ardamax | 5501975ee1c7308f0c59a054f5ea72c8198c157986b1593d7d7de353e2353ad2

General

Target

JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
Size

479KB
MD5

c31ae57b8a58bcaa1c127a8e5d957b61
SHA1

c712874880f27148d12d86d57474a482590aad5d
SHA256

5501975ee1c7308f0c59a054f5ea72c8198c157986b1593d7d7de353e2353ad2
SHA512

325dc62b98b96cbc160c9a835f3ddb6fa3d2f721bdd3a2bf2d37b518440f73062bd8576f7151e2bbfde738620e38cee0ea6a9d45e2e6c08134c0232113b19c10
SSDEEP

12288:/hDgTMmUu2ePd5D4LO06stZbmIOQ94s37ETmPzZHD:KT6en6PqXsLWmbJ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x001900000002b2eb-12.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
5048	system32SOLS.exe
1588	system32SOLS.exe

Loads dropped DLL 10 IoCs

pid	Process
5660	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
5048	system32SOLS.exe
6096	NOTEPAD.EXE
5048	system32SOLS.exe
5048	system32SOLS.exe
6096	NOTEPAD.EXE
6096	NOTEPAD.EXE
1588	system32SOLS.exe
1588	system32SOLS.exe
1588	system32SOLS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32SOLS Agent = "C:\\Windows\\system32SOLS.exe"	system32SOLS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32SOLS.001	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
File created	C:\Windows\system32SOLS.006	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
File created	C:\Windows\system32SOLS.007	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
File created	C:\Windows\system32SOLS.exe	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
File created	C:\Windows\system32AKV.exe	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32SOLS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32SOLS.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000_Classes\Local Settings	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6096	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5048	system32SOLS.exe
Token: SeIncBasePriorityPrivilege	5048	system32SOLS.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5048	system32SOLS.exe
5048	system32SOLS.exe
5048	system32SOLS.exe
5048	system32SOLS.exe
5048	system32SOLS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5660 wrote to memory of 5048	5660	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe	79
PID 5660 wrote to memory of 5048	5660	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe	79
PID 5660 wrote to memory of 5048	5660	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe	79
PID 5660 wrote to memory of 6096	5660	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe	82
PID 5660 wrote to memory of 6096	5660	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe	82
PID 5660 wrote to memory of 6096	5660	JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe	82
PID 4636 wrote to memory of 1588	4636	cmd.exe	83
PID 4636 wrote to memory of 1588	4636	cmd.exe	83
PID 4636 wrote to memory of 1588	4636	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c31ae57b8a58bcaa1c127a8e5d957b61.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5660
- C:\Windows\system32SOLS.exe
  "C:\Windows\system32SOLS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5048
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\v.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32SOLS.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\system32SOLS.exe
  C:\Windows\system32SOLS.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1588

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A19F.tmp

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt

Filesize
38B

MD5
2b9de7291f021f3d28a676b99ee59710

SHA1
9536a72be8b1e18112bff6564f01879173c5d03f

SHA256
b0483782a19193f2adc92f5d8fc0eaaeede98243a78f25f53cccdd8d0e94a2fb

SHA512
7d0b0ce25e933b6b8bb4c8bfb44635f7fcf0bcbf69431109be79a59bc5b97889b0aa3ec58019eb4063e327d1679702de7ab543b4dace4c3386b0ec29e6470dc3

Download Submit
C:\Windows\system32SOLS.001

Filesize
458B

MD5
6868867a2e1aacd264fc9c6991ae7f10

SHA1
28c4c8976d447b773922f17098d90d2621655f45

SHA256
8260bbfb06240a4d4114dffbf2fe2fd52c3d392451ace05508215be9c5125adb

SHA512
6bc3834ef1ef6df0903985545bcbf56e4e2591acf3f453415bc78a905288790eb7e0273f85f91fbe5b1bd2d418f7d74a8ddc951a24162ec6d5b4aa1e39da26d8

Download Submit
C:\Windows\system32SOLS.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\Windows\system32SOLS.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
C:\Windows\system32SOLS.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
memory/5048-20-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/5048-36-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads