ardamax | 9e666edc914999c8c35e5decce6cceb71573e8f81fdbfd6e9264eb8214e7ba0f

General

Target

fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe
Size

525KB
MD5

fa9b25bce5c0a6293035f92d7ce95316
SHA1

b67c13ae984f7d11778e4522220acc18d35e311f
SHA256

9e666edc914999c8c35e5decce6cceb71573e8f81fdbfd6e9264eb8214e7ba0f
SHA512

a3d244a596542ccf1a5573a99a5b920fdae71cf422545b7fe19db1287598f3df036940750d257ede46c9f47b037266313c2c18524759327f2f18e12dbc16a9cb
SSDEEP

12288:rT4HprWom4bgasOKO8nnSvWkvcFbRpJFiHufEOLoW8ofKQtfpY:rT4HpCbkgasOD8nK3YnF3z6YpY

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002342e-21.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	tmp.tmp.tmp1

Executes dropped EXE 2 IoCs

pid	Process
5108	tmp.tmp.tmp1
4100	MTWC.exe

Loads dropped DLL 4 IoCs

pid	Process
5108	tmp.tmp.tmp1
4100	MTWC.exe
4100	MTWC.exe
4100	MTWC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\MTWC.exe	tmp.tmp.tmp1
File created	C:\Windows\SysWOW64\Sys\AKV.exe	tmp.tmp.tmp1
File opened for modification	C:\Windows\SysWOW64\Sys	MTWC.exe
File created	C:\Windows\SysWOW64\Sys\MTWC.001	tmp.tmp.tmp1
File created	C:\Windows\SysWOW64\Sys\MTWC.006	tmp.tmp.tmp1
File created	C:\Windows\SysWOW64\Sys\MTWC.007	tmp.tmp.tmp1

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tmp.tmp.tmp1	fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2384	2988	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.tmp.tmp1
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MTWC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4100	MTWC.exe
Token: SeIncBasePriorityPrivilege	4100	MTWC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2988	fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe
4100	MTWC.exe
4100	MTWC.exe
4100	MTWC.exe
4100	MTWC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 5108	2988	fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe	82
PID 2988 wrote to memory of 5108	2988	fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe	82
PID 2988 wrote to memory of 5108	2988	fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe	82
PID 5108 wrote to memory of 4100	5108	tmp.tmp.tmp1	85
PID 5108 wrote to memory of 4100	5108	tmp.tmp.tmp1	85
PID 5108 wrote to memory of 4100	5108	tmp.tmp.tmp1	85

C:\Users\Admin\AppData\Local\Temp\fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa9b25bce5c0a6293035f92d7ce95316_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\tmp.tmp.tmp1
  C:\Windows\tmp.tmp.tmp1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\Sys\MTWC.exe
    "C:\Windows\system32\Sys\MTWC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 508
  2⤵
  - Program crash
  PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2988 -ip 2988
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8E26.tmp

Filesize
4KB

MD5
b429300c8148810d2e6a8d40009fc124

SHA1
93ec9660cc0d68cadc6c7f44b35ea0a0ef684ae8

SHA256
98445d51b61014815fc43e44933e5dc126c4fe763545141e78ee1358e487b4b7

SHA512
47a1cfdba6c1e04a322116538a62b22d61cf6b31966e53cfe4e54eb75a58530a7636e3deffcfb7e96ff2bdae2b99c7bcb312685d1ceac2f79c118f6347bf2407

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
bcf6fab667525797024d0962e41e9b7b

SHA1
86b3d41b65eb4ed85c6610a4bb595df787bb2a6a

SHA256
916385eb000bc6011cac9b11d89fd08ffaaddf7d727f9c9bf0764bbcf905b877

SHA512
7e04832d129e3bacb4d4d83259ec02e1e6f5da4da742dbbf010345ccd90a0547e12fcca68da3cff284687a112f570ca269596512605715b3477ae99933afc82c

Download Submit
C:\Windows\SysWOW64\Sys\MTWC.001

Filesize
3KB

MD5
6ac5f05661cd6479d76e866301e56484

SHA1
9c29ac93d5d8cf0fe800fdf4cdf481d804b2535b

SHA256
438940b151fb9797861ece7fb55cb29d7d1f78b726fde69b0596b4f08294d4f7

SHA512
94d54a04089da1271da07a119567f7c18a241284a44130d3f0203abdf64890823b3ff911f27e0df8b7b30ac69cf8698ffd336aae5875be81db7f584187338f75

Download Submit
C:\Windows\SysWOW64\Sys\MTWC.006

Filesize
5KB

MD5
3a2ef41ad6d9415229e0b76ec6df1baf

SHA1
e72f2c0d664a4d2323872bd1f586ec60bb0a6342

SHA256
b7e321cf9dacead275e600c2b531e96a62c671e0a2d641e141acbefb509adf2b

SHA512
b8d5f62e7da21d4114f8764afb16bc409921935d3440f8e712740a50dd7a01f850cfda31f0a4b41e4f514d6bb64e407a83e8e034e5be65cddde27817c728caeb

Download Submit
C:\Windows\SysWOW64\Sys\MTWC.007

Filesize
4KB

MD5
cb576a1e67ddeb42dc0e23a541cefdb8

SHA1
9684e67a013de4f0f5066856f553674db0f2749c

SHA256
8a9a4e62b646f072f6c1b5415b8461af96db307f59c4d32c9e4f455477ffc221

SHA512
e173475fbf9541daa6790133ceef4b8af414491c0a198e356ba1b1c2fcbdcf7044e8b8ae22d72f39b2b7b888e254fd742b9b09ae3c4e63fa64b5171508247942

Download Submit
C:\Windows\SysWOW64\Sys\MTWC.exe

Filesize
468KB

MD5
4b64ea8b01e25e1af067d11698778ce4

SHA1
20c4d03590cc3ef10e0b3ddbfcdf6fbb41149847

SHA256
08b9f18c1098036ae8830caae054c451c66478490dcd4c653a01abaa937ee7c5

SHA512
5bea198540fa4dd9234017ec3e7a0cf79da4d3bc53cb715a3a6335567c08ff0871b886d6f4dd80e9f4e9df4cac8be392fc7d0e3456c14624583c6cf337ce65d0

Download Submit
C:\Windows\tmp.tmp.tmp1

Filesize
497KB

MD5
3ec05c76a55a97ef6da3fef0f2e43d9a

SHA1
01c2af3400ca114e1d2d51079fc7df1a639eab1c

SHA256
151bd21915a656b9e42b8ecd230b7d14b4bc43551b8fbcc8c465b882d08ffe63

SHA512
012ed911d93c0c75422d2e4dd51ef109b54a2cc79c772d42110660e623c71c4f5af6a944b85f7289ebfb6836384b1b341ddb364f5ab07c6b687659f16d9b7331

Download Submit
memory/2988-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2988-36-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4100-32-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4100-37-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing