ardamax | 22816c05f7641b764cbaca69a21602bcbd0e6ad8b57b2f3bb59d771f3b4221ea

General

Target

JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
Size

502KB
MD5

bb47034dbb2f2b6b2ce63208ff3b6d91
SHA1

45b8f22b88e004a39621a1db3a323a4a18e0d3ac
SHA256

22816c05f7641b764cbaca69a21602bcbd0e6ad8b57b2f3bb59d771f3b4221ea
SHA512

80fe81737424e2fc0542ab12f4b2992b8242ba10925dff9bf74914211426557e8a4a298e70babd3425ca26af20dd60d383bcf8ddba97a6173a2395c44355a7f9
SSDEEP

12288:l6+RUTV5nolfFgD7V/QdvHmH+Qfoaur41TJDt3iCH/Vq4n9T:+TV5neFKhYdElfoauctjH/0mJ

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b0dd-12.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
5996	BKFE.exe
3636	BKFE.exe

Loads dropped DLL 11 IoCs

pid	Process
3728	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
5996	BKFE.exe
5996	BKFE.exe
5996	BKFE.exe
3312	NOTEPAD.EXE
3312	NOTEPAD.EXE
3312	NOTEPAD.EXE
3636	BKFE.exe
3636	BKFE.exe
3636	BKFE.exe
4972	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BKFE Agent = "C:\\Windows\\SysWOW64\\Sys\\BKFE.exe"	BKFE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\BKFE.exe	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
File opened for modification	C:\Windows\SysWOW64\Sys	BKFE.exe
File created	C:\Windows\SysWOW64\Sys\BKFE.001	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
File created	C:\Windows\SysWOW64\Sys\BKFE.006	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
File created	C:\Windows\SysWOW64\Sys\BKFE.007	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4972	5996	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKFE.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	5996	BKFE.exe
Token: SeIncBasePriorityPrivilege	5996	BKFE.exe
Token: SeIncBasePriorityPrivilege	5996	BKFE.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5996	BKFE.exe
5996	BKFE.exe
5996	BKFE.exe
5996	BKFE.exe
5996	BKFE.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 5996	3728	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe	78
PID 3728 wrote to memory of 5996	3728	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe	78
PID 3728 wrote to memory of 5996	3728	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe	78
PID 3728 wrote to memory of 3312	3728	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe	81
PID 3728 wrote to memory of 3312	3728	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe	81
PID 3728 wrote to memory of 3312	3728	JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe	81
PID 3444 wrote to memory of 3636	3444	cmd.exe	82
PID 3444 wrote to memory of 3636	3444	cmd.exe	82
PID 3444 wrote to memory of 3636	3444	cmd.exe	82
PID 5996 wrote to memory of 2724	5996	BKFE.exe	86
PID 5996 wrote to memory of 2724	5996	BKFE.exe	86
PID 5996 wrote to memory of 2724	5996	BKFE.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb47034dbb2f2b6b2ce63208ff3b6d91.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\Sys\BKFE.exe
  "C:\Windows\system32\Sys\BKFE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 1172
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys\BKFE.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\New Text Document.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Sys\BKFE.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\Sys\BKFE.exe
  C:\Windows\SysWOW64\Sys\BKFE.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5996 -ip 5996
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8DD8.tmp

Filesize
4KB

MD5
84739b32b36267ca4ad9458d3fe6aff6

SHA1
57b7394c461b15f600554f57796397f2c65d2886

SHA256
b82cb4c1d7766d8536cd19f3689ae7fd153df43ff5ac78244c1604d0fe96ba00

SHA512
3aa1b092ff14b029386a26fabf095055cd371b21e726bd6a7fc94c2c6145dea151f78faa52e8eee1392d1d840176837a4f1bdc4a327c688fb462917876a324c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Text Document.txt

Filesize
925B

MD5
590d7debb99ff21e17e8d3d0c2ced6f7

SHA1
7142ecb69c5d085231c0b07539d3fe2a40af0479

SHA256
910477690c0f3eee7ab87196b356c8b79c4eedd2c1c083edae03f438c39a7d4b

SHA512
b97bfcfe897787c50d93ea51593bd22851f194a9cbbf705935118c68c9d6f698b296d02338cbcff0c9d2c0700da7ea9708534ebddd3ae6a29a6038496a90017e

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
390KB

MD5
db485c0d252649c051970bf5c42167af

SHA1
e5ca18b8e3d033cf27ed3c02bf893bd007767d43

SHA256
a53287648d0a86577044a1ae0347a72c5e20b6a1087ba4e59b369209fa01498f

SHA512
afab398e80e242967c081dc16b52834270f548a8dc453e337d7e275ae78b104f0e82bb4968d570286a605e3c3bb0fccead70ef0abb8e33de3f6a648fe4d3120f

Download Submit
C:\Windows\SysWOW64\Sys\BKFE.001

Filesize
490B

MD5
e5f0b238a1dca2e6c6aac4678551a4e3

SHA1
3523f128c4ca5e4f04b9abd38b1b4cf3a73a62ef

SHA256
f003290bedb9996f55d795cad49bcb9cc2a6d605929af03fe3abedce7916a574

SHA512
74ed4c99a027778d48a9529202aad1576cd4e4e4b84a6cce6a6385e1b9b3e1a230c73f34144ab1dd72e7ed95fa953c1504aaa4a2225fa91ef9c5637375766ef8

Download Submit
C:\Windows\SysWOW64\Sys\BKFE.006

Filesize
7KB

MD5
dc31755a645defcff561e0c96a13f004

SHA1
19f46782befe3fd743b8b0134bb711fd7b30cb82

SHA256
674997f5cd56e9a013a97fcb4f5848f1aa20825e8f5989d5fb96bd4c32d21704

SHA512
8cd892647011826408d764f6bea0f57317ff5d216d9c31bf9e6ead3329c14653dd2e84e91997f1cded78eca0012936779ee6f22a66c8923ce11ebc5269e1ee4b

Download Submit
C:\Windows\SysWOW64\Sys\BKFE.007

Filesize
5KB

MD5
0766f2291c9f350a0d3d70c25d4d0c23

SHA1
67d07f1963833e31c3406eddaf63da125e3478f4

SHA256
d1f5c987db340dd00d620f546c7b89a1816d86d169a03bce9a3ff0f25207f8b5

SHA512
ebfeedae7b5fdbd2f0e3f70ce42ee3eba6c464a1f314546b329e6b483e688c39daef8b010c7cf6d8eebc06db7560c77198b38b3166bb4dab146b8b46eb87b161

Download Submit
C:\Windows\SysWOW64\Sys\BKFE.exe

Filesize
476KB

MD5
b751c3555cdff47c29334fa53a449a45

SHA1
ea8ae7c80619980f8271d44890ee5ac29febb3fc

SHA256
c8b941cc547d4c79826626619a86852d29a56a70f3369e8bdd419b62e2b167c4

SHA512
ab46e167e94cef76b3fbc3488ecdaa8cec8eff3b4d952cd69a225d2e237842d3f382342bc1226d0a777672361d1ff925582f58ecb8adbd836e4c2c1e3ccf441f

Download Submit
memory/5996-22-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/5996-37-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads