ardamax | 0b54f9dd8cef52f547a6d7a7b6ca4280ec62bc05ce9690b17ab7e71e99f9490a

General

Target

4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe
Size

4.7MB
MD5

4dc817425f7d45ae9ad07088cb94ade6
SHA1

5f4cd3542ad07666f26d1cc662abb568b13529c3
SHA256

0b54f9dd8cef52f547a6d7a7b6ca4280ec62bc05ce9690b17ab7e71e99f9490a
SHA512

e6e12f8f68b2717e343eefb666b969a7b2eaed64995aee22f8b57c2b83c35c4c6d8ee397b7ddd247f0b3e954b68c214f71d288bd1d4e3986961c17da6e390aec
SSDEEP

98304:MKWvmu52gNpHVwztOGO8ajuvbjbz48CIShL/Qaeefw4oiDct729P:cmuYaw5I8ajuvLprShL/QyZoxt0

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002343a-24.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	ASX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3940	Explorer.exe
1524	ASX.exe
2492	DragonAge2.exe

Loads dropped DLL 2 IoCs

pid	Process
1524	ASX.exe
3768	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3768-0-0x0000000000400000-0x00000000010AC000-memory.dmp	upx
behavioral2/memory/3768-37-0x0000000000400000-0x00000000010AC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ASX Start = "C:\\Windows\\SysWOW64\\PSDUNO\\ASX.exe"	ASX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PSDUNO\ASX.exe	Explorer.exe
File opened for modification	C:\Windows\SysWOW64\PSDUNO\	ASX.exe
File created	C:\Windows\SysWOW64\PSDUNO\ASX.004	Explorer.exe
File created	C:\Windows\SysWOW64\PSDUNO\ASX.001	Explorer.exe
File created	C:\Windows\SysWOW64\PSDUNO\ASX.002	Explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1524	ASX.exe
Token: SeIncBasePriorityPrivilege	1524	ASX.exe
Token: SeIncBasePriorityPrivilege	1524	ASX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1524	ASX.exe
1524	ASX.exe
1524	ASX.exe
1524	ASX.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3940	3768	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe	86
PID 3768 wrote to memory of 3940	3768	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe	86
PID 3768 wrote to memory of 3940	3768	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe	86
PID 3940 wrote to memory of 1524	3940	Explorer.exe	88
PID 3940 wrote to memory of 1524	3940	Explorer.exe	88
PID 3940 wrote to memory of 1524	3940	Explorer.exe	88
PID 3768 wrote to memory of 2492	3768	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe	87
PID 3768 wrote to memory of 2492	3768	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe	87
PID 3768 wrote to memory of 2492	3768	4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe	87
PID 1524 wrote to memory of 1844	1524	ASX.exe	92
PID 1524 wrote to memory of 1844	1524	ASX.exe	92
PID 1524 wrote to memory of 1844	1524	ASX.exe	92

C:\Users\Admin\AppData\Local\Temp\4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4dc817425f7d45ae9ad07088cb94ade6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Admin\AppData\Local\Temp\Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Explorer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\PSDUNO\ASX.exe
    "C:\Windows\system32\PSDUNO\ASX.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\PSDUNO\ASX.exe > nul
      4⤵
      PID:1844
- C:\Users\Admin\AppData\Local\Temp\DragonAge2.exe
  "C:\Users\Admin\AppData\Local\Temp\DragonAge2.exe"
  2⤵
  - Executes dropped EXE
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DragonAge2.exe

Filesize
11.7MB

MD5
eda0521aec080fad0774d44312c29e1d

SHA1
95ef4039146350e6faa908ddcb4aeff9810badb1

SHA256
571d9ed5bba9d0c1a2b109fabce5cf726875f0cc679ab689e418ada4f40d5b5c

SHA512
7002cbba759ab643f6bd9e9418ed37e2a73b7c3aa45409d44fe4f4f620f3c1e7399f92e25b283226950cbc094e528c601208db678cfe53f319c11ddade739c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explorer.exe

Filesize
894KB

MD5
27a29b3b3fcebf47237405db1b5bfd32

SHA1
232f4563ed7574c01d697de9e7f60136084bba8a

SHA256
72c9ae3f09168f101ed6c96b3eaf84a82215940a074589c25db509d0522ca3bc

SHA512
2a53cfc34739bebb289496f9c7e5697ef0fd14b9dd890f8c78eea7bbf28ea9e28ce53e9f896f804883cb6224bf00f426e9267df0e56c3de283dcb70833cbc8b4

Download Submit
C:\Windows\SysWOW64\PSDUNO\ASX.001

Filesize
61KB

MD5
531e64a4fe6c3ca60a609d1ee60d5ef5

SHA1
618d2ad5cc0d74a9a66946791544540c62ca9317

SHA256
89e94f28792d0de2fbb74eb5a2368b30db5e154f6845a1778e2cdf81ce1fb501

SHA512
5bf245d3371fcb90401ff5fa735b7e1f2672c9efa90c8917dcbe9164bd49adf43855017db7b14fb51da045362b8d38a293c91ce21825721726f173419336c9ce

Download Submit
C:\Windows\SysWOW64\PSDUNO\ASX.002

Filesize
43KB

MD5
b42f6052ceed5cce1bcaf3ecfcf65ece

SHA1
121e9a32af559261ec7485f8923463beea618e89

SHA256
8969214d0824806ae4af98abed05b38a80b9f04390f1b5b81e5351cebc5e6984

SHA512
c8907c30535e6bb68ff3175adf97180f01fb6a50b9c65ee4f58f19f17908e348480225b8d7a25d9bff42b29b6dea059480d124ec3ade5346053e26f2597c5175

Download Submit
C:\Windows\SysWOW64\PSDUNO\ASX.004

Filesize
1KB

MD5
57bafaa41aa134a2c000ae847f9704a3

SHA1
e6fb9ce135497470284451921c28e8ec6b470bea

SHA256
afa7ec71d7a1dda902404002d171192811f0d86913e274f81eecaf2ace21ccc0

SHA512
78609debf3e5072dcad733acffa1642b9263c678cc69a0dd13a221cbccd5a536bcc05109162845cb6ef89b3800b8b4fb41d2eccccfd4b0bd6c57bd83bf0d7911

Download Submit
C:\Windows\SysWOW64\PSDUNO\ASX.exe

Filesize
1.5MB

MD5
7c66e42411616c20e365cf927e0501b0

SHA1
ad749fa5974ad5480caff11d9c412f7321da84c7

SHA256
ada5a9d3b0947cc3dbab16da7e8737d5a21fc3decbc413f31fe808b065bca5c3

SHA512
04e55da475e1e933527f3320a18fcd2ff47cd19f960a071a1b9b14e710a9caf9d7f9e8a9404719aab4ff32c323d56b9e7eba700b9cd01af25afca6b4023e37cf

Download Submit
memory/1524-32-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2492-38-0x0000000000400000-0x0000000000FBD000-memory.dmp

Filesize
11.7MB

Download
memory/3768-0-0x0000000000400000-0x00000000010AC000-memory.dmp

Filesize
12.7MB

Download
memory/3768-37-0x0000000000400000-0x00000000010AC000-memory.dmp

Filesize
12.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads