ardamax | 7b60c973a7b8d40f2725bd2211f10751a44b70c02d2bf7ef6d0ea4134da12e73

General

Target

e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe
Size

1.2MB
MD5

e98fb884d8db64313a2d421f085e83a9
SHA1

e9d0b52f2a9f18f21f9b23a7db22f707d5bde4d1
SHA256

7b60c973a7b8d40f2725bd2211f10751a44b70c02d2bf7ef6d0ea4134da12e73
SHA512

bc2f9fe7e3294197051f6487c557fc62c5cf71f94b5d5fa0011bd9f45897321089547cc69f6deed75f7062f97c0b2a98ec5cf4ba17471e293120663b6b1dd24f
SSDEEP

24576:xOnITNiz6a5WVfUqBIM7Vh0+FlTyZmKFCNEo2ZEGvPd/6HY8szX5d44bPssQt:xOITNU8VuUmRZ1FUEpiFHY8sLBPsB

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234e2-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5020	DVO.exe

Loads dropped DLL 1 IoCs

pid	Process
5020	DVO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DVO Start = "C:\\Windows\\SysWOW64\\DFWJXL\\DVO.exe"	DVO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DFWJXL\DVO.exe	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DFWJXL\	DVO.exe
File created	C:\Windows\SysWOW64\DFWJXL\DVO.004	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DFWJXL\DVO.001	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DFWJXL\DVO.002	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DFWJXL\AKV.exe	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DVO.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	DVO.exe
5020	DVO.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5020	DVO.exe
Token: SeIncBasePriorityPrivilege	5020	DVO.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5020	DVO.exe
5020	DVO.exe
5020	DVO.exe
5020	DVO.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 5020	2160	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe	82
PID 2160 wrote to memory of 5020	2160	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe	82
PID 2160 wrote to memory of 5020	2160	e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e98fb884d8db64313a2d421f085e83a9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\DFWJXL\DVO.exe
  "C:\Windows\system32\DFWJXL\DVO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DFWJXL\AKV.exe

Filesize
490KB

MD5
4a9c593eecd544d364a177b13c2bca08

SHA1
4d45a5bd2ae551e1094eb5b05a1dd771dd5c5a2f

SHA256
f834b097641aeea37281d50353f3b88fd83749ed77a8db0bfc1f28dc1dfeac7e

SHA512
b7d5e5eb03f05763b34b722e7b19d320db3b2bb32b1d367bf79376c56a01d3c06541db6c2518623e9aa1ca6a7880189519aa1d09fe27817eb5aff67c62dfea03

Download Submit
C:\Windows\SysWOW64\DFWJXL\DVO.001

Filesize
61KB

MD5
1b96913d74f1c4f36c846c0a804a7037

SHA1
8e0dfc0012edb64042b018d470950cd5e415aa5a

SHA256
553b04ef8dd080a1c8c9b285008fbef1134c44fd98ca7cc2d3600b870882e761

SHA512
ed6b01ad0dd6ef9ed24c1e5fd8c7f6f1e68c4c5d5c1d75e770c9cda4cdde09c5eefde6009c864956ff1e1e379d40ee105bf7a1a033bd1ee95c797762d1f06f9f

Download Submit
C:\Windows\SysWOW64\DFWJXL\DVO.002

Filesize
44KB

MD5
6d836081d32019c0a5928587be5ef42c

SHA1
d51bdc15dca361f17418746bbe0efa3a7dee046c

SHA256
6ca6cab6f131ee5b69d445a64cc269f1489ee8ecaf6dbfdbc400b829490f8c21

SHA512
2cabc9d6e8f017b8f42680018cadea69824bb40ec60c7a534135c66363be1b53e575c6fe39b8861923744f62b5e531492f1d729f12de32e29ff9cf7869d22ade

Download Submit
C:\Windows\SysWOW64\DFWJXL\DVO.004

Filesize
1KB

MD5
20782e5185bdc538d1ec4b758f9c7c25

SHA1
56d8d41d21206c6988244da9155b48aee3893fbc

SHA256
c1c14ceaa3cd4d48eb3eaecc0f7bc234bf92a21802ea9d93faeb787a62d2b449

SHA512
b272cce08963f6cce3e3ca69ca964f3c60964cd130925984647aaee0e19eaf9a74d78ff09b6834f5c839e778199f8453ed2852db52c559d617ab8e0c5a074697

Download Submit
C:\Windows\SysWOW64\DFWJXL\DVO.exe

Filesize
1.7MB

MD5
a2ff5d2b7214bd4c0d5e13223ece568c

SHA1
a710b1d805aba3abd7734c0c07f300d7be95a1af

SHA256
60a09a85e7779af967967925237a5408735ea2ecca9b182e0c1049f4f261b302

SHA512
909a51ab15b6b793087728bf5ddae551dbd7b32ed16929e6db0a23c897f742e2218b270c9d055fd6f261b3a1e1595daffc387511e85643bf35a8c0b6155c18d8

Download Submit
memory/5020-16-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/5020-18-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads