69a8b6dadd254bfb0267572e72701c1e05

SHA256
d8ba9d2c5dbb9fa3f1d26154fb7d3a5d71ab17ef0457dc7b4a800aecfb82a248

SHA512
331bd6b2e4f902ae80d9cd40c7750f0a3860ac663dd700a1b336d2b9a38174382aa2a7a955d7883b43f62f2a639f40cc85d1348c389ebcce73bc770c19b29d8f

Download Submit
C:\Windows\SysWOW64\Sys\TND.006

Filesize
5KB

MD5
4e703c3e0aa89d786461c86930f1fcf1

SHA1
22fdba9ff74e42d0fa653b97377baaf5445acf69

SHA256
4351f6b332a81cb69b235797066c5e87e87c69076e26ab8a091c535a874f5d5d

SHA512
6e4cf0ebda7bbd3b7e2940cabb256ff4c3f61e7b27be5dc25e301c794270a50ca3c46ca62424264b74af26de9c87745e6ad402a90ba66b3bd8014455c8b7f114

Download Submit
C:\Windows\SysWOW64\Sys\TND.007

Filesize
4KB

MD5
c15c61ff83a6c6397def01e9a0e26ee6

SHA1
7f0b41b508b40c560e1516d0c036cf8b91e9c020

SHA256
4929ab294f6903e127deaf106a0025bd03b69c89bf7f2cc493135c958aa30381

SHA512
200960460b8496299c363381584ffc7ce1c79dcc9c507f9c92cca31f400321fdac3ae451de51018e1ed2f4be63ee97da72ac9f215c2adb341fb0f7285b4074af

Download Submit
\Users\Admin\AppData\Local\Temp\@9A1D.tmp

Filesize
4KB

MD5
660e00c09eda382f3638411d8a4046bd

SHA1
6ed7c1e97fc93b6e7f363db5223eebdafad1d5c8

SHA256
ff8fdecda6b7781eb4ce6144241279cedeeab2a24305df7dce86ba3d8c640bc2

SHA512
5d1e6004b1b4dc9efad09ee6b8fa53699408de18baef91e714b51bfdfe6c80771b0f1af9796b0f238f24c4c937612b72b5910e338577658cbaa04f115eca007c

Download Submit
\Users\Admin\AppData\Local\Temp\Trade Hack.exe

Filesize
244KB

MD5
2def991c2031c6381c081dde9fa57547

SHA1
dea93ff7594fe9e0d71a4ad24c7b45a8479b54d2

SHA256
f43d1d69c7c63bed0e64995c35ea8774474122ed25c026fc9d0729bc8b5e5a1e

SHA512
a7daba0c77d9f88ae80b0f911fe84d43cba4da215d1df134f6e40512b5492ec5d5c02891305f8a3a0c591dac3d4d56f0d41124dbb3c20e3aef992a35fc716ae3

Download Submit
\Windows\SysWOW64\Sys\TND.exe

Filesize
459KB

MD5
a6c12264242dba831b32523a07688d4a

SHA1
b398746aed573305c9125aed29a4a18d0caf8100

SHA256
867c7ad4eaef4f00e372b657cf7ef0d29f7aa7a6f593289eb0e78d56e39e33ef

SHA512
a59074799d914842b8b5f851cc43faaa5318e318ff5d1f0e9261d820ca991511ecf20d7f14ecad33b243b97dcdfd4a201e85d78e29baea2171d79ebdf2af5d26

Download Submit
memory/376-35-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/2096-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2096-25-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/2096-26-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download
memory/2096-40-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2792-39-0x00000000774EF000-0x00000000774F0000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing