ardamax | 57f19fa6f02c6a8ad956feaf830269028dbb8d4de13afbac601f1f1844e105a3

General

Target

a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe
Size

1.9MB
MD5

a02fb395dc25e5f2d8ae6dc1f184034a
SHA1

30f10fcc570f30a6ee0df57cc088919c74dc0e5f
SHA256

57f19fa6f02c6a8ad956feaf830269028dbb8d4de13afbac601f1f1844e105a3
SHA512

3bc5bf469425e91e3f3485c4d9a3c5df960c32c43852b9c9cd76a58efd60b997a155539532e1835da7da97f2cd405e8ac2a816c47cfc196f04b74346f1f0cf63
SSDEEP

24576:KezZcJKrlWwLG89uJLW0bFyp2r9baDbiFhv0gv+0AddYx8vrUGRIk7rUHzWkiJL6:KdgH/2r9GovenU8UTWkdrf

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002358c-18.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Miss YoU.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	Miss YoU.exe
2760	GCJR5.exe

Loads dropped DLL 3 IoCs

pid	Process
2760	GCJR5.exe
2760	GCJR5.exe
2760	GCJR5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GCJR5 Agent = "C:\\Windows\\SysWOW64\\1025\\xyz3\\GCJR5.exe"	GCJR5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1025\xyz3\GCJR5.006	Miss YoU.exe
File opened for modification	C:\Windows\SysWOW64\1025\xyz3\GCJR5.007	Miss YoU.exe
File created	C:\Windows\SysWOW64\1025\xyz3\GCJR5.001	Miss YoU.exe
File opened for modification	C:\Windows\SysWOW64\1025\xyz3\GCJR5.001	Miss YoU.exe
File opened for modification	C:\Windows\SysWOW64\1025\xyz3	GCJR5.exe
File created	C:\Windows\SysWOW64\1025\xyz3\GCJR5.exe	Miss YoU.exe
File opened for modification	C:\Windows\SysWOW64\1025\xyz3\GCJR5.exe	Miss YoU.exe
File created	C:\Windows\SysWOW64\1025\xyz3\GCJR5.007	Miss YoU.exe
File opened for modification	C:\Windows\SysWOW64\1025\xyz3\fathel-gowa_elroo7_Elissa.rm	Miss YoU.exe
File opened for modification	C:\Windows\SysWOW64\1025	Miss YoU.exe
File opened for modification	C:\Windows\SysWOW64\1025\xyz3	Miss YoU.exe
File created	C:\Windows\SysWOW64\1025\xyz3\__tmp_rar_sfx_access_check_240692515	Miss YoU.exe
File created	C:\Windows\SysWOW64\1025\xyz3\GCJR5.006	Miss YoU.exe
File created	C:\Windows\SysWOW64\1025\xyz3\fathel-gowa_elroo7_Elissa.rm	Miss YoU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miss YoU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GCJR5.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	Miss YoU.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
828	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
828	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2760	GCJR5.exe
Token: SeIncBasePriorityPrivilege	2760	GCJR5.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
828	vlc.exe
828	vlc.exe
828	vlc.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
828	vlc.exe
828	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
220	a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe
2760	GCJR5.exe
2760	GCJR5.exe
2760	GCJR5.exe
2760	GCJR5.exe
2760	GCJR5.exe
828	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2160	220	a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe	96
PID 220 wrote to memory of 2160	220	a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe	96
PID 220 wrote to memory of 2160	220	a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe	96
PID 2160 wrote to memory of 2760	2160	Miss YoU.exe	97
PID 2160 wrote to memory of 2760	2160	Miss YoU.exe	97
PID 2160 wrote to memory of 2760	2160	Miss YoU.exe	97
PID 2160 wrote to memory of 828	2160	Miss YoU.exe	98
PID 2160 wrote to memory of 828	2160	Miss YoU.exe	98

C:\Users\Admin\AppData\Local\Temp\a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a02fb395dc25e5f2d8ae6dc1f184034a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\U4J9gm\Miss YoU.exe
  "C:\Users\Admin\AppData\Local\Temp\\U4J9gm\Miss YoU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\1025\xyz3\GCJR5.exe
    "C:\Windows\system32\1025\xyz3\GCJR5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\system32\1025\xyz3\fathel-gowa_elroo7_Elissa.rm"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3860 /prefetch:8
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\U4J9gm\Miss YoU.exe

Filesize
1.4MB

MD5
1dcfb11668d84c67386d22ec880135c3

SHA1
5691c781bd34f860c7503de1837261fc00847a44

SHA256
97dd60dededb4ff032ecc07b15a12534fca7f552e2d886cbe477c037838e329b

SHA512
43d4136103417d12e1d1e5cdd6055336d1bf7991663eb1c6e4adc791051998195face1187bb1503c558bc25aa644f9c2743a2c03981441809a4a20142dd6748a

Download Submit
C:\Windows\SysWOW64\1025\xyz3\GCJR5.001

Filesize
2KB

MD5
a5578fb864cb7fff69f535613fc07c66

SHA1
985d0bb6360e07af6897ed143aa41aa4e25607a7

SHA256
898e9d2b2db740b4334aeaf75f1d74d77f399514a1dc279403c977c784dd6755

SHA512
b2c194718c8e1e10511f6fd4835e348b99840d13aacca6d4490d7deddecb448e83c853a68f6ba299343f632ef12164028825ef0e6c0f94a5dabf2fc80155f433

Download Submit
C:\Windows\SysWOW64\1025\xyz3\GCJR5.006

Filesize
8KB

MD5
8499922ab422c17e550a724083be50c7

SHA1
914aa24da69f9882d12d7d7cceae38de4dbcad1c

SHA256
894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a

SHA512
9d2e7619c7e8e459449a7f70d581ae52a1d33ba1c90b2a14812c2a44474451dc06e78a8e410aae5e7caf9306bbe739b1eeca1a1bc167498a982d9f1320dbbd1b

Download Submit
C:\Windows\SysWOW64\1025\xyz3\GCJR5.007

Filesize
5KB

MD5
b128c2f3eafaff6725ed554a2a21b72f

SHA1
377c206483b5348eb4b657363d29cae830be0b8c

SHA256
b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef

SHA512
3de5ec44becf7520d7ae32764b4636a1d727ab92d192fd92d725d6d308067e331f88e62f3cd9a4a334eb1d9e2ea44bf30f14ebd4e4f2877cdbd6b7bf0ed771c8

Download Submit
C:\Windows\SysWOW64\1025\xyz3\GCJR5.exe

Filesize
526KB

MD5
74102271a26cbc2435d5a8cedcb75923

SHA1
be11192b6229754994fce170c0ef647f50464d3b

SHA256
9e605741081a9c39bc8aa2d1a6425428f6ec82abc12d1245d1ea62a0e9550c9d

SHA512
47e1553048160a76d82b9891c3cfb28e2815a84e4b3a651138572118259d97cc9a40582197b0922a20024d2db2acf680a6910327a54622a55feeded44d41d9ab

Download Submit
C:\Windows\SysWOW64\1025\xyz3\fathel-gowa_elroo7_Elissa.rm

Filesize
1.1MB

MD5
099b5798e56b97b6f9785acb993c5c52

SHA1
2b074987cddf921434f9ce1be4ec023b144be113

SHA256
b97b499d7053570bf209a9cdd9afac603ca474a07d8f0c36985cc4b54288909e

SHA512
322a09cad5e91ba656826be41a9824b915762d6164a60dde46acff4aa4710dff2d9fccce4c774d5c9484bc141dbec7ed0f31c74cb959b9a2b59ab3d70774930b

Download Submit
memory/828-44-0x00007FFA3F1A0000-0x00007FFA3F1E1000-memory.dmp

Filesize
260KB

Download
memory/828-37-0x00007FFA3F430000-0x00007FFA3F441000-memory.dmp

Filesize
68KB

Download
memory/828-32-0x00007FF7ABBB0000-0x00007FF7ABCA8000-memory.dmp

Filesize
992KB

Download
memory/828-35-0x00007FFA3F470000-0x00007FFA3F488000-memory.dmp

Filesize
96KB

Download
memory/828-41-0x00007FFA3F240000-0x00007FFA3F251000-memory.dmp

Filesize
68KB

Download
memory/828-40-0x00007FFA3F260000-0x00007FFA3F27D000-memory.dmp

Filesize
116KB

Download
memory/828-39-0x00007FFA3F280000-0x00007FFA3F291000-memory.dmp

Filesize
68KB

Download
memory/828-42-0x00007FFA2F650000-0x00007FFA2F85B000-memory.dmp

Filesize
2.0MB

Download
memory/828-38-0x00007FFA3F2A0000-0x00007FFA3F2B7000-memory.dmp

Filesize
92KB

Download
memory/828-33-0x00007FFA3F490000-0x00007FFA3F4C4000-memory.dmp

Filesize
208KB

Download
memory/828-36-0x00007FFA3F450000-0x00007FFA3F467000-memory.dmp

Filesize
92KB

Download
memory/828-34-0x00007FFA2F860000-0x00007FFA2FB16000-memory.dmp

Filesize
2.7MB

Download
memory/828-43-0x00007FFA2E5A0000-0x00007FFA2F650000-memory.dmp

Filesize
16.7MB

Download
memory/828-46-0x00007FFA3F180000-0x00007FFA3F198000-memory.dmp

Filesize
96KB

Download
memory/828-48-0x00007FFA3EA60000-0x00007FFA3EA77000-memory.dmp

Filesize
92KB

Download
memory/828-47-0x00007FFA3F110000-0x00007FFA3F177000-memory.dmp

Filesize
412KB

Download
memory/828-45-0x00007FFA3F210000-0x00007FFA3F231000-memory.dmp

Filesize
132KB

Download
memory/2160-31-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads