ardamax | 6f494e7b857e15508e8477ec3ff06df897d304bb4fd99d78a305133ecf021ac0

General

Target

Foto002.exe
Size

1.2MB
MD5

6b225013a0daf6f5dbc3a71cd40d6a39
SHA1

7883c741c0f4cf95e9226c13f0709c0fb7ad45fb
SHA256

124ebc7aa97224fa3060bfeebeec5ff39499a2af97b27cb630ecf514f2554312
SHA512

e8f7df27e65353e9505ef196dc65fac530c2550a94cab2cc7c62dcfacdbbfb7b9a4d743808bb3fcd0709e308b3aad154f2d6d97ac3431c7994f3b6422fb34e2d
SSDEEP

24576:Z0NzTBazwlNuVJKuMOTHbWmUGNZXaqRMwVsjH342Pm2TLKnwaLOvYwueSOTW:Z0pTsOu2VOWmUwqqRMUAFPf4wy1

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015f55-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2844	JRD.exe

Loads dropped DLL 4 IoCs

pid	Process
2780	Foto002.exe
2844	JRD.exe
2612	DllHost.exe
2780	Foto002.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JRD Start = "C:\\Windows\\SysWOW64\\JECWCN\\JRD.exe"	JRD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\JECWCN\JRD.008	JRD.exe
File created	C:\Windows\SysWOW64\JECWCN\JRD.004	Foto002.exe
File created	C:\Windows\SysWOW64\JECWCN\JRD.001	Foto002.exe
File created	C:\Windows\SysWOW64\JECWCN\JRD.002	Foto002.exe
File created	C:\Windows\SysWOW64\JECWCN\AKV.exe	Foto002.exe
File created	C:\Windows\SysWOW64\JECWCN\JRD.exe	Foto002.exe
File opened for modification	C:\Windows\SysWOW64\JECWCN\	JRD.exe
File created	C:\Windows\SysWOW64\JECWCN\JRD.008	JRD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foto002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JRD.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2844	JRD.exe
2844	JRD.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2844	JRD.exe
Token: SeIncBasePriorityPrivilege	2844	JRD.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2612	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2844	JRD.exe
2844	JRD.exe
2844	JRD.exe
2844	JRD.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2844	2780	Foto002.exe	30
PID 2780 wrote to memory of 2844	2780	Foto002.exe	30
PID 2780 wrote to memory of 2844	2780	Foto002.exe	30
PID 2780 wrote to memory of 2844	2780	Foto002.exe	30

C:\Users\Admin\AppData\Local\Temp\Foto002.exe
"C:\Users\Admin\AppData\Local\Temp\Foto002.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\JECWCN\JRD.exe
  "C:\Windows\system32\JECWCN\JRD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2844

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\joven1.jpg

Filesize
10KB

MD5
de165893d49d45d35a7e0db29839c274

SHA1
d900b0ae1aeddb9ae4fc12a449694ee2d5511315

SHA256
3f8a791c869476cd0aa43adc5659bb04e18ec6af2a548be7d0b1eb64765b3868

SHA512
f4d779f3234e0923f1910adfc49e30895308f93a857138b2fdd5e680374f63ad320bbf7d317aa1d01a36211f87766a2df661116a42908c964483a692fc90b8f2

Download Submit
C:\Windows\SysWOW64\JECWCN\AKV.exe

Filesize
485KB

MD5
b905540561802896d1609a5709c38795

SHA1
a265f7c1d428ccece168d36ae1a5f50abfb69e37

SHA256
ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53

SHA512
7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

Download Submit
C:\Windows\SysWOW64\JECWCN\JRD.002

Filesize
43KB

MD5
f195701cf2c54d6ceadad943cf5135b8

SHA1
9beb03fc097fc58d7375b0511b87ced98a423a08

SHA256
177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

SHA512
f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

Download Submit
C:\Windows\SysWOW64\JECWCN\JRD.004

Filesize
1KB

MD5
a4b6133801c03032b687aabb7dcf208f

SHA1
edf84f8404783eeab8e4a16598482958fcea3994

SHA256
374704384cb764afecd5ca831a2db424221e872382ccdd56c7b033bcf6d0880e

SHA512
db926e1bea7392f3300068ccc65b47eb9d961f796445f273bcc316ea6cf38da6199c617efcb3c0cdfeca12a85689a3d338e891324002da330cec157e365fac62

Download Submit
\Windows\SysWOW64\JECWCN\JRD.001

Filesize
61KB

MD5
0e7e847fb96b4faa6cb4d3707a96887e

SHA1
896fd4064044e271312e9128e874108eec69521f

SHA256
c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca

SHA512
ad680ed30b0cabe1be4e7237b8e620060de9c5f64d088d21a6acf6f293551ab4abc10f8f959aa6041e19aeaea538e72beeecc29b7669546a9a151141d4e73684

Download Submit
\Windows\SysWOW64\JECWCN\JRD.exe

Filesize
1.7MB

MD5
d95623e481661c678a0546e02f10f24c

SHA1
b6949e68a19b270873764585eb1e82448d1e0717

SHA256
cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

SHA512
dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

Download Submit
memory/2612-25-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2780-24-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download
memory/2844-16-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads