ardamax | c1b4038d33cd9ff893b363969681e51c66382a2c38faed60ba1db884ee5b8948

General

Target

ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
Size

1004KB
MD5

ed454da52205d617a86d28101aeb41ac
SHA1

3dbc93ce3f4719a91f9ec3224fad3959ccc4b9e5
SHA256

c1b4038d33cd9ff893b363969681e51c66382a2c38faed60ba1db884ee5b8948
SHA512

ba8e0492e14ad323f05f32f493ecdd6938a9e25709f957db98e85bd16941cf011cbf50dd0a7189fdbf441fc2c4b8c5ddc5cc58638aba223e49a72fd75e93c122
SSDEEP

24576:XjXTjx296XDo7lfiOQmoAFj8zcxibjreYhGNPnUn:XDTjx/OlfZP9p8zQiNcPnS

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002346f-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3840	NDN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NDN Start = "C:\\Windows\\SysWOW64\\XQOKIC\\NDN.exe"	NDN.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XQOKIC\AKV.exe	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\NDN.exe	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\NDN.004	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\NDN.001	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XQOKIC\NDN.002	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	3840	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 3840	4788	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe	87
PID 4788 wrote to memory of 3840	4788	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe	87
PID 4788 wrote to memory of 3840	4788	ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed454da52205d617a86d28101aeb41ac_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\XQOKIC\NDN.exe
  "C:\Windows\system32\XQOKIC\NDN.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 616
    3⤵
    - Program crash
    PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\XQOKIC\AKV.exe

Filesize
490KB

MD5
7c945f8ff017b9c3e00fb23e47c05b88

SHA1
c5808f4a6494f5f619584ce1eea3bd63fab41675

SHA256
0beb5579a7321017b3efe319e40af7ad940c4d64916295929fe0e88bdd35e848

SHA512
feb202e2c63be69ad77160716bcf4f83bd90571349c6115955fb2ea584d8913dd153ca782974e3b50c9a8cd58df01ade6c88339f0c43c2af5778fc3457132246

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.001

Filesize
60KB

MD5
256d32d205671ac8ed51e56c5c5d2d56

SHA1
c0e98db79b026a2ba7c4838bf11d6e8775a10262

SHA256
064d8c21bd0cf41315cef61af65be92327275633fbdf37771c3d996202909a9a

SHA512
197a6c0d27550d4756c124b41310ae39e546449da3254c15d0070bfeec4600d12f4e653f12e4a554c69eeab615f3e159960805c029f9b4abb197b64af78c5581

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.002

Filesize
42KB

MD5
ecb9e8c27d6cc6ffd1e857767b9c6f24

SHA1
10a9a5054e6f1c8d1bda456b9ecb5bf359faf010

SHA256
5d948e3a55e9b1de0e9f8f89d0dd3a769bbd8d178f3297cc02864f5688dbcb29

SHA512
259ae145a962426b9b60d585d939caf86043b9031480b472ab8ee91eada3d1d7d6fc502718fbbc07ac9600368e81f87e68fd10d5fa039a85a1d4a8ddfde1968e

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.004

Filesize
764B

MD5
2be6a517ceadf19a61c007615def9c96

SHA1
430d68f4cfff2886dddeea37c4b6150e9eaaf028

SHA256
4d69585ac4174bcba7091293c4853697b30ec8d5323f7bbe1d72055284e6c931

SHA512
7047049e4bb5563692bb4faa856821c32dfc361db950a49422b3eaf4c24c5cabeb0284dc136b8d9591453efbcd19682352fd5fbfbecaa4e1346cf1325712f654

Download Submit
C:\Windows\SysWOW64\XQOKIC\NDN.exe

Filesize
1.3MB

MD5
6c94881041df04b34498298262be0095

SHA1
a55cf3e5b3d04cbc3fff689219bb4176db698afa

SHA256
b8e1a7f773703fd5b7e7658bc3f54fd50e4ea6502f9ed3b996c3ef9c977b3d9f

SHA512
dba2ad2dcb51d7dc9e01e668e91132fbb22c6c1423c3dc96c081a1bcc2614987e4091d99c9035abf4c1c2b485c36095a06cfaea67431e1d18a83c186bcea4fbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads