ardamax | 4cc4fbdc4c87647316c9aa805197960097029dab69bd943db8af61545f4d2e6b

General

Target

aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
Size

1.1MB
MD5

aeba61381c4689e9279c1339eac30c14
SHA1

9feb89688c98f8bbb8c5b610b64906c4d898a8d2
SHA256

4cc4fbdc4c87647316c9aa805197960097029dab69bd943db8af61545f4d2e6b
SHA512

59a988b16d933d683bd93591d6e06735cb7a5f0176b7ac1c6a98f75575694c143c32e8a829336bacfd0b8e455cafb37e3765627417ac64d19960f9bbf8e9664a
SSDEEP

24576:Xk/ATfJLE8w998t8hsdGPfhLCP4EQ+olMXPcMWJTjKz+5Zv/yx:0oTfJHwsmhsdIfhNqfNWJT150

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002348d-9.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	XCG.exe

Executes dropped EXE 1 IoCs

pid	Process
4788	XCG.exe

Loads dropped DLL 1 IoCs

pid	Process
4788	XCG.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XCG Start = "C:\\Windows\\SysWOW64\\XQHAPV\\XCG.exe"	XCG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XQHAPV\XCG.002	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQHAPV\AKV.exe	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQHAPV\XCG.chm	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQHAPV\XCG.exe	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XQHAPV\	XCG.exe
File created	C:\Windows\SysWOW64\XQHAPV\XCG.004	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQHAPV\XCG.001	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XCG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4788	XCG.exe
Token: SeIncBasePriorityPrivilege	4788	XCG.exe
Token: SeIncBasePriorityPrivilege	4788	XCG.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4788	XCG.exe
4788	XCG.exe
4788	XCG.exe
4788	XCG.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 4788	2784	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe	87
PID 2784 wrote to memory of 4788	2784	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe	87
PID 2784 wrote to memory of 4788	2784	aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe	87
PID 4788 wrote to memory of 1188	4788	XCG.exe	104
PID 4788 wrote to memory of 1188	4788	XCG.exe	104
PID 4788 wrote to memory of 1188	4788	XCG.exe	104

C:\Users\Admin\AppData\Local\Temp\aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aeba61381c4689e9279c1339eac30c14_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\XQHAPV\XCG.exe
  "C:\Windows\system32\XQHAPV\XCG.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\XQHAPV\XCG.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\XQHAPV\AKV.exe

Filesize
463KB

MD5
eb916da4abe4ff314662089013c8f832

SHA1
1e7e611cc6922a2851bcf135806ab51cdb499efa

SHA256
96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

SHA512
d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

Download Submit
C:\Windows\SysWOW64\XQHAPV\XCG.001

Filesize
61KB

MD5
425ff37c76030ca0eb60321eedd4afdd

SHA1
7dde5e9ce5c4057d3db149f323fa43ed29d90e09

SHA256
70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

SHA512
ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

Download Submit
C:\Windows\SysWOW64\XQHAPV\XCG.002

Filesize
43KB

MD5
12fb4f589942682a478b7c7881dfcba2

SHA1
a3d490c6cda965708a1ff6a0dc4e88037e0d6336

SHA256
4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

SHA512
dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

Download Submit
C:\Windows\SysWOW64\XQHAPV\XCG.004

Filesize
1KB

MD5
36579aee2f0dd52100b2902d71836e2a

SHA1
fc529ed789acfb0d656ef36a9b637f0887986f67

SHA256
febec6de4dc46949510a116ed68a4f9e3467bda8d5a546ae94c56cf10cd83ddc

SHA512
f729bc7878f4788bf87c6ac885d28596e4c781da2d872e20a912bdad166c6a8319e79a5bd4fb3b8dd1c5475d3c4c7bf2a799270051216701a78db66e42d7aa1a

Download Submit
C:\Windows\SysWOW64\XQHAPV\XCG.chm

Filesize
20KB

MD5
164ea98e2f64635f8a097870781da36c

SHA1
7cd9294657902f6bc199007e30f6514fce66f666

SHA256
c69e694d6db9a958a99901afb86a8b864a17b510a5dcdd1c176f53abf0c61a61

SHA512
4e19842a0d959876cdac60fd145fa36f2d98650b843c6faea2b01e205b2f0ce262b45c1c60fbf483320f012d4c00b96dff36e72d27ecbe9133f09d6618cbde20

Download Submit
C:\Windows\SysWOW64\XQHAPV\XCG.exe

Filesize
1.5MB

MD5
f8530f0dfe90c7c1e20239b0a7643041

SHA1
3e0208ab84b8444a69c8d62ad0b81c4186395802

SHA256
734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

SHA512
5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

Download Submit
memory/4788-18-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4788-20-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads