ardamax | 6dc3e06732fd9fe6b6f1f094ca99a57f4dbe75554eea4d4bb4b1bf13e967cd7e

General

Target

JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
Size

648KB
MD5

21704f45d350146eceb6bc788bae4219
SHA1

3e15c2bc07e088190ec282843fbdc4fa333aedc4
SHA256

6dc3e06732fd9fe6b6f1f094ca99a57f4dbe75554eea4d4bb4b1bf13e967cd7e
SHA512

4acacba15464d16605e0f552b48b248dc3cb7d74e77c5b3efc0047323396d7e349f16992334aff7492568c0c445c8a8a2496ed801e80b0545b7b57c9ef972d44
SSDEEP

12288:gFlERKFl9X8fSCLhGV9qaC+sHYZEGIkWxDdarPTZ0pLNCFSIR8Cmqp0F:NRUX8fZAV9q6C6WxJaxZFSo8Go

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001686c-11.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1300	system32OBBC.exe
2304	GTA-SA.CarSpawn-Trainer v1.1.exe

Loads dropped DLL 3 IoCs

pid	Process
1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32OBBC Agent = "C:\\Windows\\system32OBBC.exe"	system32OBBC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32OBBC.001	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
File created	C:\Windows\system32OBBC.006	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
File created	C:\Windows\system32OBBC.007	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
File created	C:\Windows\system32OBBC.exe	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
File created	C:\Windows\system32AKV.exe	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GTA-SA.CarSpawn-Trainer v1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32OBBC.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1300	system32OBBC.exe
Token: SeIncBasePriorityPrivilege	1300	system32OBBC.exe
Token: SeIncBasePriorityPrivilege	1300	system32OBBC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2304	GTA-SA.CarSpawn-Trainer v1.1.exe
1300	system32OBBC.exe
1300	system32OBBC.exe
1300	system32OBBC.exe
1300	system32OBBC.exe
1300	system32OBBC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1300	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	28
PID 1744 wrote to memory of 1300	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	28
PID 1744 wrote to memory of 1300	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	28
PID 1744 wrote to memory of 1300	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	28
PID 1744 wrote to memory of 2304	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	29
PID 1744 wrote to memory of 2304	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	29
PID 1744 wrote to memory of 2304	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	29
PID 1744 wrote to memory of 2304	1744	JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe	29
PID 1300 wrote to memory of 1852	1300	system32OBBC.exe	32
PID 1300 wrote to memory of 1852	1300	system32OBBC.exe	32
PID 1300 wrote to memory of 1852	1300	system32OBBC.exe	32
PID 1300 wrote to memory of 1852	1300	system32OBBC.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21704f45d350146eceb6bc788bae4219.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32OBBC.exe
  "C:\Windows\system32OBBC.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SYSTEM~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852
- C:\Users\Admin\AppData\Local\Temp\GTA-SA.CarSpawn-Trainer v1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\GTA-SA.CarSpawn-Trainer v1.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32OBBC.001

Filesize
476B

MD5
4ae8801a83d71f23ebeb8fd17dc3f9de

SHA1
895797efc2bb19af46e3d16cf7ead83c19f502cc

SHA256
d11e284dd0dc5566aeaaa5740707cba53cc9064a5cce87153d205b4205acc5d7

SHA512
49ef2bfff8131745bc2755ebab402d6755bdcf8c568de267276e2a0d0556e9c7863cbcc289a063c951d75576835d131d9f0ef2874878f312e475571d128e3b41

Download Submit
C:\Windows\system32OBBC.006

Filesize
7KB

MD5
840a1ae793d07aed4585781697178bc1

SHA1
5d42f9763e32c1dced9cdd14144926c43044d6ad

SHA256
af73b0a6c98eec78e121cb1fed4ee4b5df052833242179cdeec04c75b6df2cfc

SHA512
078ddc10ebccd4c108e52555ae7aeb644aadfc006dbc2aa1aad319b6e9bd35b779fee9e3d063c22f48a7e082e1a01e1f70ab11f8c26827750b13a1c8cb636689

Download Submit
C:\Windows\system32OBBC.007

Filesize
5KB

MD5
530d177fa3d66ca092ecbdb4eb02a0d9

SHA1
868a3c3fa51df0fe5ffbba3aeeca20aa23da0fc4

SHA256
037e9a3e82e1a8902d8220c82650e52f549d6acc490ff30481a497130b7208f2

SHA512
44d84513aaab0eb5f2c0c9be64cc78beb8caf0ddf6039fe726d39834d19d4c1084cec1611b565529920d4edf4d432dba6e67a01d94a845b7fd083dd284545002

Download Submit
C:\Windows\system32OBBC.exe

Filesize
471KB

MD5
040be8249f1b7b90730867c398e40568

SHA1
d6908d242bed9d7d04dcf98c7e46571121f0b7f1

SHA256
84ce204e2d8ef6cc519fbabf8356999de06af6250ca4a170ecfb776952d855ca

SHA512
3c63436c6412f127a2ca64891af185678cde71846c52331ae4dda03b1313392ba3655699305d6ce05723d50aec0e4d227616536592bb5a23449e1eaddba94516

Download Submit
\Users\Admin\AppData\Local\Temp\@8759.tmp

Filesize
4KB

MD5
08c0e7cb9f56d7a8f6acfd2268ea7142

SHA1
e885ffa0db9b4dd38e547135eb5446cc89fe6865

SHA256
fe9304a2f41e446e3672a26b338cde680d34fd07b0c5a6866ef108366ed92eb9

SHA512
6325410c99d703b3181c4eb4d9cbcdf1d8e08cc57a8ef7c8334e5be02b2499997829a3d6fd708dd83541efd1712330c5163daffe68a09aa2863cc76d5cbdccf9

Download Submit
\Users\Admin\AppData\Local\Temp\GTA-SA.CarSpawn-Trainer v1.1.exe

Filesize
32KB

MD5
1625b832ffb722e2dc0275a1963fa165

SHA1
4a700ddf28f9a20918cea7b6eab146c5c888f17f

SHA256
0a87e1341cc66d79e2ebc98b491fc3c2ed79698b932cb081838225dca63b1eab

SHA512
92957137433fece1d4e29905120a6a14fd2ad06bcc5bb242f9669ccb8a464616fea047ff9664758815de595425371f79f88b5e824fc974cc9d0a0ed0b30787fe

Download Submit
memory/1300-34-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1300-33-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1300-28-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1300-35-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2304-32-0x00000000772AF000-0x00000000772B0000-memory.dmp

Filesize
4KB

Download
memory/2304-36-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2304-37-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2304-56-0x00000000772AF000-0x00000000772B0000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads