ardamax | 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4

General

Target

e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
Size

505KB
MD5

e07b9e9eabe0c861ceead05b4d3c393c
SHA1

4552983c9df2cbb4aa31d878da3b1ab3ee428aca
SHA256

61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4
SHA512

07109101aea1b3217776e08210c7333a7b4d283cf2d434060dae593a8b82e9457a33a7ee87e817ac7ed8298eb716abbf0a01f8ad53f5a6eac2faf6bcac4d02be
SSDEEP

12288:J7O4lUUxKuPafPwqHlo74iKo0DR6V/y4bMmLqNEb1L:9OPHwqqPOMVBbMmLUEb1

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000234eb-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	AWJH.exe

Loads dropped DLL 4 IoCs

pid	Process
924	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
2000	AWJH.exe
2000	AWJH.exe
2000	AWJH.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AWJH Agent = "C:\\Windows\\SysWOW64\\28463\\AWJH.exe"	AWJH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AWJH.001	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AWJH.006	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AWJH.007	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AWJH.exe	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	AWJH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWJH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2000	AWJH.exe
Token: SeIncBasePriorityPrivilege	2000	AWJH.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2000	AWJH.exe
2000	AWJH.exe
2000	AWJH.exe
2000	AWJH.exe
2000	AWJH.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2000	924	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe	91
PID 924 wrote to memory of 2000	924	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe	91
PID 924 wrote to memory of 2000	924	e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e07b9e9eabe0c861ceead05b4d3c393c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\28463\AWJH.exe
  "C:\Windows\system32\28463\AWJH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A4CB.tmp

Filesize
4KB

MD5
cbfaf9948594946d4921a261fe5c3e40

SHA1
e4943ed1144bb62c1048852275a843af1b4970a6

SHA256
e257d3a598449605f269ace371b27c675466f6410efe12f4bab2ca38d24a0f4e

SHA512
9ee932f3de9e02245cef9d6df4d094a1bd9d4691d8ffe0d26b8983b427fa9a71fc14c3e56f5e1894c57a5734d1c42593ce5137f19c3d607afc2a3fcf7db5672d

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
416KB

MD5
e0d6dcf917123c3b01804904afe14654

SHA1
559eec79c61aa1a9cbbb95ca509bad9f9fad226a

SHA256
afd6d7abbe378994509913652c26b97711818dcde1bc620ca37210abed502653

SHA512
c36907bf0ea2df54785fe94123996ce2c0ddaf1d27d624a25337850ca7f71d61831728e5dd25168c103e893d0f8a481700808f27b5cd3461c6431b6928820e90

Download Submit
C:\Windows\SysWOW64\28463\AWJH.001

Filesize
504B

MD5
013438f3f5e6d442068aa7351f966b34

SHA1
56e3b3cdb54c728c2f26cf1e6e138f3d5947a9bc

SHA256
93806b9e64ba253039e1d6021c5a98188ab2ccb060dd0b336e1c08491fc2840b

SHA512
7b4e60cf0b1dbdf9fed5928c5d9d44551f96f4a4401e6fd0595048ed5bd4556b22dc0cc3913d989bcbfc08c9ee0905c83b93cf8f66634a43e6109ac55d9e5d58

Download Submit
C:\Windows\SysWOW64\28463\AWJH.006

Filesize
8KB

MD5
315504430c5af82495fb4d568e3b4d68

SHA1
828f9aafc692ad9e14bb6c21e2375074a2d2f70a

SHA256
ae2ffedba57333a174c82ea96eb3138b87cda18c9a4d725576a49d1f0257a3a8

SHA512
3c4f5db37c5c69a323e5ca79d66dd064be51e66239fbd33d09d918ba509d1aa3d81ac2af8db06f36ea4ece8ce8e4b34da25e9abeff03256078e15e35f1136c94

Download Submit
C:\Windows\SysWOW64\28463\AWJH.007

Filesize
5KB

MD5
b6d72867826e2f2b65a429f47c7c9064

SHA1
2408cf4a32bfb17d0512e09d0371922069fc2eb2

SHA256
7680db19d355a0df6b28a75f01acda61084af247ebc73b4816668ff22c0c3017

SHA512
6bdfe3c06d1ea86f3f1167e5e71e78f951386ac54b9067da88811bc36e3cfe28b55647c81b7e80e770fae5a32fc48e384c4f112f8c6ae99211345830345b7234

Download Submit
C:\Windows\SysWOW64\28463\AWJH.exe

Filesize
540KB

MD5
dcf2ea033e19787b8d51f68906db222c

SHA1
cba5862bc65604ad41084ad1acee16748145bb44

SHA256
c551d2d7f4b20f04b48821c086fa75842f364e4910f5022e7179451913fadce3

SHA512
ab1e95de35d0ee841f8e204ec9b480cd9cabaa811139bbf770086f81add257c67d12e0c0ae12a47efd1c3ca6dc93ea26a1b17ad64283d84cb08901d44942c2be

Download Submit
memory/2000-23-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2000-27-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads