ardamax | 950f64922eedf7dffb34db1e2f388c34b913f9197f8cd75a4952048392e13651

General

Target

7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
Size

1.1MB
MD5

7ed62395cac1fd0ac7b392c471a19506
SHA1

a855b7ed4aad62335a03accd70d89f10b575f7ad
SHA256

950f64922eedf7dffb34db1e2f388c34b913f9197f8cd75a4952048392e13651
SHA512

a51518cbb0c8319b3baea4353c37c39e3b7b3b3f01ba5b152c69df0f1f659dacdc1d82d374a6f823bedf3f7ceed20337164c0d760ce7756a8bdf3706ca84d6eb
SSDEEP

24576:LHvZTs+eR5Wm5ylzXx/APrj+YD9YYMkPktmhUlEcLb+bJuXrSlQ+9o:bBTs+ahyhXaTj+YpTPkYClnf+bJu7Cl

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234d2-8.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation	VHS.exe

Executes dropped EXE 1 IoCs

pid	Process
5048	VHS.exe

Loads dropped DLL 2 IoCs

pid	Process
5048	VHS.exe
2560	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VHS Start = "C:\\Windows\\SysWOW64\\XKPUFK\\VHS.exe"	VHS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XKPUFK\VHS.exe	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XKPUFK\	VHS.exe
File created	C:\Windows\SysWOW64\XKPUFK\VHS.004	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XKPUFK\VHS.001	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XKPUFK\VHS.002	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XKPUFK\AKV.exe	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000_Classes\Local Settings	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	5048	VHS.exe
Token: SeIncBasePriorityPrivilege	5048	VHS.exe
Token: SeIncBasePriorityPrivilege	5048	VHS.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5048	VHS.exe
5048	VHS.exe
5048	VHS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 5048	3972	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe	85
PID 3972 wrote to memory of 5048	3972	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe	85
PID 3972 wrote to memory of 5048	3972	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe	85
PID 3972 wrote to memory of 2560	3972	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe	87
PID 3972 wrote to memory of 2560	3972	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe	87
PID 3972 wrote to memory of 2560	3972	7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe	87
PID 5048 wrote to memory of 3500	5048	VHS.exe	91
PID 5048 wrote to memory of 3500	5048	VHS.exe	91
PID 5048 wrote to memory of 3500	5048	VHS.exe	91

C:\Users\Admin\AppData\Local\Temp\7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ed62395cac1fd0ac7b392c471a19506_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\XKPUFK\VHS.exe
  "C:\Windows\system32\XKPUFK\VHS.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\XKPUFK\VHS.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3500
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\New Text Document.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\XKPUFK\AKV.exe

Filesize
459KB

MD5
28f68e988bfb6a7c9d45d23058cf74e5

SHA1
a0740aea5602429f844cc7ba35c637d26c59edf9

SHA256
1dd66d2320104e426a9d8ae390d3199a6ae2ecadb85e35eed9c6ed7a1819d478

SHA512
dccc2cb961f86a0e11a27976d9f53043df895edf8ca624ace1be2b002b5ce2c372a833b87fdbeb518ada7666c72d01b9724f5ba203b301af444e1ac01104fcda

Download Submit
C:\Windows\SysWOW64\XKPUFK\VHS.001

Filesize
61KB

MD5
a2e848c23f0e2cca1974ea55e6a99779

SHA1
34a5a236c6bdfb6b9a47d5cd213147da7a507ad9

SHA256
e852249a3fc489ee5c3fb4928dab911c4d826ef180f27faaa2f37a7179d231e4

SHA512
70b67fd7368b0efdcaaad3cf8478b7519761afcb0578bded88f61bc357cbddf0c851e8248cab32c1d3b12dc933a33ccd23906aee695a9a9748a1d465566a108f

Download Submit
C:\Windows\SysWOW64\XKPUFK\VHS.002

Filesize
43KB

MD5
94aba5bdc0756bc2ceb5f521c4b620c6

SHA1
fbfd46ae5704c7dd6d63b959c1edb869f7dd19cf

SHA256
5bc8115fdcbe153a33a3feb65bc9eefe4e2a0357a145525f05689054939779e3

SHA512
0f4e154a0813f39f76acc95ec70b87241017d4210b44395bea9ef66c31f0da05503cf8ad665e03fd0c7aed8084e99bf3358de699bbcae2ffbe5176987640e33b

Download Submit
C:\Windows\SysWOW64\XKPUFK\VHS.004

Filesize
1KB

MD5
c0232d63d307851e2243f41b958f84e3

SHA1
7709d2ff8e30be4994a7a437f85f7db8fdc1b857

SHA256
d7678b14a95301dfbb18490ec4248e7c59bc8f0e943fd5eb05b62ab31ad64dc6

SHA512
72c33a300d47bd97c1aa83a268fb98f4fa497d9dd2cb0e279a6364334789213ae19c539a9c6be958aa24d732fa45404c0cb08f34dd4e1b626e4488a41faa2691

Download Submit
C:\Windows\SysWOW64\XKPUFK\VHS.exe

Filesize
1.5MB

MD5
b2d5e28fcce82e8ee5e1c0b1502e8730

SHA1
2573726de59c9c342e3d77bf7436704e74ad90f4

SHA256
b69590e97e053d49295aa1776526052caf3669579e81302825c954b0a4804095

SHA512
0318b6cc12c373a200fdfd144af551c90e2db0219115c6d7d3ec43275f177831c71a06a1c9741cc9522defb293212375707df73e28824d4b37c1d8a6d7c0638b

Download Submit
memory/5048-18-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/5048-22-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads