ardamax | 17adfb6c866792d0dd22a0852c2d8190e24148f0678b7432a50ba03ebe4d0bff

General

Target

a83acf46401a254fa4c571fcdc606458_JaffaCakes118.exe
Size

1.7MB
MD5

a83acf46401a254fa4c571fcdc606458
SHA1

6d24fe6e79c7118922d80889fe8182c413639042
SHA256

17adfb6c866792d0dd22a0852c2d8190e24148f0678b7432a50ba03ebe4d0bff
SHA512

2d8cebc384d076db9b46d4fd762f58a22018646bf5fafb04ac57374ca3f9ba3556b1f781dfe80b0fdb50053872934342929192f088523e36d2fee1f7e06549d3
SSDEEP

24576:Tb1Xyoq4cvpuxFzywd2kQdd3j8Xua1f901:Tbf5FbC

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000233c4-22.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7.exe

Executes dropped EXE 2 IoCs

pid	Process
2832	7.exe
1880	DAUS.exe

Loads dropped DLL 4 IoCs

pid	Process
2832	7.exe
1880	DAUS.exe
1880	DAUS.exe
1880	DAUS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DAUS Agent = "C:\\Windows\\28463\\DAUS.exe"	DAUS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\28463	DAUS.exe
File created	C:\Windows\28463\DAUS.001	7.exe
File created	C:\Windows\28463\DAUS.006	7.exe
File created	C:\Windows\28463\DAUS.007	7.exe
File created	C:\Windows\28463\DAUS.exe	7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DAUS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1880	DAUS.exe
Token: SeIncBasePriorityPrivilege	1880	DAUS.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1880	DAUS.exe
1880	DAUS.exe
1880	DAUS.exe
1880	DAUS.exe
1880	DAUS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2832	1916	a83acf46401a254fa4c571fcdc606458_JaffaCakes118.exe	86
PID 1916 wrote to memory of 2832	1916	a83acf46401a254fa4c571fcdc606458_JaffaCakes118.exe	86
PID 1916 wrote to memory of 2832	1916	a83acf46401a254fa4c571fcdc606458_JaffaCakes118.exe	86
PID 2832 wrote to memory of 1880	2832	7.exe	94
PID 2832 wrote to memory of 1880	2832	7.exe	94
PID 2832 wrote to memory of 1880	2832	7.exe	94

C:\Users\Admin\AppData\Local\Temp\a83acf46401a254fa4c571fcdc606458_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a83acf46401a254fa4c571fcdc606458_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\7.exe
  C:\Users\Admin\AppData\Local\Temp\7.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\28463\DAUS.exe
    "C:\Windows\28463\DAUS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
599KB

MD5
83f7cd6a680e32fe5d0644d98500efe0

SHA1
b19d39e258b003acc5783fbc81d40aa1d1c4bb36

SHA256
0c432dfe5172bed53e1bb364e276b4f07ced21a054650b1bf8403e1caf63c410

SHA512
645d15a56aabfda5544c9aacf8b6f2b794aa4175edd763271204626e684d9a94a1c591a3499414572eae49eecb70c0cdb4d89a974de775a065b4b68123660a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\@9470.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
C:\Windows\28463\DAUS.001

Filesize
386B

MD5
c63413be1aea90735aaa7d7fd438fdc9

SHA1
8d096e50b44289f804f8c267472c12a64b329903

SHA256
8813c8cb51e256303e42fc7e3266bf56e03e4fb97c9e32e765beb121cde412fe

SHA512
63c5718c62bf3d5c039a2e4cf22957d2d0d5edb40ae5b4cea8713d9f9714a15b8a7365be79b73627de3431a288b1c0b701bc2aea40e7e5fb7d3245a2ef52ffda

Download Submit
C:\Windows\28463\DAUS.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\28463\DAUS.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\28463\DAUS.exe

Filesize
912KB

MD5
6768ba61744862704760b66ce8f8fdd4

SHA1
e86cbed8cf20c2a9c76219d0c434bc310ffb2392

SHA256
4cf4bf2b7d2bb4215e255e1f2b1238ad989f3c8a98ebfd5cb033bccf32fedaa0

SHA512
eadb56b633707724ef4f47f8b421b0f3b2afa5a9800fae030f81aefae483eed6b494da470278273f388c3ae346a33cbbfe742924d231dab1c9b42bbefaf95a61

Download Submit
memory/1880-32-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1880-27-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1880-36-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1880-37-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1916-14-0x00007FF8A2500000-0x00007FF8A2EA1000-memory.dmp

Filesize
9.6MB

Download
memory/1916-0-0x00007FF8A27B5000-0x00007FF8A27B6000-memory.dmp

Filesize
4KB

Download
memory/1916-12-0x00007FF8A2500000-0x00007FF8A2EA1000-memory.dmp

Filesize
9.6MB

Download
memory/1916-3-0x00007FF8A2500000-0x00007FF8A2EA1000-memory.dmp

Filesize
9.6MB

Download
memory/1916-1-0x000000001C170000-0x000000001C216000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads