ardamax | ce128edffa617b6a7f3f2f026edf1006f513cce6bffed1d2dbb2822ed04a0146

General

Target

JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
Size

1.4MB
MD5

929d09ff18ff8d9c20ef83f909fa0da5
SHA1

cd975090ef80b4bbce53e6ef453da3d083ca87a3
SHA256

ce128edffa617b6a7f3f2f026edf1006f513cce6bffed1d2dbb2822ed04a0146
SHA512

4903ee2f32b329beca583df87dc96edf1b648d3b9d170f7d1dd983a040a2452e8bd0d3cea21183ade81830dc0a9d3582bc1d5473ff6ea3d1f3cbf01b66b4f594
SSDEEP

24576:Ckjc+wyNU7od/Z0shLxMypfybLVC9PzBRXPuiO7o6mTAyhIo490ZK5vY8NF8mAcq:CkjcQU7ah9tIg9zBR/SaDhIonkvpAcwD

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000186d9-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2716	SFKB.exe
2984	Revolution.exe

Loads dropped DLL 16 IoCs

pid	Process
1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
2716	SFKB.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
2716	SFKB.exe
1044	WerFault.exe
1044	WerFault.exe
2984	Revolution.exe
2984	Revolution.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SFKB Agent = "C:\\Windows\\SysWOW64\\Sys32\\SFKB.exe"	SFKB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\SFKB.006	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File created	C:\Windows\SysWOW64\Sys32\SFKB.007	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File created	C:\Windows\SysWOW64\Sys32\SFKB.exe	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	SFKB.exe
File created	C:\Windows\SysWOW64\Sys32\SFKB.001	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1044	2984	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SFKB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revolution.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	Revolution.exe
Token: 33	2716	SFKB.exe
Token: SeIncBasePriorityPrivilege	2716	SFKB.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2716	SFKB.exe
2716	SFKB.exe
2716	SFKB.exe
2716	SFKB.exe
2716	SFKB.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2716	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	30
PID 1656 wrote to memory of 2716	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	30
PID 1656 wrote to memory of 2716	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	30
PID 1656 wrote to memory of 2716	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	30
PID 1656 wrote to memory of 2984	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	31
PID 1656 wrote to memory of 2984	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	31
PID 1656 wrote to memory of 2984	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	31
PID 1656 wrote to memory of 2984	1656	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	31
PID 2984 wrote to memory of 1044	2984	Revolution.exe	32
PID 2984 wrote to memory of 1044	2984	Revolution.exe	32
PID 2984 wrote to memory of 1044	2984	Revolution.exe	32
PID 2984 wrote to memory of 1044	2984	Revolution.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\Sys32\SFKB.exe
  "C:\Windows\system32\Sys32\SFKB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\Revolution.exe
  "C:\Users\Admin\AppData\Local\Temp\Revolution.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 412
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
53a578b112aeb18c5993556d4440ade1

SHA1
e51f2fcc784def3cc5ff594edfee5e25f1e9818c

SHA256
9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156

SHA512
31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

Download Submit
C:\Windows\SysWOW64\Sys32\SFKB.001

Filesize
430B

MD5
92afb41d4a683f053bf3f3128cf52582

SHA1
a7ca614020770782af2b76ce4b02689fb3e4059a

SHA256
2b25c7f3a3406c6f6e9bd0a6364303bf98cafeaf8eca9dd2a487de8943aaea62

SHA512
95e5f8f7a8b31020e30ce716663f06216039fa49869a6ad149f13896be6913421954355bb9d9c015612294671e5ca462ae250964f48bcccb63cdc0448e28dcb3

Download Submit
C:\Windows\SysWOW64\Sys32\SFKB.006

Filesize
7KB

MD5
504f5a7e8447c65bc2218bb3d47c309b

SHA1
5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44

SHA256
81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f

SHA512
b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

Download Submit
C:\Windows\SysWOW64\Sys32\SFKB.007

Filesize
5KB

MD5
22e9e9b13c2c676bec39178311d55253

SHA1
da60379e518feeb798005065dcf626a74afe1848

SHA256
3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14

SHA512
1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

Download Submit
\Users\Admin\AppData\Local\Temp\@A5D1.tmp

Filesize
3KB

MD5
14c3321783fac66161b308d34c5b0eac

SHA1
021b4f77e27d6e0b032158936a752e27cdde09fa

SHA256
09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21

SHA512
9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

Download Submit
\Users\Admin\AppData\Local\Temp\Revolution.exe

Filesize
2.3MB

MD5
ed5e167bb7bf13ea0dd5a85cc05bb5b7

SHA1
f9460106df307d8b0558aa0c6cdc5b57acb36e62

SHA256
a2d8a23e08bfa3b4f3a19112313c7331f6053266d5f6fa69d2ab258a06be1168

SHA512
6bf2d006ed5192bb3980e7bd7c89074f2e74e180a09887cdb1c28b179c159381761797ebbe5d98bac03276633f2de41d739cf2f2499cae9d107dd2ffea59ace4

Download Submit
\Windows\SysWOW64\Sys32\SFKB.exe

Filesize
475KB

MD5
9c3ff825312190802dc56c7b0d0ccebd

SHA1
58e200c00382b3d13c81c9e829da065ed45f5928

SHA256
e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4

SHA512
513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

Download Submit
memory/2716-24-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2716-47-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2984-35-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-45-0x0000000077D2F000-0x0000000077D30000-memory.dmp

Filesize
4KB

Download
memory/2984-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-49-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2984-50-0x0000000077D2F000-0x0000000077D30000-memory.dmp

Filesize
4KB

Download
memory/2984-51-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads