ardamax | 98bf5793c46987e46bb2559ed565d0d96012f9cf16ae4961dc18d1fb65006a47

General

Target

4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe
Size

1.3MB
MD5

4dd63bb405a5e282dc0942018bf30a48
SHA1

842c1d0184f3df388fa8f3bf22d5e1a4d83ab28c
SHA256

98bf5793c46987e46bb2559ed565d0d96012f9cf16ae4961dc18d1fb65006a47
SHA512

64367d21bf5095bf9dc27a31885c8b65be5dfd047b65f96f3c74172a3e7b6e4db3647af94ebfcb6f3a4931215cb9a62fbf8b6be679d8333bfd81c5a21dc3b6c5
SSDEEP

24576:gHvZTmz2lf/T1XMT4vsItvbZFXwHHO4m2jcPupUw0sLuIfdd7paiHRIbl:oBTA2lho40IZXc3mTP6UwlLuIfd14ic

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234d1-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3672	HPA.exe
372	TibiaScript.exe

Loads dropped DLL 1 IoCs

pid	Process
3672	HPA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HPA Start = "C:\\Windows\\SysWOW64\\USJVTX\\HPA.exe"	HPA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\USJVTX\HPA.004	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\USJVTX\HPA.001	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\USJVTX\HPA.002	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\USJVTX\AKV.exe	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\USJVTX\HPA.exe	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\USJVTX\	HPA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3672	HPA.exe
Token: SeIncBasePriorityPrivilege	3672	HPA.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3672	HPA.exe
3672	HPA.exe
3672	HPA.exe
3672	HPA.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 3672	2852	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe	84
PID 2852 wrote to memory of 3672	2852	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe	84
PID 2852 wrote to memory of 3672	2852	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe	84
PID 2852 wrote to memory of 372	2852	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe	86
PID 2852 wrote to memory of 372	2852	4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4dd63bb405a5e282dc0942018bf30a48_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\USJVTX\HPA.exe
  "C:\Windows\system32\USJVTX\HPA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\TibiaScript.exe
  "C:\Users\Admin\AppData\Local\Temp\TibiaScript.exe"
  2⤵
  - Executes dropped EXE
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TibiaScript.exe

Filesize
168KB

MD5
31ac1292634301dcc7240afec2c36b45

SHA1
d9304e6bcf1b9a439a70e5401dd8fcee4c6fe515

SHA256
421e5c460caeddbeab8f4a6427bcf66045d2fc1d5a7251ae7e01a6630910de53

SHA512
8c72083b92590181e0ef344836e201d75fd345a02aacc0a1586690cb36167e100b6dafa91df0afe15f7bde47b3514a0dca1c52bf1c3ed221901a834147cb5faf

Download Submit
C:\Windows\SysWOW64\USJVTX\AKV.exe

Filesize
457KB

MD5
9b02932229a5ebad8d942bbfc6dd02eb

SHA1
8cfb364a303d4861d1129b8d3f19f6a605499a39

SHA256
1223da59a4cb9e56bb606cefe6fb5bbc7205b626ea33897343ccad706aed302e

SHA512
76f868249e04bbf68807c8f0345ad2239e0f3aeade0852849e0ed43a5ed05902360c131fbfb8ef490d11ed2f385ba310877665a899f4db87375a5283b260e2df

Download Submit
C:\Windows\SysWOW64\USJVTX\HPA.001

Filesize
61KB

MD5
49b7f1123fb05df5ffa72268e2065ff8

SHA1
1fba30ce46cbca32b933751045dd9760d1ebb0cf

SHA256
cada62c6811dfa92d90ed5b622fa29f95e855ebc9ea06413fbcc63945c74d103

SHA512
d600fc9412e1615d203144ffe864bcbd1e92eb42cdc107dbdc9c2555a02f6530ff6423248ce6e76856abdbf2011af658cb8409e39894d0991c7b8eaf78e3c5f4

Download Submit
C:\Windows\SysWOW64\USJVTX\HPA.002

Filesize
43KB

MD5
806d1ce95a8a9baeae3fee7490fb2150

SHA1
9c19a9f3e91a31fb17b33466dcd788feba1d20c0

SHA256
e998a8fa03e719fc56088fe17d355afa5109084f2607f8b3e502bb4391273a76

SHA512
0a7fdf97cfd067e235638df9d6fa397b67ef1467b26adef566f1ce6c2203a58e92222f7d9327d84cf368994dc7933a8daaf0a218b24fe7e2d622372fc63b690a

Download Submit
C:\Windows\SysWOW64\USJVTX\HPA.004

Filesize
1KB

MD5
5d11fe9dfd36bbc7ac058da428bd5643

SHA1
8793663fdb352f82b57f74555989bc0e2bde1be0

SHA256
31d183f294bc2f8fe53ccc81cd60a33b654ddc91bd728d52ce62f7a6670bee12

SHA512
7518a64bc5fc158e6b79877a86002e39d809427b250dae0fb33c3f08243f1bef60b95cb49092747be34aaca29db6228c14f480fea6b191e18874c4bd2590a31e

Download Submit
C:\Windows\SysWOW64\USJVTX\HPA.exe

Filesize
1.5MB

MD5
7b59f5ae2140ed3b885a64a6f88e2913

SHA1
0e17f6a11c5b3c4c96a3c832181c7b209f872439

SHA256
7f560cd87731d1f70a0cf193756994ff69f039e737a4c017f63603b0ba2efbe5

SHA512
56f42802a149425d07a898879de6c808872e9bd3f29bd8feab7188bf43693cfc7fe03cab83d613a0b6142d95df79cc871e75709f57a46ab0bec3b0c742f45c40

Download Submit
memory/372-29-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

Filesize
2.0MB

Download
memory/372-28-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

Filesize
2.0MB

Download
memory/372-30-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

Filesize
2.0MB

Download
memory/372-32-0x000000001B860000-0x000000001B906000-memory.dmp

Filesize
664KB

Download
memory/372-33-0x000000001BF10000-0x000000001C3DE000-memory.dmp

Filesize
4.8MB

Download
memory/372-34-0x000000001C480000-0x000000001C51C000-memory.dmp

Filesize
624KB

Download
memory/372-35-0x000000001B940000-0x000000001B948000-memory.dmp

Filesize
32KB

Download
memory/372-36-0x000000001C5B0000-0x000000001C5FC000-memory.dmp

Filesize
304KB

Download
memory/372-37-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

Filesize
2.0MB

Download
memory/372-39-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

Filesize
2.0MB

Download
memory/3672-27-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

Filesize
2.0MB

Download
memory/3672-38-0x00007FF90B4B0000-0x00007FF90B6A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads