ardamax | 46d490798d0aad8159e98304a96729cb4eb9c6d72acfdb6a32be84f91b4751cc

General

Target

JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
Size

177KB
MD5

bc6689be58722aed1bea0dbe39c31157
SHA1

b015f6486927a90e3bd7efa6b0dbb975cf2cbcdf
SHA256

46d490798d0aad8159e98304a96729cb4eb9c6d72acfdb6a32be84f91b4751cc
SHA512

e8c82bb2ad710703f352363e0b2c77dbd6b2bbd6494c5a5a24f6fe24e064ffa590c86b39ca2052539ef0c91abb2d7b82458f04e624b909dffb3a82edf808311e
SSDEEP

3072:uCNmpyGSrTe4wMjMMFPMex9b4UApEvOJ7DW7u7PkmkLpPdMF4depy:bmpyGyXwMAex9bpAUOJ7m8klP2F4Gy

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016c23-11.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2340	lssas.exe

Loads dropped DLL 5 IoCs

pid	Process
2736	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
2736	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
2736	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
2340	lssas.exe
2340	lssas.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lssas.001	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
File created	C:\Windows\SysWOW64\lssas.006	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
File created	C:\Windows\SysWOW64\lssas.007	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
File created	C:\Windows\SysWOW64\lssas.exe	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	lssas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lssas.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2340	lssas.exe
Token: SeIncBasePriorityPrivilege	2340	lssas.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2340	lssas.exe
2340	lssas.exe
2340	lssas.exe
2340	lssas.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2340	2736	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe	30
PID 2736 wrote to memory of 2340	2736	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe	30
PID 2736 wrote to memory of 2340	2736	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe	30
PID 2736 wrote to memory of 2340	2736	JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc6689be58722aed1bea0dbe39c31157.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\lssas.exe
  "C:\Windows\system32\lssas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lssas.001

Filesize
2KB

MD5
47d466a6d07f8646baef6a1e47c68214

SHA1
2d737d6ed90c35564d8a865b67cbc2b52aba39cc

SHA256
f78e9c462b42d7ef98afeb62dae10299f624048e0b9bba26158115bee3cadc6e

SHA512
c399cbca8ee616eb1c640ea3c21799e53327ec4423b2fb3d580a962daedcf6777618a0c18c6a0951c5100f4dd816354b74b77b30656abed55d1ba63c260c2b6a

Download Submit
C:\Windows\SysWOW64\lssas.006

Filesize
5KB

MD5
db98486706de28b2f52ef5b74feacb47

SHA1
c3298decb5d15adb02016a7c14f39fcf179e33db

SHA256
d74d932e2e6833928a42c8ffa69132758b832f8d3eafef727e3690b441d972cb

SHA512
1d722b668d35b12637c8c427aca422dba828f17b9eb297fef63c3f7d03a4ba2d164fee825dee450208e1fbe2ce830b62060cc8be1b1dd7c41551efcdeb53f1b3

Download Submit
\Users\Admin\AppData\Local\Temp\@7BA5.tmp

Filesize
4KB

MD5
e5fb7457989a4bce5e8b24219b516c6f

SHA1
580ba07dc5c71115cad40fcda27a03f6605464d2

SHA256
5c34a7520cace89cc3b6a1c800e36817462e92ee628c9c1dd2ee34cbd379859b

SHA512
3ddfda190aae244a6a84ae7468b5946db4464e30d48f3db0de67e9bf5c3dadbff05cfb539577083c51bf8efd2098a95bf430278f5430f66691bc785329a0eca2

Download Submit
\Windows\SysWOW64\lssas.007

Filesize
4KB

MD5
7204d2265d5122969600bef372f1d436

SHA1
1e341404855a878f00c7f54d867ae7f587f627b5

SHA256
aaa51161654a83fd74d25fc56d568eff773f78efc4223e2eaded0afc94f5dcec

SHA512
c74c0a4cbb044820094382941f4c967e1a12e22fcb81c77a5497e68f2ec42ba0f6696c78db2db73bab74a148a232ae7c61b6ccb47ded4182df0420d761279cc7

Download Submit
\Windows\SysWOW64\lssas.exe

Filesize
286KB

MD5
47d45da7bc718cef809ecec470987248

SHA1
9137c8c0e84516bc08daf6b7e08192c7b9e17959

SHA256
d47237c917f006acc443546e338c68bad94c5cfa54eaabaffde0ad2dfbcdaa4e

SHA512
c8f39999ea258021318821a3336125fe1e41993572ec8264885437c689d080b2c606fbeecb72f0c6702e562f9598820d0105fee539cde51d8cf1b17119f4ffe9

Download Submit
memory/2340-19-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2340-24-0x00000000777DF000-0x00000000777E0000-memory.dmp

Filesize
4KB

Download
memory/2340-25-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing