ardamax | a676bd39c2939e13185063e83fbcdb02f52b11f3f6433a52b84638c456c0f3ac

General

Target

f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe
Size

334KB
MD5

f039ba0206d99acf666c9523bc2f4f8b
SHA1

a4008925fdc49ced659ee7112a3b8ef87a670f1a
SHA256

a676bd39c2939e13185063e83fbcdb02f52b11f3f6433a52b84638c456c0f3ac
SHA512

d717a429d32d0d7cdfe26aa38c8a348151140955c9c771e28896347ed264170423ff5cb3efab5319f671e1c1224832ae64e5fab06b2d986399a1ab02f25edcd4
SSDEEP

6144:nlW1wiBz/+cF69C9XYJLo7XL9788xGKvR47spQnxaA9yEQ2pD3:lQwIzmcY9C9omxY8xrvR473R9yEQ2N3

Score

10^/10

ardamax defense_evasion discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023455-14.dat	family_ardamax
behavioral2/files/0x000700000002345d-29.dat	family_ardamax
behavioral2/files/0x000700000002345c-25.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe

System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs

Abuse Rundll32 to proxy execution of malicious code.

defense_evasion

Rundll32

T1218.011

pid	Process
5076	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Tray Commander\MouseHook.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Tray Commander\Russian.lng	xcopy.exe
File created	C:\Program Files (x86)\Tray Commander\TC.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Tray Commander\TC.exe	xcopy.exe
File created	C:\Program Files (x86)\Tray Commander\MouseHook.dll	xcopy.exe
File created	C:\Program Files (x86)\Tray Commander\English.lng	xcopy.exe
File opened for modification	C:\Program Files (x86)\Tray Commander\English.lng	xcopy.exe
File created	C:\Program Files (x86)\Tray Commander\Russian.lng	xcopy.exe
File opened for modification	C:\Program Files (x86)\Tray Commander	xcopy.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\TC.inf	cmd.exe
File opened for modification	C:\Windows\INF\TC.inf	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 4488	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	86
PID 1784 wrote to memory of 4488	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	86
PID 1784 wrote to memory of 4488	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	86
PID 1784 wrote to memory of 5076	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	88
PID 1784 wrote to memory of 5076	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	88
PID 1784 wrote to memory of 5076	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	88
PID 1784 wrote to memory of 1196	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	89
PID 1784 wrote to memory of 1196	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	89
PID 1784 wrote to memory of 1196	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	89
PID 1784 wrote to memory of 4976	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	91
PID 1784 wrote to memory of 4976	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	91
PID 1784 wrote to memory of 4976	1784	f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe	91
PID 4976 wrote to memory of 2136	4976	cmd.exe	93
PID 4976 wrote to memory of 2136	4976	cmd.exe	93
PID 4976 wrote to memory of 2136	4976	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f039ba0206d99acf666c9523bc2f4f8b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy TC.inf C:\Windows\INF
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4488
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" advpack,LaunchINFSection TC.inf,DefaultInstall,0
  2⤵
  - System Binary Proxy Execution: Rundll32
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del TC.inf /q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c xcopy * "C:\Program Files (x86)\Tray Commander" /s /e /i /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy * "C:\Program Files (x86)\Tray Commander" /s /e /i /y
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

System Binary Proxy Execution

1

T1218

Rundll32

1

T1218.011

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tray Commander\MouseHook.dll

Filesize
56KB

MD5
3e745f22481b07450f30e64f936a37a2

SHA1
ba6700f0a3d948d99db882004d2da20152df7947

SHA256
06d72e1818e33ebdc2be3af82829e56845d539263e2b6d24712368fe3ae68185

SHA512
98fe9dc8ac9b346ad7cd0488507ee8667a7fd63861be2411de88eae1c6e98567641229bd6b42e622a18fae79f5e23e1ec9968bb6d7414221768c76973ee885af

Download Submit
C:\Program Files (x86)\Tray Commander\Russian.lng

Filesize
7KB

MD5
0900b52f35547a4fc0ec9e93c4a406e4

SHA1
9b223991d6b229c114f956bcb2ba2befe51dabcc

SHA256
3a90c09063db79d994ed940552243d5f6e49d63b7358390f7934ecc0bd2b2ad6

SHA512
6c694c392c44534a8b8e42af1c407a91af404ebc813ede3e9aa78d5901295e696eafdba9876970ea69cc51188fb7b8a1d1cdab0300379d2a481808d00f98ade4

Download Submit
C:\Program Files (x86)\Tray Commander\TC.exe

Filesize
912KB

MD5
6cb58710d2d5e150f3939f9da788a027

SHA1
32fa977a1ebba73dc5315ae70d0753577949e1e9

SHA256
ba6a656e609f20a59e5bc3d1ef0c65b06aeb5d6d0442691737b78fb464789fde

SHA512
e4f3dc946ce2a40e95f3addcd14a54c598bf57c59eef116888a02960afb3aac69b1fab05a6d9ac0444908c4f20b3507e66cf9caf0684a44c1f679eeba11e5cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lng

Filesize
6KB

MD5
8dd863ee37377b9262d8c0d1fe7c0ab3

SHA1
7a7b610e2d4157029b76960ff1ef76eeac270738

SHA256
e971b69b010ccd268e61e5d8513be87967d731ea0d3ff31a91ee2328ffecf9c8

SHA512
81f9c34af78485b61dff7ee2e335433602e18c46e0dbbbcfeec47c1320f4f89af088bde737e5f6f3a10f17c4099b6c5ce6d151c7cf2d5f7a6fb0810a45e2f0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\TC.inf

Filesize
2KB

MD5
815a8ca02a3a97f0696c890b35492fcd

SHA1
beda158470bb3d7fe9b1b0691155b59b58bdfa27

SHA256
8fe36a0fb3b8b15c4578b1c1caeb020afa28e910419ab7b57311c76dcb3e1076

SHA512
81f2faf79f4035ca2f4b6237d10cd4ff98b7343962ecdb32f5daf509d65c5eebac74d827318a75b0f2d338e72d9c55530ecfe4250a1e11f9969b54261da30781

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads