ardamax | 616ee50bca94c520c91d470e4736e77b2989b8ec715adf821b09577dc5045468

General

Target

e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe
Size

1.3MB
MD5

e1100f10834787ea60e0b072d855f07d
SHA1

f90b89a73967562373e0ba0bf402a86c4faa7fb2
SHA256

616ee50bca94c520c91d470e4736e77b2989b8ec715adf821b09577dc5045468
SHA512

491ce55f6372d6f9736bd602d5c5a50fac60dbf75b2f92dbb79d3d91819ad4f5d9a0989c4f6a82e94a659c87c51cee577a59703d625aa8c22a72573304bd09f5
SSDEEP

24576:zzwTT6Vwry63aAu1bqTcOGFrX7GpiakqHcBD+navrw89kVa815tJ7yuDZbgA0mJC:zz+Tni4lGNiFHcGER9gaFuDCAfxS

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234f1-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3240	JHT.exe
3276	nf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JHT Start = "C:\\Windows\\SysWOW64\\EPQTLE\\JHT.exe"	JHT.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\EPQTLE\JHT.004	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPQTLE\JHT.001	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPQTLE\JHT.002	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPQTLE\AKV.exe	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPQTLE\JHT.exe	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JHT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3276	nf.exe
3276	nf.exe
3276	nf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3240	4004	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe	86
PID 4004 wrote to memory of 3240	4004	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe	86
PID 4004 wrote to memory of 3240	4004	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe	86
PID 4004 wrote to memory of 3276	4004	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe	87
PID 4004 wrote to memory of 3276	4004	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe	87
PID 4004 wrote to memory of 3276	4004	e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1100f10834787ea60e0b072d855f07d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\SysWOW64\EPQTLE\JHT.exe
  "C:\Windows\system32\EPQTLE\JHT.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3240
- C:\Users\Admin\AppData\Local\Temp\nf.exe
  "C:\Users\Admin\AppData\Local\Temp\nf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nf.exe

Filesize
532KB

MD5
315a376875937477be7712d6d883c7bb

SHA1
a27362c7553d0304bc3b0cd5c292e070f30c37c1

SHA256
8d16dfb8bbce0ac19a3d4a6ab941fbfad27158ed137d7cc5958d9ea9ac3aa57a

SHA512
c2c3c6b55d35630cc3fa47ec8fc32ff353435501718df69bf2bb86ba24dcd48a40d27a564cbc5899cd54dd5193e2ae9f41bae67b802f2f1c116ce18588722c8a

Download Submit
C:\Windows\SysWOW64\EPQTLE\AKV.exe

Filesize
485KB

MD5
42150775d201a85ebc379d21aa253f85

SHA1
fccd7df34e16abaf8d55935016cdb15df8041e06

SHA256
00206ccef9ee8da111cc547c698b7e61736b328de48ac5c307d05f2921ef0b9c

SHA512
4ff3c587a8d88e319acb028829c75ecb3e11c16a62ba9c2090720613c51c6555af698ba8ff75672b405602f196ed1b99dbeb9395bae62aac2140fa31600b36e0

Download Submit
C:\Windows\SysWOW64\EPQTLE\JHT.001

Filesize
61KB

MD5
9681d3e1f2c53ad98b8467b3acca33fc

SHA1
04d5d08781f27d6e08ad0262f7325b2be4db7743

SHA256
baecddca15ea6932b9cd4e7f5bae848c3c290660a85c408b898150c6f8fd744e

SHA512
5c6191fb676ace9d1c2ddfd4e98651959ab24b718ab626c343e2bb271d31edd8ba43ed9de528c7832ddcc2137d2424c22bb19f115dc252e1400cfcd3edce2098

Download Submit
C:\Windows\SysWOW64\EPQTLE\JHT.002

Filesize
44KB

MD5
e65e4bdb2c86226589b88f101153c01b

SHA1
731be43621721dba20f0bb74966ea08043ef37fd

SHA256
e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2

SHA512
7700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd

Download Submit
C:\Windows\SysWOW64\EPQTLE\JHT.004

Filesize
1KB

MD5
852eb5b86d49f1068c41c7b2b84b4e5f

SHA1
2afa10bce29adc1432630bc9139122c683eb938b

SHA256
63d45df7b89e07080aed93298da8dd930d19746f289c0f66cc52a541db8ced6e

SHA512
35a5e0f8a41150451bfe235550f1a5ca15232cc791d7f657494370f0c8875401d700c64537237c502699acbbc673dc63783c3026c31f8ac902f22500d959a4c5

Download Submit
C:\Windows\SysWOW64\EPQTLE\JHT.exe

Filesize
1.7MB

MD5
9a6a50772539f5a61fefa29c34666223

SHA1
b2b8650d817ef7d86bfef48420e9716f0ffdccce

SHA256
93db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b

SHA512
eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed

Download Submit
memory/3240-26-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3240-57-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads