ardamax | 5539d7c79aeb186125e5ea0b0be0d0a2b22d10db19bc83b2438faaff24c8e1d7

General

Target

JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
Size

1.1MB
MD5

bc8aa639cb791cde737b522d799bef07
SHA1

b84951897061b480b8cb201507abbe039c2b42bf
SHA256

5539d7c79aeb186125e5ea0b0be0d0a2b22d10db19bc83b2438faaff24c8e1d7
SHA512

3e2cd017c54083b2d576f0125841dd3ec640d7feb1020af9413f8f6802a8eb43e3c96e709d1727a5c39fca422f9e43c9448bc8c6965c1d84538c6ae61b4bf67a
SSDEEP

24576:MNFh9lEwXFenly32AHHlY6P1tA+AZh6LGGLM52bWal:CP9lEwXIlrAHFY6PD9AZCJLMcbB

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b0d4-17.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
4028	RAB.exe
2560	RAB.exe

Loads dropped DLL 2 IoCs

pid	Process
4028	RAB.exe
2560	RAB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RAB Start = "C:\\Windows\\SysWOW64\\BVCIGO\\RAB.exe"	RAB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BVCIGO\RAB.002	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
File created	C:\Windows\SysWOW64\BVCIGO\AKV.exe	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
File created	C:\Windows\SysWOW64\BVCIGO\RAB.exe	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
File opened for modification	C:\Windows\SysWOW64\BVCIGO\	RAB.exe
File created	C:\Windows\SysWOW64\BVCIGO\RAB.004	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
File created	C:\Windows\SysWOW64\BVCIGO\RAB.001	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5756 set thread context of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RAB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RAB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4028	RAB.exe
Token: SeIncBasePriorityPrivilege	4028	RAB.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
4028	RAB.exe
4028	RAB.exe
4028	RAB.exe
4028	RAB.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5756 wrote to memory of 5544	5756	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	78
PID 5544 wrote to memory of 4028	5544	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	79
PID 5544 wrote to memory of 4028	5544	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	79
PID 5544 wrote to memory of 4028	5544	JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe	79
PID 5344 wrote to memory of 2560	5344	cmd.exe	82
PID 5344 wrote to memory of 2560	5344	cmd.exe	82
PID 5344 wrote to memory of 2560	5344	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5756
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc8aa639cb791cde737b522d799bef07.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5544
- - C:\Windows\SysWOW64\BVCIGO\RAB.exe
    "C:\Windows\system32\BVCIGO\RAB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\BVCIGO\RAB.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5344
- C:\Windows\SysWOW64\BVCIGO\RAB.exe
  C:\Windows\SysWOW64\BVCIGO\RAB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BVCIGO\AKV.exe

Filesize
463KB

MD5
eb916da4abe4ff314662089013c8f832

SHA1
1e7e611cc6922a2851bcf135806ab51cdb499efa

SHA256
96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

SHA512
d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

Download Submit
C:\Windows\SysWOW64\BVCIGO\RAB.001

Filesize
61KB

MD5
425ff37c76030ca0eb60321eedd4afdd

SHA1
7dde5e9ce5c4057d3db149f323fa43ed29d90e09

SHA256
70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

SHA512
ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

Download Submit
C:\Windows\SysWOW64\BVCIGO\RAB.002

Filesize
43KB

MD5
12fb4f589942682a478b7c7881dfcba2

SHA1
a3d490c6cda965708a1ff6a0dc4e88037e0d6336

SHA256
4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

SHA512
dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

Download Submit
C:\Windows\SysWOW64\BVCIGO\RAB.004

Filesize
1KB

MD5
63ddc004274f1bacf90dd63142efb9c3

SHA1
50fae9a059708dd5398338f488141e8b4a54361f

SHA256
074117cfcf6c6f1e7b94e3a07886fd326d1b876ef1efcd91d3c4583d2fdacd55

SHA512
0e8fe42ecdc17fb411b0df6fe011935271c7479bf9e369f21329129baf38f9687f51f145902534fb6196b61d343f7e373571212774b21807a6c8222e13b6a267

Download Submit
C:\Windows\SysWOW64\BVCIGO\RAB.exe

Filesize
1.5MB

MD5
f8530f0dfe90c7c1e20239b0a7643041

SHA1
3e0208ab84b8444a69c8d62ad0b81c4186395802

SHA256
734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

SHA512
5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

Download Submit
memory/4028-27-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4028-31-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/5544-4-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/5544-3-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/5544-20-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/5544-2-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/5544-8-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/5544-6-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/5544-5-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads