ardamax | b5caa1969c3f79397f7d79bb0c4b4996f28e60cb463ac641915a5e6f00e800bf

General

Target

d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
Size

1.2MB
MD5

d1264394591171f7aec07628e8cabfb8
SHA1

51c128411497aaa60c55fbc20d173c7fcb82ba17
SHA256

b5caa1969c3f79397f7d79bb0c4b4996f28e60cb463ac641915a5e6f00e800bf
SHA512

b800a52320f4d1098050a3f5bcb52a767833ed0802e7d5cea98ccbd8648f3df00efe5224475625371f3506db83ca1c2e3649d8ff582e7fc64901d14b34dfc603
SSDEEP

24576:guNOT9WWYPYIRuPR2C4/3bf7S8wqRsJNWlHznWCliYatKwTOkwfZHuDcJ:gucTQW4lWAzfwasJYpyO5xHu

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234d1-8.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	BVN.exe

Executes dropped EXE 1 IoCs

pid	Process
1040	BVN.exe

Loads dropped DLL 1 IoCs

pid	Process
1040	BVN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BVN Start = "C:\\Windows\\SysWOW64\\GCAKTL\\BVN.exe"	BVN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GCAKTL\AKV.exe	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GCAKTL\BVN.exe	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GCAKTL\	BVN.exe
File created	C:\Windows\SysWOW64\GCAKTL\BVN.004	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GCAKTL\BVN.001	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GCAKTL\BVN.002	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1040	BVN.exe
1040	BVN.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1040	BVN.exe
Token: SeIncBasePriorityPrivilege	1040	BVN.exe
Token: SeIncBasePriorityPrivilege	1040	BVN.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1040	BVN.exe
1040	BVN.exe
1040	BVN.exe
1040	BVN.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1040	5084	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe	83
PID 5084 wrote to memory of 1040	5084	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe	83
PID 5084 wrote to memory of 1040	5084	d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe	83
PID 1040 wrote to memory of 3564	1040	BVN.exe	95
PID 1040 wrote to memory of 3564	1040	BVN.exe	95
PID 1040 wrote to memory of 3564	1040	BVN.exe	95

C:\Users\Admin\AppData\Local\Temp\d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\GCAKTL\BVN.exe
  "C:\Windows\system32\GCAKTL\BVN.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GCAKTL\BVN.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GCAKTL\AKV.exe

Filesize
487KB

MD5
eb9f503f6859a5161bcb9aeac042ceab

SHA1
d46039f98020e296bbd6455c834c6299528c821b

SHA256
51fc5b6f1711fd6b4b5945d935d37f57609eafa68d865c1ec1464b0ab221830c

SHA512
fa034d6292e0c16bb4958f1efe2b51577db99df6ccdb2223ba3fee4bab1796a5d4fa37667c077296da22e4c67d39ae0667a428f774aa2d5d3c7750a28320d33d

Download Submit
C:\Windows\SysWOW64\GCAKTL\BVN.001

Filesize
61KB

MD5
2666d675f8905ce58b7e961ffbfe8f61

SHA1
afa6625a916d27da14a591feba03352b2afb91cc

SHA256
1594c6986d0e4339825e2c812791c54c912d8358a76b6058da0bf6bba5f5c697

SHA512
81193afcb9406ea906db628ae434f576b6e4e2959674902cf8c2b11f5c7007b384a8e0385a6889637506f289d4849dd8dcb32dee9302363834333ef7813a2778

Download Submit
C:\Windows\SysWOW64\GCAKTL\BVN.002

Filesize
44KB

MD5
52f41f282445a7a75238c2bf31ff7b7d

SHA1
5b5c5eb4066e2c583137dff7e1333b89640514a7

SHA256
3a9e12f314bf9b5f043f3f05556b244a7ba244d3625f8adbd9cb59e9385ac4f3

SHA512
bc6e2959be659a86a2de4bb1dbae8171a6b02e39fd98e948c1c40e96e101e73af274e6ceb590fd5aa5e5cb558e8e80fb79aac0162cdc2266ab1b173bda419107

Download Submit
C:\Windows\SysWOW64\GCAKTL\BVN.004

Filesize
1KB

MD5
bfae0c1e1a74b658a8af46db7cc8ccff

SHA1
b4dab36bf3dbee4b50df053d15855c5d5d4870d6

SHA256
d177ea0c6c9bc32640b94f1975661f6f25f8cf5dd79f397ffcd224ec81287df3

SHA512
97362ded536c6147c319c8a0be65a8e0a5bc8b4cde32b9320118bb14b5708432aeee8df581ca8250ba55fb6289b965659242eac85f353aac9876a4fe6939653d

Download Submit
C:\Windows\SysWOW64\GCAKTL\BVN.exe

Filesize
1.7MB

MD5
68c19411dc10799efff9cfdb1dfa6ea3

SHA1
b337a16ee1a383ff4406fdaf65816f67174a6ec6

SHA256
a8565859541d680f0d8c74acdc0e0fee438de817785f4f596e470bdbefca0855

SHA512
16a2d576df4a24fa7f973e8e588f8cc79281d03343510344e6ef4ff8e3903e3a7751f38ef4f1c9fa2f8bdfaf3181b4fecae6905833df861c98e5b7b993a429d3

Download Submit
memory/1040-16-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1040-18-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads