ardamax | af767d080a74637105d7c56a724c665f6a15c3d29fa9f4792ba6a8681c4e3398

General

Target

JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
Size

175KB
MD5

d53e78fe3cddbaaad3ecf367ef3b43eb
SHA1

905021038017709e4284f31f3800038cbd7e0f24
SHA256

af767d080a74637105d7c56a724c665f6a15c3d29fa9f4792ba6a8681c4e3398
SHA512

ddc2381a9a1f54a829705150603c15fc3377bc7aa41e71b3973186afe923416ed9dad296e0538776b016054d3a8a35e1c90c4df87aa7cb9ad0a5aee47e8812c8
SSDEEP

3072:OO6QmEGX0JFD4nQsh1r+EVFGYt6GXiv1ystW2ei+jw2NbCnt6kRWwg9tdRRvjjSS:RGXS4nQM+EjGIXZstyi0VCnbReJRJSBc

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019428-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2732	NSK.exe
2596	mircex.exe

Loads dropped DLL 8 IoCs

pid	Process
2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
2732	NSK.exe
2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
2732	NSK.exe
2596	mircex.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NSK.007	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
File created	C:\Windows\SysWOW64\NSK.exe	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
File created	C:\Windows\SysWOW64\NSK.001	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
File created	C:\Windows\SysWOW64\NSK.006	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Winamp\Plugins\ircex-readme.txt	mircex.exe
File created	C:\Program Files (x86)\Winamp\Plugins\gpl.txt	mircex.exe
File created	C:\Program Files (x86)\Winamp\Plugins\gen_ircex.dll	mircex.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NSK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mircex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2732	NSK.exe
Token: SeIncBasePriorityPrivilege	2732	NSK.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2732	NSK.exe
2732	NSK.exe
2732	NSK.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2732	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	30
PID 2936 wrote to memory of 2732	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	30
PID 2936 wrote to memory of 2732	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	30
PID 2936 wrote to memory of 2732	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	30
PID 2936 wrote to memory of 2596	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	31
PID 2936 wrote to memory of 2596	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	31
PID 2936 wrote to memory of 2596	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	31
PID 2936 wrote to memory of 2596	2936	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	31
PID 2596 wrote to memory of 2256	2596	mircex.exe	32
PID 2596 wrote to memory of 2256	2596	mircex.exe	32
PID 2596 wrote to memory of 2256	2596	mircex.exe	32
PID 2596 wrote to memory of 2256	2596	mircex.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\NSK.exe
  "C:\Windows\system32\NSK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\mircex.exe
  "C:\Users\Admin\AppData\Local\Temp\mircex.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\notepad.exe
    "C:\Windows\notepad.exe" C:\Program Files (x86)\Winamp\Plugins\\ircex-readme.txt
    3⤵
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Winamp\Plugins\ircex-readme.txt

Filesize
2KB

MD5
7c4e4ed4e787b53023ec2efa6be264e6

SHA1
7cf456e062eed320dafb545c6e85f391f7862649

SHA256
bbebffedc4187980721fabbf3b6b6b050998d87ef5035d1bc6a8ac086fc19243

SHA512
0027caa3271b6080448ec8204c2c3e37a62f0e106045f31644c8dc5be3ac6a13fec9b4c4eec1fb9408a5f7cdaf0f19240bf21ab4d69138ccb775279b933fa51a

Download Submit
C:\Windows\SysWOW64\NSK.001

Filesize
1KB

MD5
ee51e44a66b8b05c5fbf06984dc460f6

SHA1
41124b42a9c76f4e11b309379b5c1c0fb3ba02af

SHA256
b3bb8a3042579c6737f2cfac5f5507dc2d5b02c0f5e6044f097148f6733320a1

SHA512
60b43e0230b116064964d3c5a7b8606802ef4aa3ab3725f0504fb6fee08f72ff1bee199f8963f42ba49e664e856204e5e92f694db8192369a79202a555acb4fc

Download Submit
C:\Windows\SysWOW64\NSK.006

Filesize
4KB

MD5
0868167c8915fb3d87d4e5a775a57ffd

SHA1
5f223134e003382fd8c191a1f4ca94922f1d802e

SHA256
6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

SHA512
d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

Download Submit
\Users\Admin\AppData\Local\Temp\@74F1.tmp

Filesize
4KB

MD5
ccfd350414f3804bbb32ddd7eb3f6153

SHA1
e91d270b8481d456a3beabf617ef3379a93f1137

SHA256
1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

SHA512
328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

Download Submit
\Users\Admin\AppData\Local\Temp\mircex.exe

Filesize
51KB

MD5
40d9bfda1019eee29733fb6e0ac88a1f

SHA1
c6f37298115f7d3bb780a0717c9383722db5f30e

SHA256
1debeaa110534a3330a4b6461e292578b631cac2ba3f3c79e8c8b6f990fbf68c

SHA512
fc599e53dddb68a65b7cabf8d84afb3669a3b0f43fa4bcb444847892e505ad6645121fd456249755593cd0672f73953afbe6dcdbd7983cba792001911e2eacb7

Download Submit
\Windows\SysWOW64\NSK.007

Filesize
6KB

MD5
5e023770dfb9d9068706facc958c7d66

SHA1
9cf95074a78239da000452362c2167991970e972

SHA256
f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

SHA512
a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

Download Submit
\Windows\SysWOW64\NSK.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit
memory/2596-36-0x00000000755D0000-0x00000000755FA000-memory.dmp

Filesize
168KB

Download
memory/2596-40-0x00000000755D0000-0x00000000755FA000-memory.dmp

Filesize
168KB

Download
memory/2732-34-0x00000000755D0000-0x00000000755FA000-memory.dmp

Filesize
168KB

Download
memory/2732-32-0x00000000755D1000-0x00000000755D2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing