ardamax | 3c34df0ad2aac499f2c4923e846425d796f303641fc7505565143f68d01baafa

General

Target

262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
Size

1.1MB
MD5

262bb4c09de2d7af25762e10e5af4062
SHA1

f1d6ae11f82a2be713fffdc3710b19e9a3841ac4
SHA256

3c34df0ad2aac499f2c4923e846425d796f303641fc7505565143f68d01baafa
SHA512

aa83cc5c721cedaa9cf8cc501c0b48cd066c6b0b6d8362243e1c70f9a7ba311ba7c95acc891979011301c873a3e1e49f02e19f44239bbef16f6c13662195999f
SSDEEP

24576:Mk/ATOhlAqik61EA06qEb7wE833jFYglD6LJwBZceKVdE3Pjxlq:VoTOnLik61EaL8zlDAGBZcHa37L

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233bb-8.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	LPN.exe

Executes dropped EXE 1 IoCs

pid	Process
2336	LPN.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	LPN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LPN Start = "C:\\Windows\\SysWOW64\\LIOCCR\\LPN.exe"	LPN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LIOCCR\LPN.004	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LIOCCR\LPN.001	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LIOCCR\LPN.002	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LIOCCR\AKV.exe	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LIOCCR\LPN.exe	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LIOCCR\	LPN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	LPN.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2336	LPN.exe
Token: SeIncBasePriorityPrivilege	2336	LPN.exe
Token: SeIncBasePriorityPrivilege	2336	LPN.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2336	LPN.exe
2336	LPN.exe
2336	LPN.exe
2336	LPN.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2336	1556	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe	83
PID 1556 wrote to memory of 2336	1556	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe	83
PID 1556 wrote to memory of 2336	1556	262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe	83
PID 2336 wrote to memory of 1184	2336	LPN.exe	91
PID 2336 wrote to memory of 1184	2336	LPN.exe	91
PID 2336 wrote to memory of 1184	2336	LPN.exe	91

C:\Users\Admin\AppData\Local\Temp\262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\262bb4c09de2d7af25762e10e5af4062_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\LIOCCR\LPN.exe
  "C:\Windows\system32\LIOCCR\LPN.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\LIOCCR\LPN.exe > nul
    3⤵
    PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\LIOCCR\AKV.exe

Filesize
466KB

MD5
4c5711d8a02899113661bdff195d80d5

SHA1
263592abea6d60887defb4b1bcb47dbb383edfb6

SHA256
661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195

SHA512
4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

Download Submit
C:\Windows\SysWOW64\LIOCCR\LPN.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
C:\Windows\SysWOW64\LIOCCR\LPN.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\LIOCCR\LPN.004

Filesize
1KB

MD5
ffc8fe8ec245fc6e8fd5333b96f59339

SHA1
5c42da270f4773dbb102728d722e7727d55e4baa

SHA256
e559155763f2b28135e4fc06cdd0461b942171e06c5379b25a1eaffdfd53cf65

SHA512
7db66bb88f24feb6f452aeb5eb4448200947671916bae4f60c3068be29e27629fc1e1be3925eef627fd1b226e9b86c5e4da19856c68be6197a20c12717ec6ad0

Download Submit
C:\Windows\SysWOW64\LIOCCR\LPN.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
memory/2336-16-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2336-18-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads