ardamax | 0a4ff2e067fe1644dfca1f3542bc44c86e05c67ec454b7a4775a8a15afa8e367

General

Target

b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
Size

1.6MB
MD5

b5b1d763703c33438c101d5e1bf6d09c
SHA1

199e28b5e26a679abd193ffc215f9fbd5c8062aa
SHA256

0a4ff2e067fe1644dfca1f3542bc44c86e05c67ec454b7a4775a8a15afa8e367
SHA512

44a3290d6c935276da2c7285980a2027df76a7c9b78fe3afb049a6abdb39729f6bf259646698b46bf56485742fcbcbd0556b06c3085d092a272573282093c1ec
SSDEEP

24576:UjxJRkKup3nSivnVM2EgFurReZLX23nHxNawI7JRgRRczuf1van6gG/9Kwfmwk:0ivV5iWLXwnzEyqzkExw

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023515-22.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	win32.exe

Executes dropped EXE 2 IoCs

pid	Process
3100	win32.exe
892	VYQ.exe

Loads dropped DLL 1 IoCs

pid	Process
892	VYQ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runAPI46 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI93.exe\""	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VYQ Start = "C:\\Windows\\SysWOW64\\RAMHIT\\VYQ.exe"	VYQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RAMHIT\VYQ.exe	win32.exe
File opened for modification	C:\Windows\SysWOW64\RAMHIT\	VYQ.exe
File created	C:\Windows\SysWOW64\RAMHIT\VYQ.004	win32.exe
File created	C:\Windows\SysWOW64\RAMHIT\VYQ.001	win32.exe
File created	C:\Windows\SysWOW64\RAMHIT\VYQ.002	win32.exe
File created	C:\Windows\SysWOW64\RAMHIT\AKV.exe	win32.exe
File created	C:\Windows\SysWOW64\RAMHIT\VYQ.003	win32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VYQ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
892	VYQ.exe
892	VYQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	892	VYQ.exe
Token: SeIncBasePriorityPrivilege	892	VYQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
892	VYQ.exe
892	VYQ.exe
892	VYQ.exe
892	VYQ.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 880 wrote to memory of 3100	880	b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe	84
PID 3100 wrote to memory of 892	3100	win32.exe	86
PID 3100 wrote to memory of 892	3100	win32.exe	86
PID 3100 wrote to memory of 892	3100	win32.exe	86

C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\win32.exe
  C:\Users\Admin\AppData\Local\Temp\win32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\RAMHIT\VYQ.exe
    "C:\Windows\system32\RAMHIT\VYQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\win32.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
C:\Windows\SysWOW64\RAMHIT\AKV.exe

Filesize
485KB

MD5
b905540561802896d1609a5709c38795

SHA1
a265f7c1d428ccece168d36ae1a5f50abfb69e37

SHA256
ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53

SHA512
7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

Download Submit
C:\Windows\SysWOW64\RAMHIT\VYQ.001

Filesize
61KB

MD5
0e7e847fb96b4faa6cb4d3707a96887e

SHA1
896fd4064044e271312e9128e874108eec69521f

SHA256
c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca

SHA512
ad680ed30b0cabe1be4e7237b8e620060de9c5f64d088d21a6acf6f293551ab4abc10f8f959aa6041e19aeaea538e72beeecc29b7669546a9a151141d4e73684

Download Submit
C:\Windows\SysWOW64\RAMHIT\VYQ.002

Filesize
43KB

MD5
f195701cf2c54d6ceadad943cf5135b8

SHA1
9beb03fc097fc58d7375b0511b87ced98a423a08

SHA256
177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

SHA512
f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

Download Submit
C:\Windows\SysWOW64\RAMHIT\VYQ.003

Filesize
65KB

MD5
fa881c9545d01792ac6697572d52ab85

SHA1
bcf56567eea2066fce6662651d886d026eaaec30

SHA256
540e5d4e0cac56e0db7e4218838625460b3f4249a3c063c10f8bc01a277752de

SHA512
1c7fe1495b590120605701e331890c0f65b2a01b3179a454ef8622d8765c57ec918c45da68034b85241fedf00cde4e4d8cee74db198c03ca573f5ab64494fb28

Download Submit
C:\Windows\SysWOW64\RAMHIT\VYQ.004

Filesize
1KB

MD5
b56a8e4d491fe306c6e64023c213167e

SHA1
1657c57a388e56cf9a743eb83a35493b7daa027d

SHA256
98e5a09a5b8da4adfb0464a96c04bd8f128a89bb283e4b5eae095d528203dd63

SHA512
f2fbc35f142826f734260d266d8556c4a75b9fe2dd139e186d5c214fa2b97c31cfecc0148b8e1872d66a534d09e488f4f3642ea7b69c2dcc12a0c8618f65bd3c

Download Submit
C:\Windows\SysWOW64\RAMHIT\VYQ.exe

Filesize
1.7MB

MD5
d95623e481661c678a0546e02f10f24c

SHA1
b6949e68a19b270873764585eb1e82448d1e0717

SHA256
cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

SHA512
dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

Download Submit
memory/880-0-0x0000000074B32000-0x0000000074B33000-memory.dmp

Filesize
4KB

Download
memory/880-27-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/880-2-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/880-1-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/892-35-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/892-36-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/3100-18-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3100-24-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3100-5-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3100-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3100-8-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads