ardamax | 334c3b8cb19cfd151405e8c3d7d7b5675b6ad2f4df624fe1a9f82d59faea564d

General

Target

96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
Size

582KB
MD5

96650ed7efce4d60e3c07188dcd61673
SHA1

afb5bb0bcbd028a534846f8840494d6ce11649c1
SHA256

334c3b8cb19cfd151405e8c3d7d7b5675b6ad2f4df624fe1a9f82d59faea564d
SHA512

5131932338708ace2c6fdeac8fce0de87e0334c64bc2ad48a26305dcdaa5855e2e925e006952b2b702f5f037794a886d8b0f346c7b3968e3ebefa0ad6c7b2ac2
SSDEEP

12288:4Lbnjlo+y5HTclPbQkGamU9//JMZHbxk/1yQscbyIvHI032SGU2:2nGtHGyqEZ7Kc87vI7SGF

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002349f-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4452	KXKU.exe

Loads dropped DLL 4 IoCs

pid	Process
2024	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
4452	KXKU.exe
4452	KXKU.exe
4452	KXKU.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KXKU Agent = "C:\\Windows\\SysWOW64\\YHF\\KXKU.exe"	KXKU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YHF\KXKU.001	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\KXKU.006	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\KXKU.007	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\KXKU.exe	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\AKV.exe	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\YHF	KXKU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXKU.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4452	KXKU.exe
Token: SeIncBasePriorityPrivilege	4452	KXKU.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4452	KXKU.exe
4452	KXKU.exe
4452	KXKU.exe
4452	KXKU.exe
4452	KXKU.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 4452	2024	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe	94
PID 2024 wrote to memory of 4452	2024	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe	94
PID 2024 wrote to memory of 4452	2024	96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96650ed7efce4d60e3c07188dcd61673_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\YHF\KXKU.exe
  "C:\Windows\system32\YHF\KXKU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9BD2.tmp

Filesize
4KB

MD5
30bfd4514b7d7bf4feb29fa277a85704

SHA1
1de5fcd883a38190e8d3a020ef0b65ee9a8dd62d

SHA256
73b7e30ad8c34db793eed457f4845d360e80e08738663f7e40e0f9c217a914c7

SHA512
0a8dc5c73272577016830cfb6fad43906f63debee9630456336a08b88740109f2d88e9e79ee5ac14be48c715335bd731d99f9e022c09d1ee73e5b1436645b5b7

Download Submit
C:\Windows\SysWOW64\YHF\AKV.exe

Filesize
416KB

MD5
4668b7f6816e3af3096c06f5480e5899

SHA1
ca2300c38cc073c2e0a9dddfbfec19cc1ccad510

SHA256
561bb8440fb91e21a3ce6dcc0ec2d06829003fcd1282d14283451e962bd30fac

SHA512
f949fdc2b4158a791a67c7c0a2ebc372668147d98331692887b4e607fd9bdd24d53a79d3934b6fc36980c5034c6d30a7c02fd95d6caa0e868bfa2e1e963ef1c4

Download Submit
C:\Windows\SysWOW64\YHF\KXKU.001

Filesize
518B

MD5
db23c0254fad75610f50cd214044589d

SHA1
72e4d52e8149c19d2e3ecf4d1002f192445ce39d

SHA256
590b70998d777d17ffa5f2fff1b9b8e325aa28bad7434c26dd55f86127e3e35b

SHA512
1dd07a0e3100ba9ec85227719a41262d0cf48361fc6154474806ca830d486ad131270f34d54fd30b6ed9ddfb04a2131cbb8124f9ef122befa9531a2db2592c88

Download Submit
C:\Windows\SysWOW64\YHF\KXKU.006

Filesize
8KB

MD5
8fb07f75858ce780589f73c560bed729

SHA1
ceb87f6a61636ea862f3042a18a09dbc89742bba

SHA256
dc83deabf925d71c6e8596b33290020ee76ff3fbb909ad3a4e62f6924000f42c

SHA512
31964cf1f0add8b98e5a13782867a636aa82a9bbcf24f2c36ca46dda1934fc0d830546c6e46c0b59903a0a29578ddd71b1a5885008f8ab837cb8987f25d9926a

Download Submit
C:\Windows\SysWOW64\YHF\KXKU.007

Filesize
5KB

MD5
12f0081516d47e47c4296c960fc6beea

SHA1
8b3c35d39eefe8b69ec58125a8e755576c5f527d

SHA256
b0a9c55e49cc0aa6ebbec533e9c350adce4a78bca6bdbaa3ef5ee70a62eb53b8

SHA512
ea90005dd6aa0bfa6a3cb233e4aadb39335bcdaa3722d038273719fcadd7ae71678e25f1e32ef01604a9646f5eee0ae0f6e78fc14869598e27a7b6b8c256daca

Download Submit
C:\Windows\SysWOW64\YHF\KXKU.exe

Filesize
540KB

MD5
20b550c5d6d61aa1e1c464d366264c9e

SHA1
ee9e349bb73a70d0e6d5e0776dc959ea57f9d96c

SHA256
9bfa43a345b1446984cd3e0c20896cc188b3c2c2f21fccb85227a662f38aa1f6

SHA512
04f6ad21a0c90ac850c1646ca78a59709f7a9cacdaaab621f1258490df269f5d07e5d063b1d4244792f76360b797df228e476fbbd3419385ffeb7cae7748cc5e

Download Submit
memory/4452-23-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4452-27-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads