ardamax | ece7aff3e49913615d02a71a21d5e52ca9ba7f1ed28c337fc18b26b6e13b6b6a

General

Target

JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe
Size

483KB
MD5

bec99e3918eeacfd5220b5256e4b5a27
SHA1

ab7ac68c8d92d3f7b87aeaa01b414a7a034de106
SHA256

ece7aff3e49913615d02a71a21d5e52ca9ba7f1ed28c337fc18b26b6e13b6b6a
SHA512

5d0d09024694c9f061575d11f1f4413c570d560353629da073e7452dd0e57ebca884638145b5bf9d8b35f0b8203635fd5b482e143980f597c138574a309544db
SSDEEP

12288:zRheq5unfBe/JVdkXdneXyqhTrU+6uuxYUPV56VR/0:2q4Je/riXdnY/hTcuu7UR0

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002b174-12.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
4280	KKDM.exe
3496	KKDM.exe

Loads dropped DLL 1 IoCs

pid	Process
5952	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KKDM Agent = "C:\\Windows\\SysWOW64\\Sys32\\KKDM.exe"	KKDM.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\KKDM.001	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe
File created	C:\Windows\SysWOW64\Sys32\KKDM.006	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe
File created	C:\Windows\SysWOW64\Sys32\KKDM.007	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe
File created	C:\Windows\SysWOW64\Sys32\KKDM.exe	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKDM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKDM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5952 wrote to memory of 4280	5952	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe	78
PID 5952 wrote to memory of 4280	5952	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe	78
PID 5952 wrote to memory of 4280	5952	JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe	78
PID 5696 wrote to memory of 3496	5696	cmd.exe	81
PID 5696 wrote to memory of 3496	5696	cmd.exe	81
PID 5696 wrote to memory of 3496	5696	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bec99e3918eeacfd5220b5256e4b5a27.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5952
- C:\Windows\SysWOW64\Sys32\KKDM.exe
  "C:\Windows\system32\Sys32\KKDM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Sys32\KKDM.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5696
- C:\Windows\SysWOW64\Sys32\KKDM.exe
  C:\Windows\SysWOW64\Sys32\KKDM.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3496

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@7D7D.tmp

Filesize
4KB

MD5
ce1db3d8d9e4b75ff749d38ca718a257

SHA1
5c7cc462e57f623c7d7a8c2a47467afc4927b4a4

SHA256
885d61204eff764496c6813967c4b4097cba7fcfb72e9571faabf1f4b5d473d9

SHA512
f6ee073336493f315b9644bf89526584a2aa9595626b51580faf1184e76f18718b696658288634737a9581d7ae27f36653243263ad35f0c9459001ba9892b160

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
d2a65f5bcd35a551de241ff7db55ee10

SHA1
4037d2c5d08dcf5e9dbad74b577cbab419335a99

SHA256
b6de4fd78f2f9ba6ab981d4edc5a820b8a23bd8a5fd7cf9188f18168d94154db

SHA512
492b078f31dd41b46a58fdc938d391e283e7a2f50a7a514497926ad2c68f426bda91459dcba5fddc07d18e2216c632d6561fa4deb28f1d570bd656d0c3b1c4b3

Download Submit
C:\Windows\SysWOW64\Sys32\KKDM.001

Filesize
464B

MD5
0a786587b193b514dd1258c1baae1f2e

SHA1
ca379c98fcb5b87d1dad46dec4a241d90c3f36a1

SHA256
9fcb65d77a746ac898c0f2e563523f529c418f2919fd5418bc70fd1d8edb60ee

SHA512
ffa570c4ca957a2fdbca3117879e4f538de2d4d1a2ca35d2a5f08b5924cadc201c746a620b420672a81c14ac8b6bfe5777e01204b5fcc287558364dd59195289

Download Submit
C:\Windows\SysWOW64\Sys32\KKDM.006

Filesize
7KB

MD5
f88c78041afe02325aaed6f171ef23cf

SHA1
7a502ed670e5148a3d43d90e6b225926e3455f0c

SHA256
f80f5ec2826fbcb1b7a0b40b77e520d00ce25be52fae068b947868bbe93a406e

SHA512
1370e3cdfaedfbaa4c9d4e58520e6242316a629b671fae0664944cbe40ca6ef22230e2ec5b06698f6f1a1464ce4a57881655b5358d987f578caf766ac7e8e75e

Download Submit
C:\Windows\SysWOW64\Sys32\KKDM.007

Filesize
5KB

MD5
7073fbcfe75154326946919c8f86ebc2

SHA1
ba81cf37f06826ad6617e97b5a47538251024b4c

SHA256
89e3eb1103d75072346d3b454cde5efa92d7bb6f89f2d972b18fe0becf6db4e2

SHA512
7e9fcfd14460eebd02093f560d3fca6a198fc0b5592c3905be2efadd9bfafa24277a5155a54e4eaecfdf5829068e41969b0b97f70f5969fd1efafccfa870ae7b

Download Submit
C:\Windows\SysWOW64\Sys32\KKDM.exe

Filesize
476KB

MD5
93285f6ebc9657feb0724435db46e246

SHA1
f7762091e7cc91e6007f273284a59f74c36ff104

SHA256
2d44177550adda3ae9d69e7f5bb51557a7d5b1c23902d84e5a2ce9c1fe079d15

SHA512
0992893a78a4a66eea62057207717f91154ea16ae140bc62878968703496106a953c55a35b6ece0d081d521ece62fa9607d56fcab28d33ffdea0e80f0aa76c8d

Download Submit
memory/4280-23-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads