ardamax | bd2f9149b4f60521071a3b9291435258d7585aee30b487dad53c05cd9ac74738

General

Target

JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
Size

624KB
MD5

bbc5fe6e503d26b383d1d8cf58b8c7eb
SHA1

d84cba222562337c6ec9f2cfe25a11a0f7af0863
SHA256

bd2f9149b4f60521071a3b9291435258d7585aee30b487dad53c05cd9ac74738
SHA512

809e8f3e8252895afe657f1abecfb31f88206ccc125b6066f7573eff633ea09a855fb2718b6c9eec56b9fb05cf7f0f4b3f426c7a2bd8d2d5c319cab370a2c8a3
SSDEEP

12288:1e4wCG9wNPyEUv5hdXKbcCbJ9I1q3nXPbpmCtgyG1XrE7UBSY1:84wCGpN5hkK1q3nXP1D/QggUY1

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014ba7-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2984	YNS.exe
2492	Mensagem da VOXCARDS.com.scr

Loads dropped DLL 9 IoCs

pid	Process
2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
2984	YNS.exe
2492	Mensagem da VOXCARDS.com.scr
2984	YNS.exe
2492	Mensagem da VOXCARDS.com.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YNS = "C:\\Windows\\SysWOW64\\YNS.exe"	YNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\hpztsb02.exe"	Mensagem da VOXCARDS.com.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YNS.001	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
File created	C:\Windows\SysWOW64\YNS.006	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
File created	C:\Windows\SysWOW64\YNS.007	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
File created	C:\Windows\SysWOW64\YNS.exe	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	YNS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YNS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mensagem da VOXCARDS.com.scr

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2984	YNS.exe
Token: SeIncBasePriorityPrivilege	2984	YNS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2984	YNS.exe
2984	YNS.exe
2984	YNS.exe
2984	YNS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2984	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	30
PID 2764 wrote to memory of 2984	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	30
PID 2764 wrote to memory of 2984	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	30
PID 2764 wrote to memory of 2984	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	30
PID 2764 wrote to memory of 2492	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	31
PID 2764 wrote to memory of 2492	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	31
PID 2764 wrote to memory of 2492	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	31
PID 2764 wrote to memory of 2492	2764	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\YNS.exe
  "C:\Windows\system32\YNS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\Mensagem da VOXCARDS.com.scr
  "C:\Users\Admin\AppData\Local\Temp\Mensagem da VOXCARDS.com.scr" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mensagem da VOXCARDS.com.scr

Filesize
453KB

MD5
87d7325247e44aa3fe7c2469402887b7

SHA1
600ab0443e062b607210c6b389b788b558d52362

SHA256
d4ca9400c58d9caa3c2102fe309af208173842e9ed7f48ba7cd8d499412daed6

SHA512
900f66cb69acbdcf181556dce59592b251afafee58059756deddcadb579126272cc1cb4cab3d2a01dc2475dc44d4a1a7e0abfd8e46e62158878a693641d83413

Download Submit
C:\Windows\SysWOW64\YNS.001

Filesize
2KB

MD5
9504da7fb1828c9d20da49fb95064252

SHA1
7975798348ab31e2eacfb4ec48fec5ffe7f7b808

SHA256
046194e9ce1371604443f54e37083f3fdf9b6793d418345d6ab428c2adf7f36e

SHA512
dbb2b214bd93060065fb68de209ee3086ead23dd3a43e60eddfd0887f7e29a33f4af066e36c59d0ed3ff41587ec4de4dbfa38f708149cd5d592135139f282c65

Download Submit
\Users\Admin\AppData\Local\Temp\@479B.tmp

Filesize
4KB

MD5
683f1f1e72a9fd91018e379b0f45c646

SHA1
e715798afee630bca17bd35e382626399e608788

SHA256
0770043fa8f879787c32f97e915295320738b28dc5c7a07a033df6d9ac5b4e50

SHA512
490a8fcc256fb97bdaf0ef7a243998338b3796db448874ed85613a087e16a9e1b0105af3deb57e18db253e550e5c8a0fd02dba1e52f4959937ffb6c587e3b8f5

Download Submit
\Windows\SysWOW64\YNS.006

Filesize
5KB

MD5
b8e130b146557e640cb3e198f3d9110e

SHA1
c1cbebfce4e3af8ced7d1019586e91c371432d78

SHA256
3dbca63a39382e4c25d0b02e668ba72c5c81071bb62937ec939325f1f89926a1

SHA512
bc858367e64188c3a365fff4c7986e86d6d666651b2421e3b96fe06836aede073f2228349f66f1836e6ef98bb8e5120354c54a0fb13059e5b875bbf34ed7868f

Download Submit
\Windows\SysWOW64\YNS.007

Filesize
4KB

MD5
097c525e86f64364479227f1603a0221

SHA1
c84897900f59cbff5f607368ceba93bfc5273998

SHA256
1b62745c0181f36b7c0227225da12c0d357fd6f14ff8a0ea8484fd4a9c6bf766

SHA512
b52b9d51c3bb50fab292c8bf13d2d87694391481742830c266f4512b2e33a16b852cdbf3faea7f5945b60415a12d1d6a0e9319500cb769b12e0a03357f66ef12

Download Submit
\Windows\SysWOW64\YNS.exe

Filesize
295KB

MD5
2b8def730c5bab9d9b58e117af9fb84a

SHA1
090c2c4f0309895bad639ba1c0af21d1eb70d987

SHA256
759f339edba9126cd77ee621e6852f281b9a3190bc4aa17711164bac5ece41a7

SHA512
809aa7300e4bef33489f4166fd5b8245a9b9523c9fd908a37b51a0384966f8f036ac09fbca3730bb04b98ff976c17380ddc4c2ed75dbda51350f049b3d0bf48a

Download Submit
memory/2492-41-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/2492-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-32-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/2492-40-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-39-0x0000000076EDF000-0x0000000076EE0000-memory.dmp

Filesize
4KB

Download
memory/2492-33-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/2492-42-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-44-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/2984-29-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2984-38-0x0000000076EDF000-0x0000000076EE0000-memory.dmp

Filesize
4KB

Download
memory/2984-43-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads