ardamax | 7ec515b39707ff745b04a84ad8b54693f3ebfe257916b7aa493d4af6dc7b5ade

General

Target

cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
Size

1.5MB
MD5

cf712e0e1b007039477b42d9bc3d0f41
SHA1

c717859e2db94f568f32d5f3577ca34b5fa6e694
SHA256

7ec515b39707ff745b04a84ad8b54693f3ebfe257916b7aa493d4af6dc7b5ade
SHA512

178bbc4e3b89ae16336b38f8f487dd2f282201852bfc41930598f157e3d42b6c036a3917643180a58e365f3f4350a7434accf84b0896cef8066bb0df2987a68f
SSDEEP

24576:+DrTWoILNUc0Hy9wA9YhAnCnwmG0hMJ2klg+mG/fySYLKOl8v3dGIfADD9l1x:+XTZWNWyyAWywwjwCg+dTMK6gNGIaD3

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002343c-9.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	PEX.exe
4944	firefox.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	PEX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PEX Start = "C:\\Windows\\SysWOW64\\KSUACV\\PEX.exe"	PEX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KSUACV\PEX.004	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KSUACV\PEX.001	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KSUACV\PEX.002	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KSUACV\AKV.exe	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KSUACV\PEX.003	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KSUACV\PEX.exe	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\KSUACV\	PEX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2460	PEX.exe
2460	PEX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2460	PEX.exe
Token: SeIncBasePriorityPrivilege	2460	PEX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2460	PEX.exe
2460	PEX.exe
2460	PEX.exe
2460	PEX.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2460	2252	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe	85
PID 2252 wrote to memory of 2460	2252	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe	85
PID 2252 wrote to memory of 2460	2252	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe	85
PID 2252 wrote to memory of 4944	2252	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe	87
PID 2252 wrote to memory of 4944	2252	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe	87
PID 2252 wrote to memory of 4944	2252	cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf712e0e1b007039477b42d9bc3d0f41_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\KSUACV\PEX.exe
  "C:\Windows\system32\KSUACV\PEX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\firefox.exe
  "C:\Users\Admin\AppData\Local\Temp\firefox.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\firefox.exe

Filesize
902KB

MD5
76d68325edcb5b20e9860e018daddbff

SHA1
8c6400e0e8f04fccd3ba39a021e9cc701b243d31

SHA256
b8ea4decdd1ba8399317d677830d3cc337173366205ab81c932595b537c2add8

SHA512
b7ee8c87b3959c80790437a5394d5ec21d7091e398649eacff2e3c715b59630ce11d25636b8302449e2ac2aec7a53c5d0dc6a6611e45a20b49693a6e9b747897

Download Submit
C:\Windows\SysWOW64\KSUACV\AKV.exe

Filesize
487KB

MD5
0591055f864fdbf838f05500a4033170

SHA1
5d273a442877a65e501e5c123f3dc45677c7d049

SHA256
24c622dfc83330b4f233dcf87684c00a734a1112284188cfe1636221590e9497

SHA512
b6cf93e63d074ecd3856543bfea14f58c37594289dbb13595cdfb79f8ce027795ad00dccc7ca70b621767c9ba03b8ebe2014e5fddd53608405f00c2791305074

Download Submit
C:\Windows\SysWOW64\KSUACV\PEX.001

Filesize
61KB

MD5
da40e93ad90ab590fe53693447794639

SHA1
ecf59a5ecbd382191169eda65f86ea331dd08547

SHA256
b82f906b6429aa5c3df2dd7d2b61f33912c8db41ff783d35731050a024bc6420

SHA512
87dbcbd1825ea71c78583680650236e8a8f8d4f718cf85f1542ed51fb1caaa4ff059ff0f201125564bcd80fa9d20c1d9ccd11e37133c7fef5ad30b27996f44e6

Download Submit
C:\Windows\SysWOW64\KSUACV\PEX.002

Filesize
44KB

MD5
377ce908ebaea0de394f2e850ca6a26a

SHA1
d54276a5deeab532d5e5e3602e08d608e95c0707

SHA256
dd81ace139ab0d6ca157775a5479fe6b94dc58de3a9bf81d39225967697cbcef

SHA512
fda6bd43017754e7fa23037591073a52bdecac8629b5b2fe0eb924fd958dd450074b742ee94879430e0d4155efa9fc0a080b6dd035cf726cce3cb575ac6eb35f

Download Submit
C:\Windows\SysWOW64\KSUACV\PEX.003

Filesize
66KB

MD5
bb539ff6a07c7ac0b60c9a5fddbb18d8

SHA1
ecfc555fdc98d347050e39db2cc666f6d637804d

SHA256
b9d16d56d84aefdfccf96b9158e7d67538f828574cbe03bdfe4e260cca555957

SHA512
a2203e5fad05b71206a180b289def908810189932c38f2cbcc68390fe00349b54aa160b5a89a3396d74339e8b0b246549a516518e2a2abfd5a77d6d3f6cc708c

Download Submit
C:\Windows\SysWOW64\KSUACV\PEX.004

Filesize
1KB

MD5
1eb6e25faf41a56d4b91ff89d479a0b0

SHA1
88b8fc8c271ef446a2817615b3f23bd7143dec78

SHA256
a8a1b00956410dc4e0cc6ae8f120c7d06c72999eb0bf22732a949090a77ff2bd

SHA512
1f18c28785fdf7390bc3b4334fb799a1a42df342ad20407fc333ace0f85c8f1bfc263ac118ed51103fe833433ebd9802f9e3b8603231636793592d3b53b8f26a

Download Submit
C:\Windows\SysWOW64\KSUACV\PEX.exe

Filesize
1.7MB

MD5
913606bf5ce3b52911d6645f99b066da

SHA1
1a651dbc73e39f9f8ff4b8979b463e9b2c480f60

SHA256
082036e132e0317a4dfa2add3e76ec42a82c6c64623d4cffc92314f3511bdc4d

SHA512
d136e882a1a87eac4706b4aea82a10584d7570116e6b025f6ee419d13eb2760dde2f54a10fa1ac149be62441f75f171ba0dc8503c00d404877ff9d433212604a

Download Submit
memory/2460-29-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2460-31-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads