ardamax | dc4f9ccfeed3b040efd67d90e491c115b32887664845a05cc9018263c8116083

General

Target

fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe
Size

986KB
MD5

fc7667c962cc70254bdbf5c20490ff8d
SHA1

74b56cd78731c5cf3a2d838aa527ba98ace4af2b
SHA256

dc4f9ccfeed3b040efd67d90e491c115b32887664845a05cc9018263c8116083
SHA512

b0d3ab6053730f4263759df8b58a4947247b8c1ec13c674dc5db826bcbcf4a0d033039cf1412b09792ceb5c90f194d7ee79036f5751763869d3dd8d6bb4cb208
SSDEEP

24576:+MdTTDWpMsrWM8Eoox2AekP1/37sm3DU4SeAqKji2/TV5nJ:+MBTqpx85AekP1sm3D8eO

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023443-7.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1176	IBS.exe

Loads dropped DLL 1 IoCs

pid	Process
1176	IBS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IBS Start = "C:\\Windows\\XXOCVV\\IBS.exe"	IBS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\XXOCVV\IBS.004	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe
File created	C:\Windows\XXOCVV\IBS.001	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe
File created	C:\Windows\XXOCVV\IBS.002	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe
File created	C:\Windows\XXOCVV\IBS.exe	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe
File opened for modification	C:\Windows\XXOCVV\	IBS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IBS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1176	IBS.exe
1176	IBS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1176	IBS.exe
Token: SeIncBasePriorityPrivilege	1176	IBS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1176	IBS.exe
1176	IBS.exe
1176	IBS.exe
1176	IBS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1176	2384	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe	82
PID 2384 wrote to memory of 1176	2384	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe	82
PID 2384 wrote to memory of 1176	2384	fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc7667c962cc70254bdbf5c20490ff8d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\XXOCVV\IBS.exe
  "C:\Windows\XXOCVV\IBS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\XXOCVV\IBS.001

Filesize
61KB

MD5
2235fc6de0e4a5c7b2907189deed75fd

SHA1
9f91cbe5fb9fbc50b50409ad16d5b805e94b16b2

SHA256
ae36fb7840b98c74ba34c1dd9c581e7185c5f2521fe611446adf3149a08a0a6e

SHA512
fc9235695505e1b87d8cc06771ebb91c6b4e05f091a3dca60592ce42538a57a798e45d8c3093ebc1db9faed340d85cee15a4b5e3170eddbd936c1e6e7fa9e030

Download Submit
C:\Windows\XXOCVV\IBS.002

Filesize
44KB

MD5
49f3466e9ba4c92529bbc6eeb1ee0ab9

SHA1
f0af510b20004d5380977c4cfb1831e40042d81f

SHA256
7912617f47fce846b880131f2ecfc58d60a67b58db1f9462f36f3e4705a8bc41

SHA512
9bb4883cb1b21a78bb049b75c04c27dafbcb06b73f3c102e957f470fd4451419edd67a30f295bee2e1da5dd158d186c3c26bb3fd33ea3a1d13232252143d9319

Download Submit
C:\Windows\XXOCVV\IBS.004

Filesize
1KB

MD5
0c556aa81f2b00ef300e2f4fc2ea4bf3

SHA1
9c0ae71b10143f1ceb260f01d9a95ef37dbda87a

SHA256
7e3401f6de9816ec291a14377bbc2ea3550f9b0b8cf5ab3f07c5ef43bef18783

SHA512
1dbefcff693495176b8ce7188adae31f282f04f5e5b9b6fc00549423a1885df9868dfe71e78232cb79f4ad98365ab07a1574e1b399b29cdbae7678faabad691e

Download Submit
C:\Windows\XXOCVV\IBS.exe

Filesize
1.7MB

MD5
050208e69caba33b40c37bf3f69c303a

SHA1
109da1ef57f0601086006aa18002fabce8635451

SHA256
f69fca14da64b63551018bca80b8f43ada22eb63cb679002e195399ec5175995

SHA512
4f1c59c562f72135ca13fc25fe7f71e2e1cc6124142c70b0c33082b0693d8d2cee83ea6297dc964e0fb247907578f8839c86cae93fa776a4d407d537d2bc3717

Download Submit
memory/1176-14-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1176-16-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads