ardamax | 2c77a10433534041cadbb3468696417382dfe0a1e57a69814c0c7c62b0606656

General

Target

8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe
Size

1.0MB
MD5

8ba4efbee9c7e1d1eaf06c852be26907
SHA1

e708a176c606b8d088c88e23d8a8b2a4b30d4973
SHA256

2c77a10433534041cadbb3468696417382dfe0a1e57a69814c0c7c62b0606656
SHA512

12a3bd1c7351274905eea279e4a0f1c1145e0aace005a94f5768a9d836ba0f46174d1ab8c29efe30cf19b35667709704aa672863d348ce65800f092afeaaa770
SSDEEP

24576:Bh3sT73sVm04EuA/StLByKvF3wKXkPz9mYuTQuiCbIMK1Up:n83sw04EuAatLBy2eKXkPzkmuiCbzt

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234d8-29.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	CJK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	msn.exe

Executes dropped EXE 3 IoCs

pid	Process
1448	msn.exe
2176	autorun.exe
4868	CJK.exe

Loads dropped DLL 1 IoCs

pid	Process
4868	CJK.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/212-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/212-23-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CJK Start = "C:\\Windows\\SysWOW64\\PVWKQO\\CJK.exe"	CJK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PVWKQO\	CJK.exe
File created	C:\Windows\SysWOW64\PVWKQO\CJK.004	msn.exe
File created	C:\Windows\SysWOW64\PVWKQO\CJK.001	msn.exe
File created	C:\Windows\SysWOW64\PVWKQO\CJK.002	msn.exe
File created	C:\Windows\SysWOW64\PVWKQO\CJK.exe	msn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CJK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4868	CJK.exe
Token: SeIncBasePriorityPrivilege	4868	CJK.exe
Token: SeIncBasePriorityPrivilege	4868	CJK.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4868	CJK.exe
4868	CJK.exe
4868	CJK.exe
4868	CJK.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 1448	212	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe	85
PID 212 wrote to memory of 1448	212	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe	85
PID 212 wrote to memory of 1448	212	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe	85
PID 212 wrote to memory of 2176	212	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe	86
PID 212 wrote to memory of 2176	212	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe	86
PID 212 wrote to memory of 2176	212	8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe	86
PID 1448 wrote to memory of 4868	1448	msn.exe	88
PID 1448 wrote to memory of 4868	1448	msn.exe	88
PID 1448 wrote to memory of 4868	1448	msn.exe	88
PID 4868 wrote to memory of 3500	4868	CJK.exe	102
PID 4868 wrote to memory of 3500	4868	CJK.exe	102
PID 4868 wrote to memory of 3500	4868	CJK.exe	102

C:\Users\Admin\AppData\Local\Temp\8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ba4efbee9c7e1d1eaf06c852be26907_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\msn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\PVWKQO\CJK.exe
    "C:\Windows\system32\PVWKQO\CJK.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\PVWKQO\CJK.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3500
- C:\Users\Admin\AppData\Local\Temp\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\autorun.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autorun.exe

Filesize
209KB

MD5
2129cc0820a91e0dfae425578b14c1a4

SHA1
9e7c38f889930672c13d7e18b18b53d78d635407

SHA256
7c8960429c0a77d660a10428a05623750fd7df5a77e3c6db95d3b94d45bd4a33

SHA512
b05379c1a2e733a7305b9ce2359a152f4c6e8a338f73c3495cd41fb4355569386bff9248480f411943e1892847de1d6f59c4324036982da0dc8e80e635c314cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
894KB

MD5
60a4905939f20476aef78863d26a57be

SHA1
1715172d38eadada40f2199d152ddc0b9e3c691a

SHA256
9221cbe0266be4b2a43a36bef3e74f605ac76299fedb4ad4aa3bc8a268368a61

SHA512
0aa18f0bbd2819d323c184c7480d739d8a93007c9426e64b326ac65245dafa579611f2591051412630e552d6620a63c8e099d679fadee9000117d226b3a49d24

Download Submit
C:\Windows\SysWOW64\PVWKQO\CJK.001

Filesize
61KB

MD5
531e64a4fe6c3ca60a609d1ee60d5ef5

SHA1
618d2ad5cc0d74a9a66946791544540c62ca9317

SHA256
89e94f28792d0de2fbb74eb5a2368b30db5e154f6845a1778e2cdf81ce1fb501

SHA512
5bf245d3371fcb90401ff5fa735b7e1f2672c9efa90c8917dcbe9164bd49adf43855017db7b14fb51da045362b8d38a293c91ce21825721726f173419336c9ce

Download Submit
C:\Windows\SysWOW64\PVWKQO\CJK.002

Filesize
43KB

MD5
b42f6052ceed5cce1bcaf3ecfcf65ece

SHA1
121e9a32af559261ec7485f8923463beea618e89

SHA256
8969214d0824806ae4af98abed05b38a80b9f04390f1b5b81e5351cebc5e6984

SHA512
c8907c30535e6bb68ff3175adf97180f01fb6a50b9c65ee4f58f19f17908e348480225b8d7a25d9bff42b29b6dea059480d124ec3ade5346053e26f2597c5175

Download Submit
C:\Windows\SysWOW64\PVWKQO\CJK.004

Filesize
1KB

MD5
0ad408e80a6212158311d96378bf42ca

SHA1
2bac909f52d266d15c756eae858e5cbfa77b3e3e

SHA256
4726a26181f4fdfbb2139c13ec485746cc2f755b35b812430f0da3d4508b1c3d

SHA512
0b5a05b82421250ab53120c7efa754aedc39088e127b696ca0bed21963d294b22f1c56c1ac17e00bbc96b2f11d7d3959456443c9f49c06e52b0b04ba1071bb08

Download Submit
C:\Windows\SysWOW64\PVWKQO\CJK.exe

Filesize
1.5MB

MD5
7c66e42411616c20e365cf927e0501b0

SHA1
ad749fa5974ad5480caff11d9c412f7321da84c7

SHA256
ada5a9d3b0947cc3dbab16da7e8737d5a21fc3decbc413f31fe808b065bca5c3

SHA512
04e55da475e1e933527f3320a18fcd2ff47cd19f960a071a1b9b14e710a9caf9d7f9e8a9404719aab4ff32c323d56b9e7eba700b9cd01af25afca6b4023e37cf

Download Submit
memory/212-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/212-23-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads