ardamax | a806e04e9c914ac1e9c4bd83bc36745c4115305bb0d1b41fe4ae0cb8471adf5d

General

Target

JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
Size

505KB
MD5

c3e31efcf09e50605dd5857ab57e83f5
SHA1

8f4c02d474de71d40abe398dd40dd2499ace2102
SHA256

a806e04e9c914ac1e9c4bd83bc36745c4115305bb0d1b41fe4ae0cb8471adf5d
SHA512

acf00ead17365c525126aa0fefc4bb764e860a92c55a8647eb2424c6ac9d60b5ffdfa88a32d7f3b13c3326211d87abd91e7217fc0a0e146f0982adbda8efa4ba
SSDEEP

12288:c74k/bva28VWTp4uBoiY23J9PbZEl8q6Oduw5:R6bSo14Rif50Oq6KH

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d46-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2112	HXHB.exe

Loads dropped DLL 5 IoCs

pid	Process
2376	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
2376	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
2376	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
2112	HXHB.exe
2112	HXHB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HXHB Agent = "C:\\Windows\\SysWOW64\\YOF\\HXHB.exe"	HXHB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YOF\HXHB.001	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
File created	C:\Windows\SysWOW64\YOF\HXHB.006	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
File created	C:\Windows\SysWOW64\YOF\HXHB.007	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
File created	C:\Windows\SysWOW64\YOF\HXHB.exe	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
File created	C:\Windows\SysWOW64\YOF\AKV.exe	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
File opened for modification	C:\Windows\SysWOW64\YOF	HXHB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HXHB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2112	HXHB.exe
Token: SeIncBasePriorityPrivilege	2112	HXHB.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2112	HXHB.exe
2112	HXHB.exe
2112	HXHB.exe
2112	HXHB.exe
2112	HXHB.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2112	2376	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe	30
PID 2376 wrote to memory of 2112	2376	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe	30
PID 2376 wrote to memory of 2112	2376	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe	30
PID 2376 wrote to memory of 2112	2376	JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c3e31efcf09e50605dd5857ab57e83f5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\YOF\HXHB.exe
  "C:\Windows\system32\YOF\HXHB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\YOF\AKV.exe

Filesize
415KB

MD5
03f5f0a0cbc0bd03ae4c08d21987a6f4

SHA1
e483154ff545b89b98062aec57740a3f5475c2e4

SHA256
03e7e07be992103e2dc099eb322b4fe3662cc542a558ca997ad8a7c3393c9173

SHA512
f503bca21dd0a9a0bf8291a75a82be3d3eee41e93d7649cbd1875903a04531c97cacb8bdabcbeb20613d7464781751c9db081386a7725c04ab6a7f8b076b44f9

Download Submit
C:\Windows\SysWOW64\YOF\HXHB.001

Filesize
572B

MD5
bf75ad92fe50ebc602d28b2ad183ceb2

SHA1
95e42b68eb497676351854b4883a23372158b05f

SHA256
4d3f5d8d38a6669ea0936dbe263a6af15c6f86a2ae723007e4ddd9b2f2ad3811

SHA512
e5412b9b867a803335a5d6ccfcae21f7b665134cbd41490757a28d05b9acb41feb89846409df53aa5a89fbc685897f4e35b8d73b936bdd314b82a4725bd32a93

Download Submit
C:\Windows\SysWOW64\YOF\HXHB.006

Filesize
8KB

MD5
5b804d44d319d07ffce11f26a868cdbc

SHA1
b1d2f0a65268040b8e1fbd3aa84acc45521e2de1

SHA256
38707419a03079f3cddea1d5be541d0931432de06efed9d0490325f3b71bbdc7

SHA512
9614eb15db15cb360e4b088c1d6e02e68be7a8e2588f0099201b9129fbf9c595642113bf03b021156f7d50d6a8458ce3281f6173644b1cbab9f02a2ca652590c

Download Submit
C:\Windows\SysWOW64\YOF\HXHB.007

Filesize
5KB

MD5
cde2d5fe02a920ff3e6517b6802a3ef5

SHA1
9e432c61ef27028180292e707713e262b81bcff0

SHA256
75549ed23c3ed2ef76451b58d0e4ecf6d430f8522bebb622b31d0663712c04b0

SHA512
9bafe2cac45f706b2f3c84b26e701610786b296f7e39c8483bb1dfd2b22be560bf6ebddded3e4b154022ac2422582bc5485c61b9b1e188ff5810f25d47f3bb13

Download Submit
\Users\Admin\AppData\Local\Temp\@82B7.tmp

Filesize
4KB

MD5
7bc158f56b7fc671e1510ab25c9ff568

SHA1
e456ae134470811bdd88b4ead6a7cc65e377e5ca

SHA256
4dd29b39dc1216c03858369e17e98f3845d335f25c75f19e14f1208c413cda7c

SHA512
2d5693bdb8adcde7f2ed4f4f721ef76873f08dbcd2d858e4932335db80a06995bfb37c4afca72476a437fb0a92827c4fc73d7f99789ecc845c31a83a011156d9

Download Submit
\Windows\SysWOW64\YOF\HXHB.exe

Filesize
540KB

MD5
237ee27dfb8638589cbb8730bae98e98

SHA1
f862bcc281590f347a5b9659f99b5d54a3f3b7be

SHA256
c580f1437a5bfd8d6bb7ffb7ca6b0e560ec8453c4a6ce356b19429a09c0bd653

SHA512
0537519a30bc704a6029fe6cf1d9c9db2930db94efa13017c91c34d3e3eeb4431f87ee54a01cea4a7e5d6e9e65b547ad510aa60fca7fc6c0993b976c319f2441

Download Submit
memory/2112-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2112-27-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads