ardamax | 23085824b2b8cccdad9f95f232a685dadd3ea61a2d1b9d720f709c7d1a01bfa7

General

Target

03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
Size

530KB
MD5

03aef9418bbbbb8d28a74041ea0bfaca
SHA1

d3ea583b7d045c529e314e5024d54dea96fdc821
SHA256

23085824b2b8cccdad9f95f232a685dadd3ea61a2d1b9d720f709c7d1a01bfa7
SHA512

bfa28059da6140f35fd4c4c0da3eefc35355f94997b50fb16d7590c3c040a6743e29f6a6cc33bea0ae941c79a80a139c10d45fad19086c4ffe8a4304681bd3e7
SSDEEP

12288:tLzzhroY0svpfy8ySSljezWAlvOUWMvssIwzJZof7GfVjqqJCuW:dhrTpad5ljeKOvOfVsxTof7AjqXuW

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234ce-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2212	TBOX.exe

Loads dropped DLL 4 IoCs

pid	Process
508	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
2212	TBOX.exe
2212	TBOX.exe
2212	TBOX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TBOX Agent = "C:\\Windows\\SysWOW64\\YHF\\TBOX.exe"	TBOX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\YHF	TBOX.exe
File created	C:\Windows\SysWOW64\YHF\TBOX.001	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\TBOX.006	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\TBOX.007	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\TBOX.exe	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YHF\AKV.exe	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TBOX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2212	TBOX.exe
Token: SeIncBasePriorityPrivilege	2212	TBOX.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2212	TBOX.exe
2212	TBOX.exe
2212	TBOX.exe
2212	TBOX.exe
2212	TBOX.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 2212	508	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe	87
PID 508 wrote to memory of 2212	508	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe	87
PID 508 wrote to memory of 2212	508	03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03aef9418bbbbb8d28a74041ea0bfaca_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\SysWOW64\YHF\TBOX.exe
  "C:\Windows\system32\YHF\TBOX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A2D7.tmp

Filesize
4KB

MD5
30bfd4514b7d7bf4feb29fa277a85704

SHA1
1de5fcd883a38190e8d3a020ef0b65ee9a8dd62d

SHA256
73b7e30ad8c34db793eed457f4845d360e80e08738663f7e40e0f9c217a914c7

SHA512
0a8dc5c73272577016830cfb6fad43906f63debee9630456336a08b88740109f2d88e9e79ee5ac14be48c715335bd731d99f9e022c09d1ee73e5b1436645b5b7

Download Submit
C:\Windows\SysWOW64\YHF\AKV.exe

Filesize
416KB

MD5
4668b7f6816e3af3096c06f5480e5899

SHA1
ca2300c38cc073c2e0a9dddfbfec19cc1ccad510

SHA256
561bb8440fb91e21a3ce6dcc0ec2d06829003fcd1282d14283451e962bd30fac

SHA512
f949fdc2b4158a791a67c7c0a2ebc372668147d98331692887b4e607fd9bdd24d53a79d3934b6fc36980c5034c6d30a7c02fd95d6caa0e868bfa2e1e963ef1c4

Download Submit
C:\Windows\SysWOW64\YHF\TBOX.001

Filesize
492B

MD5
384618d92db4db69f8f245bf3204c357

SHA1
48c93b9a77dda84e3a478513bef1fa443da61207

SHA256
0178cffd26a337b46cd76feffbd1c5e14af17d488481cfb359aafe444a2f6f13

SHA512
86ff8714de554f7ea9fcca996033adf0b13405d48647f6175404b13e5d3daf46cee08160e7f6d794be4100b1e9791b473e4537ff4d185c37bbf589637a4142a7

Download Submit
C:\Windows\SysWOW64\YHF\TBOX.006

Filesize
8KB

MD5
8fb07f75858ce780589f73c560bed729

SHA1
ceb87f6a61636ea862f3042a18a09dbc89742bba

SHA256
dc83deabf925d71c6e8596b33290020ee76ff3fbb909ad3a4e62f6924000f42c

SHA512
31964cf1f0add8b98e5a13782867a636aa82a9bbcf24f2c36ca46dda1934fc0d830546c6e46c0b59903a0a29578ddd71b1a5885008f8ab837cb8987f25d9926a

Download Submit
C:\Windows\SysWOW64\YHF\TBOX.007

Filesize
5KB

MD5
12f0081516d47e47c4296c960fc6beea

SHA1
8b3c35d39eefe8b69ec58125a8e755576c5f527d

SHA256
b0a9c55e49cc0aa6ebbec533e9c350adce4a78bca6bdbaa3ef5ee70a62eb53b8

SHA512
ea90005dd6aa0bfa6a3cb233e4aadb39335bcdaa3722d038273719fcadd7ae71678e25f1e32ef01604a9646f5eee0ae0f6e78fc14869598e27a7b6b8c256daca

Download Submit
C:\Windows\SysWOW64\YHF\TBOX.exe

Filesize
540KB

MD5
20b550c5d6d61aa1e1c464d366264c9e

SHA1
ee9e349bb73a70d0e6d5e0776dc959ea57f9d96c

SHA256
9bfa43a345b1446984cd3e0c20896cc188b3c2c2f21fccb85227a662f38aa1f6

SHA512
04f6ad21a0c90ac850c1646ca78a59709f7a9cacdaaab621f1258490df269f5d07e5d063b1d4244792f76360b797df228e476fbbd3419385ffeb7cae7748cc5e

Download Submit
memory/2212-23-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2212-27-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads