ardamax | 0fe1c48661ee65629b9c7a29fbd0abfc2e4d563663604030d1208fbaefa0c73d

General

Target

38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe
Size

5.6MB
MD5

38509a18fd24936fc020cb56c5969b94
SHA1

998a751d9e58e82a9ecd34cd435bb9c3963127de
SHA256

0fe1c48661ee65629b9c7a29fbd0abfc2e4d563663604030d1208fbaefa0c73d
SHA512

0e2f5fd1537753ea428e59fc5202855af94e23fa40169495d11b7a94829f7fdde244afc3fa45fd6346f32cff02f8edc54b523cf6e5edcdd8a9ade862ec6dceca
SSDEEP

98304:PS1D+uzu+F4BvexQTiGdQt0frlgQK0kaloOFuEybTis/1+EQMv+Pf:PS1D+uzu+KBvexQTiF2fr20NeEybTBNk

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023478-8.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	OEI.exe

Executes dropped EXE 3 IoCs

pid	Process
460	OEI.exe
4024	CheatEngine561.exe
3096	CheatEngine561.tmp

Loads dropped DLL 4 IoCs

pid	Process
460	OEI.exe
4024	CheatEngine561.exe
3096	CheatEngine561.tmp
3096	CheatEngine561.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OEI Start = "C:\\Windows\\SysWOW64\\ATTRSE\\OEI.exe"	OEI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ATTRSE\OEI.001	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ATTRSE\OEI.002	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ATTRSE\AKV.exe	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ATTRSE\OEI.exe	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ATTRSE\	OEI.exe
File created	C:\Windows\SysWOW64\ATTRSE\OEI.004	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	460	OEI.exe
Token: SeIncBasePriorityPrivilege	460	OEI.exe
Token: SeIncBasePriorityPrivilege	460	OEI.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
460	OEI.exe
460	OEI.exe
460	OEI.exe
460	OEI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 460	3996	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe	85
PID 3996 wrote to memory of 460	3996	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe	85
PID 3996 wrote to memory of 460	3996	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe	85
PID 3996 wrote to memory of 4024	3996	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe	87
PID 3996 wrote to memory of 4024	3996	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe	87
PID 3996 wrote to memory of 4024	3996	38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe	87
PID 4024 wrote to memory of 3096	4024	CheatEngine561.exe	88
PID 4024 wrote to memory of 3096	4024	CheatEngine561.exe	88
PID 4024 wrote to memory of 3096	4024	CheatEngine561.exe	88
PID 460 wrote to memory of 2312	460	OEI.exe	92
PID 460 wrote to memory of 2312	460	OEI.exe	92
PID 460 wrote to memory of 2312	460	OEI.exe	92

C:\Users\Admin\AppData\Local\Temp\38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38509a18fd24936fc020cb56c5969b94_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SysWOW64\ATTRSE\OEI.exe
  "C:\Windows\system32\ATTRSE\OEI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ATTRSE\OEI.exe > nul
    3⤵
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\CheatEngine561.exe
  "C:\Users\Admin\AppData\Local\Temp\CheatEngine561.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\is-0NTB0.tmp\CheatEngine561.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-0NTB0.tmp\CheatEngine561.tmp" /SL5="$502BC,4411123,54272,C:\Users\Admin\AppData\Local\Temp\CheatEngine561.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CheatEngine561.exe

Filesize
4.4MB

MD5
3b659e1ef1e544856a716433a17da61f

SHA1
92c332a025753f94e0339b82ebe0e54ad3cec7bd

SHA256
9e88e7ce1ac737d3b5dfa7b7d972b0d47468ae74843974414d64635ce3400936

SHA512
232cd2469c426dfb126392ed3830476b99a651ab59ad1c773d9ca4234b917cbb90744b648591b26b4b2a1b39d9a749aff6c947d94cb5bfa2ae8dcf5ab0ce8d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0NTB0.tmp\CheatEngine561.tmp

Filesize
683KB

MD5
ce4e0ff83ac2a3256fd5c220562294a1

SHA1
72429c43cc4ed0a184a9c7b208902005489ff49a

SHA256
130ec61d37b76fa26a4c7ebcf210467c5be3ae2ace7346546c65f093478bb06b

SHA512
b375a78ca9b8e30ba665d3934716e5d3ac5737d8cf05a562f59c8b142923e3a79f1c44b55e995bd43fd0a9056a122cbe332d33947f626fa2d5bfb9f2e1824e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0TMJ6.tmp\OCSetupHlp.dll

Filesize
438KB

MD5
602bb41454775c49b50e739746d2ded1

SHA1
def9a2045d8fc2e7d47e5f128adbc30422b4f3ca

SHA256
8fca7bd9a6836df00aa71b4e07a6b4032f7442a4c0b76ce4e5046c13e089932b

SHA512
4059516bf7608948dc29a959841176354911130ba0cc84a8b57ada78c7436dd54502c14f6b48bff33c679907467b4b5b20e451290b39c42c975b5513b7dcaba6

Download Submit
C:\Windows\SysWOW64\ATTRSE\AKV.exe

Filesize
456KB

MD5
48cfaed4d566c34716326302b49bdad2

SHA1
566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

SHA256
54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

SHA512
96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

Download Submit
C:\Windows\SysWOW64\ATTRSE\OEI.001

Filesize
60KB

MD5
a15c556f17d7db8287e023138942d5db

SHA1
880bf8ec944120830dc2e2e040e5996e4e0e6c83

SHA256
f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

SHA512
930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Download Submit
C:\Windows\SysWOW64\ATTRSE\OEI.002

Filesize
43KB

MD5
daabecdfba287a3333b60ae82211acd7

SHA1
e67b4c7bf0dd71ad47263a58bb60be4bce504b84

SHA256
12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

SHA512
937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Download Submit
C:\Windows\SysWOW64\ATTRSE\OEI.004

Filesize
1KB

MD5
ba469cef1ec860203c065c6c39860ef2

SHA1
f791fb76a1808c83c394890692b0ccbf1340116b

SHA256
6311b9500a38b44cc1f45ecc5ee170b8d7666231ea4f788072b2d9c75ce4f9b1

SHA512
f8e6eb7d5cc021be92d984b620f5d7e325cbff9fd819f845d40b9c1fff97a16b459b9196985c870e178430ac218a83027f1d72fc0aae94749c59ffc030d65a6e

Download Submit
C:\Windows\SysWOW64\ATTRSE\OEI.exe

Filesize
1.7MB

MD5
f3819a6cab8ae058254c4abb3844d87e

SHA1
0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

SHA256
3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

SHA512
dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

Download Submit
memory/460-30-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/460-53-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/460-62-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/3096-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3096-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4024-25-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4024-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads