ardamax | ac52018b88643cdcf2e7f0bd07c3e4043454a6b5b665f7ab4144281dc2dd27d5

General

Target

JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe
Size

140KB
MD5

a3e4d2bb2ba32428384839bb95328cb7
SHA1

d35db8eeae2da93ecc21ca0c63e5c1ee1336c51d
SHA256

ac52018b88643cdcf2e7f0bd07c3e4043454a6b5b665f7ab4144281dc2dd27d5
SHA512

72f32cd1939c7f259434d4a4e0f658babc4c097633281ec6e110e3560d51097b8f72b65c440673cbe3509dd1269e0facaeb45f868e0b1da33f95c51371a0b861
SSDEEP

3072:67uG39Vk4ML6h2F9CbcajLhVRNWgxqqgvepvCE5p+7m:zG3Hxhw0NhVRNWgxJgvGCE506

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cd7-11.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2476	AKL.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AKL.001	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe
File created	C:\Windows\kh.dll	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe
File created	C:\Windows\il.dll	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe
File created	C:\Windows\AKL.exe	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AKL.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2476	AKL.exe
2476	AKL.exe
2476	AKL.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2476	2064	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe	30
PID 2064 wrote to memory of 2476	2064	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe	30
PID 2064 wrote to memory of 2476	2064	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe	30
PID 2064 wrote to memory of 2476	2064	JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3e4d2bb2ba32428384839bb95328cb7.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\AKL.exe
  "C:\Windows\AKL.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AKL.001

Filesize
1KB

MD5
1de4e23cf8e0c17b68cfc6abfe978da1

SHA1
69422659a403b8c95aba14342cf92e278305007d

SHA256
5f90882d1c69d4e3af1669b924b29998be4f09e001610ca997dfbc48568aba98

SHA512
f81abe603f3060add27287cd7ad0e340e009892eb4b186481689275ee2d650435a096aa1e7d718296c0f55bceb667fe571cba440609bf78a66b775b6b265bac2

Download Submit
C:\Windows\AKL.exe

Filesize
268KB

MD5
2dd44c135c6917583c3a04998da08443

SHA1
471143f45afaad9f8f4413e7490783a96364f9a5

SHA256
ae2b2c267c4d5a5b73cddda8a65395c1db179bf6b7eefb7a3e51d2df2c6d947e

SHA512
4ff49d290ca0a0b300b88b9d7d0568343ccca80990348c14806c2c44fc73a36e2080a5c6adf0de6cf3fae420b74549804fd86f7a79892ff6642cd3b5e9f62e20

Download Submit
C:\Windows\il.dll

Filesize
6KB

MD5
d3be4406776845e91e661f8c0c5db9ef

SHA1
c69c92054a010372db0c5ba02e80645a8afb186b

SHA256
811008786b6dca68e508829167f6fb3aaa80e8ce3f8e100aa326d829b4c64bd7

SHA512
044bb64633d7437e05f0d6caddba94755e48180c846ee2f5f80cd7a9dcd4afcc5842a2b43d01b483621941766f4f4bd7f9305855fa90052cc7d1f0672f896951

Download Submit
C:\Windows\kh.dll

Filesize
4KB

MD5
9b3dcfb9ca7f01932d1bd32e3fab94c2

SHA1
fd85f7e9fc7c5fecb64ab2e28ad94068e334fbe6

SHA256
874520a6964f859b657edab5e2f9bec7267f4be7f638033ba61bdbc870688c7c

SHA512
e63b04404704503856c4efc5738a75d0a05ea366b2c74af175a73fae5282458d8ec475cc15a18b3fe7b77437cd3d0f5a3ae2897f9e3ad763477ec5237c82872c

Download Submit
\Users\Admin\AppData\Local\Temp\@B664.tmp

Filesize
4KB

MD5
47c8159c7c5f9f299c3aeb5995b69314

SHA1
df4e3e2d881fdc378094438f359da2686428f84f

SHA256
de08d6a12b245d0b6d811762526018b108ae0c92ce7a48a927a0d33783a225c5

SHA512
b12d2e8ccb96be66983dd757beba0d5377441eca1b3370beb217339432991190cc4929f4c53e37a9b239ee6b974ccb92d71dc18896606a66d32f14b12e96e266

Download Submit
memory/2476-18-0x0000000076241000-0x0000000076242000-memory.dmp

Filesize
4KB

Download
memory/2476-19-0x0000000076240000-0x000000007626A000-memory.dmp

Filesize
168KB

Download
memory/2476-21-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2476-20-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing