ardamax | 64a036220f70fa81cf329bd327234f389043519848d134d40c06922f3fdfd14b

General

Target

e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe
Size

992KB
MD5

e80833781f81f299f5325bf9449d0312
SHA1

fcf214258d5aa215d2b293d7182383eb504e5994
SHA256

64a036220f70fa81cf329bd327234f389043519848d134d40c06922f3fdfd14b
SHA512

fa40d07ad82a4b2bbdb872abef82b2295c4789556193f46c072c72d64aa758604fe785e8520f8263ed7db56a51dd93917d0d99fca698ebfeb99df4a38aa5e811
SSDEEP

12288:HKUouvazKUOLRoVtjf5kBRi2d/NjvQpC68CubZZuTUmiSJHr7PZ9TD:H5NIgoVtURi0+32Go+HZ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000235b7-18.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Job.v515.dll

Executes dropped EXE 3 IoCs

pid	Process
2316	Job.v515.dll
1840	system32SSRY.exe
5056	Selamla.exe

Loads dropped DLL 8 IoCs

pid	Process
2316	Job.v515.dll
1840	system32SSRY.exe
116	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe
1840	system32SSRY.exe
1840	system32SSRY.exe
5056	Selamla.exe
116	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe
116	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32SSRY Agent = "C:\\Windows\\system32SSRY.exe"	system32SSRY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32AKV.exe	Job.v515.dll
File created	C:\Windows\system32SSRY.001	Job.v515.dll
File created	C:\Windows\system32SSRY.006	Job.v515.dll
File created	C:\Windows\system32SSRY.007	Job.v515.dll
File created	C:\Windows\system32SSRY.exe	Job.v515.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Job.v515.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32SSRY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Selamla.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1840	system32SSRY.exe
Token: SeIncBasePriorityPrivilege	1840	system32SSRY.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
116	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe
5056	Selamla.exe
1840	system32SSRY.exe
1840	system32SSRY.exe
1840	system32SSRY.exe
1840	system32SSRY.exe
1840	system32SSRY.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2316	116	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe	89
PID 116 wrote to memory of 2316	116	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe	89
PID 116 wrote to memory of 2316	116	e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe	89
PID 2316 wrote to memory of 1840	2316	Job.v515.dll	90
PID 2316 wrote to memory of 1840	2316	Job.v515.dll	90
PID 2316 wrote to memory of 1840	2316	Job.v515.dll	90
PID 2316 wrote to memory of 5056	2316	Job.v515.dll	91
PID 2316 wrote to memory of 5056	2316	Job.v515.dll	91
PID 2316 wrote to memory of 5056	2316	Job.v515.dll	91

C:\Users\Admin\AppData\Local\Temp\e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e80833781f81f299f5325bf9449d0312_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\Job.v515.dll
  C:\Users\Admin\AppData\Local\Temp\Job.v515.dll
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32SSRY.exe
    "C:\Windows\system32SSRY.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\Selamla.exe
    "C:\Users\Admin\AppData\Local\Temp\Selamla.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4348,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@2E2F.tmp

Filesize
4KB

MD5
b7ea0bc4bb833ab77dce179f16039c14

SHA1
b05cc205aa6ffc60a5316c1d5d3831def5a60c20

SHA256
e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba

SHA512
5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

Download Submit
C:\Users\Admin\AppData\Local\Temp\Job.v515.dll

Filesize
482KB

MD5
be24d37789b9d7398ee14c632c647cc1

SHA1
eed8686e02e11a7612fbd1d436b87e759b2fd95e

SHA256
a9803da162412180d6aabf4d1302e2e757f8c36a1f629573f01da35f48cafcb4

SHA512
f8157111b0b2e76102c41c0b187eba2c651387835add0a3b9c98d83ed8b518d9251c701ec9de17d37b525694ab624f753d36009456e2a2268b445fa289167467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Selamla.exe

Filesize
16KB

MD5
17e2fd7c20f4eec6c3ca84c3db660ea9

SHA1
1118a2f602a8e0350ad5c681c3d896b5aae44a90

SHA256
c11145cb46c00dcebeee513e14e1629f93c1d64522e3df64db982a7539360933

SHA512
8fd50e0ac295feee4da2781f660f198068c47a68b3d36f53f54003ba42fd1d7e86afe173e01475273681e5a9db2fad725f49e5bda7be4a10f91add48ab2b3bf6

Download Submit
C:\Windows\system32SSRY.001

Filesize
410B

MD5
817f5f87b1c5639a4bc46d9e5b5ba297

SHA1
1b849503dd79c50e4c128166e2346fa1e3fa9240

SHA256
b9436c61ee1db64c3a4aaa23fd51903150b214fb6ba2feadd2161d45cf445eb9

SHA512
6c7ea7a87627cf2383be145957ab109f091e631b8aaf458896c56735392098de9593b55d2d44d742ba33d294bc64c8802db81370d4f2988e040b2ee67dc031b9

Download Submit
C:\Windows\system32SSRY.006

Filesize
7KB

MD5
87ccf7eb039971590aac6f254b2c788a

SHA1
3095496ffd364b32cdbe63ba4dd2f477fd848515

SHA256
59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b

SHA512
d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

Download Submit
C:\Windows\system32SSRY.007

Filesize
5KB

MD5
81938df0dbfee60828e9ce953bdf62e6

SHA1
b1182a051011e901c17eab2e28727bec8db475fb

SHA256
982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98

SHA512
64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

Download Submit
C:\Windows\system32SSRY.exe

Filesize
471KB

MD5
912c55621b4c3f0fb2daef5b4f4f5f4c

SHA1
735701c75569b7563950508afc8948b52e7bf4b2

SHA256
41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0

SHA512
65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

Download Submit
memory/1840-40-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1840-51-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/5056-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5056-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads