ardamax | fbbc6997695e761f6c40f3e64f35517f6f2b22893e51dc8586d870d39d170645

General

Target

9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
Size

1.2MB
MD5

9b2667ea36063df0a65bbe9ed508b314
SHA1

aeeda8c5460fffa37b39e884b03e55bd1f0758f3
SHA256

fbbc6997695e761f6c40f3e64f35517f6f2b22893e51dc8586d870d39d170645
SHA512

661304e1736d27fa8546181de6e58c12da2ccf04663fb7902e5ffbce4121b025d253a9542b513389f2f9c759481afa13bef593faccca3eca9dbbfa2805c03ebc
SSDEEP

24576:5zwTT6y+Ujl05ZeVG1eDUiUyD98PB38xOBUCjzcSewD:5z+TP7xUhiGVBUCcSew

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002345d-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
508	HSA.exe

Loads dropped DLL 1 IoCs

pid	Process
508	HSA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HSA Start = "C:\\Windows\\SysWOW64\\ESDXOH\\HSA.exe"	HSA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ESDXOH\HSA.004	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESDXOH\HSA.001	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESDXOH\HSA.002	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESDXOH\AKV.exe	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ESDXOH\HSA.exe	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ESDXOH\	HSA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSA.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
508	HSA.exe
508	HSA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	508	HSA.exe
Token: SeIncBasePriorityPrivilege	508	HSA.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
508	HSA.exe
508	HSA.exe
508	HSA.exe
508	HSA.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 508	2924	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe	86
PID 2924 wrote to memory of 508	2924	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe	86
PID 2924 wrote to memory of 508	2924	9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b2667ea36063df0a65bbe9ed508b314_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\ESDXOH\HSA.exe
  "C:\Windows\system32\ESDXOH\HSA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ESDXOH\AKV.exe

Filesize
485KB

MD5
42150775d201a85ebc379d21aa253f85

SHA1
fccd7df34e16abaf8d55935016cdb15df8041e06

SHA256
00206ccef9ee8da111cc547c698b7e61736b328de48ac5c307d05f2921ef0b9c

SHA512
4ff3c587a8d88e319acb028829c75ecb3e11c16a62ba9c2090720613c51c6555af698ba8ff75672b405602f196ed1b99dbeb9395bae62aac2140fa31600b36e0

Download Submit
C:\Windows\SysWOW64\ESDXOH\HSA.001

Filesize
61KB

MD5
c74a88fa4ee66db7064461b5190e912a

SHA1
f40f0180d5df3aaf1a56220f7b5a8657b86bde49

SHA256
2ddfe3bf4e0268abbb6718cd36288ae190ecb422a75a17d8a321b049c475b06b

SHA512
6265d804ba1405b958d52259cf080242b3e63bffbdc37699af748b4160d19d40cabc70e747a3ba0cb537be390b34e703d691805d6c7b719982363b2f606dbeab

Download Submit
C:\Windows\SysWOW64\ESDXOH\HSA.002

Filesize
44KB

MD5
e65e4bdb2c86226589b88f101153c01b

SHA1
731be43621721dba20f0bb74966ea08043ef37fd

SHA256
e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2

SHA512
7700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd

Download Submit
C:\Windows\SysWOW64\ESDXOH\HSA.004

Filesize
1KB

MD5
4e10f853e81259490f513f402a4648a3

SHA1
6d47f9047849eee68322ea480d9e3b90865f88d3

SHA256
611a7ac09257e60a55414ae31c1547b080e379017c70d1d91b61b96b5cb198e2

SHA512
ca907ef67886f8cc6cceeb559f063022c22800ffa09f60f4ac2bc83a4e884b4f17b91f1a1d66b9a73d33e9f553f2b8c5593519173dbf74ae8b8459438b17df08

Download Submit
C:\Windows\SysWOW64\ESDXOH\HSA.exe

Filesize
1.7MB

MD5
9a6a50772539f5a61fefa29c34666223

SHA1
b2b8650d817ef7d86bfef48420e9716f0ffdccce

SHA256
93db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b

SHA512
eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed

Download Submit
memory/508-17-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/508-19-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads