ardamax | 89f6197fbdf2f0e8c29a1fa9723f46c6425e9875f7b98646dd66673f685aec5b

General

Target

77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
Size

561KB
MD5

77d70848cc2c430a4f0da7df0b20d1fe
SHA1

0a9b9cbd88f98b69052b400eb87e52bfb917bc6a
SHA256

89f6197fbdf2f0e8c29a1fa9723f46c6425e9875f7b98646dd66673f685aec5b
SHA512

2ca7fbe3fc95d029edbd55a4d065caa1e8e3e28a05d6432997cee62af92e1d1e92c8565c9f10d2d7d8a5778b81bbfb6b0ab1744ba2e201f1581139eb506cd894
SSDEEP

12288:sfhMLX5hRgJ6vuvbaibW4IPi5lE+FulOTJiedQjGE7DMYsl4uQuw:wMLpGbvbaiSPKlaAJPdQjGIDMBl4uo

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023440-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	system32WLUO.exe

Executes dropped EXE 2 IoCs

pid	Process
4200	system32WLUO.exe
4664	Auto Talker Pro.exe

Loads dropped DLL 10 IoCs

pid	Process
1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
4200	system32WLUO.exe
1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
4200	system32WLUO.exe
4200	system32WLUO.exe
4664	Auto Talker Pro.exe
4664	Auto Talker Pro.exe
4664	Auto Talker Pro.exe
1608	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32WLUO Agent = "C:\\Windows\\system32WLUO.exe"	system32WLUO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32WLUO.001	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
File created	C:\Windows\system32WLUO.006	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
File created	C:\Windows\system32WLUO.007	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
File created	C:\Windows\system32WLUO.exe	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
File created	C:\Windows\system32AKV.exe	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1608	4200	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32WLUO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Talker Pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4200	system32WLUO.exe
Token: SeIncBasePriorityPrivilege	4200	system32WLUO.exe
Token: SeIncBasePriorityPrivilege	4200	system32WLUO.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4200	system32WLUO.exe
4200	system32WLUO.exe
4200	system32WLUO.exe
4200	system32WLUO.exe
4200	system32WLUO.exe
4664	Auto Talker Pro.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4200	1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe	86
PID 1052 wrote to memory of 4200	1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe	86
PID 1052 wrote to memory of 4200	1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe	86
PID 1052 wrote to memory of 4664	1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe	87
PID 1052 wrote to memory of 4664	1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe	87
PID 1052 wrote to memory of 4664	1052	77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe	87
PID 4200 wrote to memory of 1792	4200	system32WLUO.exe	104
PID 4200 wrote to memory of 1792	4200	system32WLUO.exe	104
PID 4200 wrote to memory of 1792	4200	system32WLUO.exe	104

C:\Users\Admin\AppData\Local\Temp\77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77d70848cc2c430a4f0da7df0b20d1fe_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\system32WLUO.exe
  "C:\Windows\system32WLUO.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1068
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SYSTEM~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- C:\Users\Admin\AppData\Local\Temp\Auto Talker Pro.exe
  "C:\Users\Admin\AppData\Local\Temp\Auto Talker Pro.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@88F6.tmp

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auto Talker Pro.exe

Filesize
136KB

MD5
bfbafba031e52f4b724cd89264a68483

SHA1
620fcc3c27a5114a3eeed29c9aa8813eab449a90

SHA256
deeddbbbc6f21c964a58513b1fae4363312fc07307ceccf3354bfade45a216fb

SHA512
d44f0362e3dbc33b044632ec12988ae0e529393ce7eff1ca4a499760563032ae3a4dd1fa827d3d9e8e1da615e5d8df9860583c8c9f4ed88dc6519c74169a8646

Download Submit
C:\Windows\system32WLUO.001

Filesize
716B

MD5
c2edf4afc80e77383b22fd31eec5a562

SHA1
fedb7fd368066709ee074d401cca11ce202681c7

SHA256
0e2849fadecf06eed2ed1c8697213ab7f026a89f0a0304a53393c2d83aaf02d7

SHA512
2c80469f26a033b1519a5de1d936ebe7807d374ed7cd7508a7dd82849d53b3e3633ff389ff2c6afa69904b6ef4f7df0593885f1e7ed369d24ede6e428f51dc65

Download Submit
C:\Windows\system32WLUO.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\Windows\system32WLUO.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
C:\Windows\system32WLUO.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
memory/4200-19-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4200-44-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads