ardamax | ecc2fc1422d8b07d4331ed65fda2738b1db78ec057b95a46bf163c6ed5487b10

General

Target

JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe
Size

503KB
MD5

c1625ab3e986ecc00f57cd485076500d
SHA1

74031342d823a0e6a6bd4f1edfe459da06ce9222
SHA256

ecc2fc1422d8b07d4331ed65fda2738b1db78ec057b95a46bf163c6ed5487b10
SHA512

b04477c6456dcf5f8761c63ca4c83e4eb2e38e075170a152ba4b409f42dd22c1ae3c8ebfbd5fa36003b0f11be7c9afccbd4995e65c7d8c2065360be57c60f2cb
SSDEEP

12288:5M23kuH2NJk+wXp29P1uLVf6xIFDQiOdRJmpWko7V+S2SUoZWxt:e2USjzXokLVfUyDjynmp5oX2Sq

Score

10^/10

ardamax defense_evasion discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b1ff-12.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
5704	system32GWNX.exe

Loads dropped DLL 1 IoCs

pid	Process
1388	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32GWNX.001	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe
File created	C:\Windows\system32GWNX.006	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe
File created	C:\Windows\system32GWNX.007	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe
File created	C:\Windows\system32GWNX.exe	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe
File created	C:\Windows\system32AKV.exe	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4576	5704	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32GWNX.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 5704	1388	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe	79
PID 1388 wrote to memory of 5704	1388	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe	79
PID 1388 wrote to memory of 5704	1388	JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe	79

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1625ab3e986ecc00f57cd485076500d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\system32GWNX.exe
  "C:\Windows\system32GWNX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 1128
    3⤵
    - Program crash
    PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SYSTEM~1.EXE > nul
    3⤵
    PID:5012
- C:\Users\Admin\AppData\Local\Temp\DragonBot Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\DragonBot Loader.exe"
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32GWNX.exe
1⤵
PID:3484
- C:\Windows\system32GWNX.exe
  C:\Windows\system32GWNX.exe
  2⤵
  PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5704 -ip 5704
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@6B5C.tmp

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DragonBot Loader.exe

Filesize
23KB

MD5
f9c260f189773cc1617bc86799015f21

SHA1
a178adb63e1c85404f370b54e10fe7798fbc112b

SHA256
d747f0d6ccc36dc57645cf56e4ada836e6911763d7ac09d2ee50e724647c637d

SHA512
72e3cd6cb747b5aaee66fea2f75432e585310fc7b88808dd29e01a123f690a8f587e6fe3a9d08ac8ed5f42498f0e01e0ac55fdd68875930f66d66e82a5e24aad

Download Submit
C:\Windows\system32GWNX.001

Filesize
526B

MD5
36953dcd60c9ccfa89ef555a563b8ad1

SHA1
70924bb09cf1298bc3ba8fa469a534e1236fe7da

SHA256
3fd9e5c56f89b3c91d69360a3dde8fc039143404817857c657adb3acc7f0151a

SHA512
32d10ead113d759c441933c25993c3c3e29fbd3ef50a347eed426083fda948863820a548c7a0fe9b046e2f57a4af3b1409e8de86c9336714b8622ef23e60863d

Download Submit
C:\Windows\system32GWNX.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\Windows\system32GWNX.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
C:\Windows\system32GWNX.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
memory/5704-29-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/5704-43-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing