ardamax | c59bab8d7c52d89ad8f1f7c9f427977f47b6777e8ec78de1633c19dcedb55a08

General

Target

f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe
Size

1.0MB
MD5

f0a2e8a793e51910361edd2bdc8666c8
SHA1

014e4d34c67c35e9a82dff9aa828b865082ff5a9
SHA256

c59bab8d7c52d89ad8f1f7c9f427977f47b6777e8ec78de1633c19dcedb55a08
SHA512

7eb549bbd6698557e76656c25a55e553441661d08adc7395f738dd78af152ee061bc0a5d6af92685e0ccc2ec1f1d67e32b33628c346bb9fe6e59d79d153b1d50
SSDEEP

24576:+bPTdiJTqTI0LBK10z8h9k+iolFZq4kBwlqpYmHfFxG8I6cS:+7TGTqThlK10Se+HTZu+lq2mHj7/

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002365c-9.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	NDP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	NDP.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	NDP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NDP Start = "C:\\Windows\\SysWOW64\\NJMTCR\\NDP.exe"	NDP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NJMTCR\NDP.001	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NJMTCR\NDP.002	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NJMTCR\AKV.exe	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NJMTCR\NDP.exe	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NJMTCR\	NDP.exe
File created	C:\Windows\SysWOW64\NJMTCR\NDP.004	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2836	NDP.exe
Token: SeIncBasePriorityPrivilege	2836	NDP.exe
Token: SeIncBasePriorityPrivilege	2836	NDP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2836	NDP.exe
2836	NDP.exe
2836	NDP.exe
2836	NDP.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2836	2388	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe	89
PID 2388 wrote to memory of 2836	2388	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe	89
PID 2388 wrote to memory of 2836	2388	f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe	89
PID 2836 wrote to memory of 3972	2836	NDP.exe	101
PID 2836 wrote to memory of 3972	2836	NDP.exe	101
PID 2836 wrote to memory of 3972	2836	NDP.exe	101

C:\Users\Admin\AppData\Local\Temp\f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0a2e8a793e51910361edd2bdc8666c8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\NJMTCR\NDP.exe
  "C:\Windows\system32\NJMTCR\NDP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\NJMTCR\NDP.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1308,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NJMTCR\AKV.exe

Filesize
449KB

MD5
83fec9657eb13e74504a6efb3f1aad0e

SHA1
cb2f84288a5435bab248716c0855601ee66a5983

SHA256
8ca4fb9f3830165b3e03b6797ba5f1147fa884e4c4a5f16f6d64620ba670d50d

SHA512
ea7cce2c602497c8c6da31a00f90fb08a4b27d3593ca330dc16937dff518fbb22c89fbd47396a5c8cc740dd2589d2db577b570aaf898bb44c57999512a6f05b7

Download Submit
C:\Windows\SysWOW64\NJMTCR\NDP.001

Filesize
61KB

MD5
1d6f0b3843d17046be7669262085fb67

SHA1
703b2d00731920b77041908ee4ec44ed10d6f8f9

SHA256
88c91de925b84024367fd2a0a2597ef884c16f424771ca1a17780fb4cff7c591

SHA512
23c6e8c94908bce7400527c7ad4bdd030074d45c48421140eeee6a9e156571d5a31c4ad7bb0f2042b2dfceab14f36044c433c0b2d4cdee4dfed1dccb9b28188a

Download Submit
C:\Windows\SysWOW64\NJMTCR\NDP.002

Filesize
43KB

MD5
4207e94e5371e60c5a1c8a3a1bf7169a

SHA1
469d55baaed9f93dd74bdf41383a760fd8690342

SHA256
0caf0bcee50026d048e8c02345be9d6aa387db5245d99c2dcc255c75eccbcec5

SHA512
c85ed60aefd0bc7105760df5d969ab606e1d6775de20b11ef14b454fc27f1308e91111786895e42c38b019f286425f980ac113086809ed3c6babc778af5deec1

Download Submit
C:\Windows\SysWOW64\NJMTCR\NDP.004

Filesize
376B

MD5
bc96c84ef436210c9d666b631c36807b

SHA1
f917724ec8449113584870f0e63cde72fc184960

SHA256
ba2403c3af9d82e9f8a4949f3e9c9cf061c57b8a7bffb1ed2c87a1b04fd32f3e

SHA512
6825eee924960f7fe1cd954ed92137915ff48d6701b4ee0f78d29759fb15d0a821704ad46013f5114230c4c51bd2ce29aa303060035cc2c7b2fe3222f908c428

Download Submit
C:\Windows\SysWOW64\NJMTCR\NDP.exe

Filesize
1.4MB

MD5
3c0034d74caf9846686a2d93fd3079ac

SHA1
949adf7912c74ca8517d70f30b823264a5a7e067

SHA256
55750ec7e5c987dbe2585f0e4b1728999b3bb94d5efd458f4aed75efa960855b

SHA512
5c25cfbbdb2f794a484a2a1d9a454d9b13ab90cba0313ce995330e97516b422524cd388a357d211addfdfcec06d681edf131a3b98839a3f6d3d9863d97ad1399

Download Submit
memory/2388-0-0x00000000007B0000-0x00000000008BC000-memory.dmp

Filesize
1.0MB

Download
memory/2388-13-0x00000000007B0000-0x00000000008BC000-memory.dmp

Filesize
1.0MB

Download
memory/2836-18-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2836-20-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads