ardamax | e842fe993f175f111fd6799907f2fb42956766e03c51b1397263f1922f3c3aeb

General

Target

001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe
Size

187KB
MD5

001950ed5a6d66308ae1fb1782ddea42
SHA1

794343bbc42718c10b7aff927de5d6f9264e123c
SHA256

e842fe993f175f111fd6799907f2fb42956766e03c51b1397263f1922f3c3aeb
SHA512

512306e23f04fa45af213a28939f8d5708fc96035b918a29db634355a571e7f355a8c3cd8d4af7644d2d548787b14f0fcb4e6b71038b90a791b9335f034c84de
SSDEEP

3072:7CNmpyGKj6KpZZUCnkAKrM2SkF1vHrqkjoZEuOfnhIAkrdhiMYW1gU3r0GMzk:0mpyGKuKpZGCkAB2fTHrFkZEuOf3kBht

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023497-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3980	NIH.exe

Loads dropped DLL 4 IoCs

pid	Process
4324	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe
3980	NIH.exe
3980	NIH.exe
3980	NIH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NIH.001	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIH.006	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIH.007	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NIH.exe	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NIH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NIH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3980	NIH.exe
Token: SeIncBasePriorityPrivilege	3980	NIH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3980	NIH.exe
3980	NIH.exe
3980	NIH.exe
3980	NIH.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3980	4324	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe	82
PID 4324 wrote to memory of 3980	4324	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe	82
PID 4324 wrote to memory of 3980	4324	001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001950ed5a6d66308ae1fb1782ddea42_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SysWOW64\NIH.exe
  "C:\Windows\system32\NIH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8ADB.tmp

Filesize
4KB

MD5
3e52aef4a9e1bbf25dc611e0f5c45934

SHA1
91862bee5ac57eb719cf9bc14c69f9ef5affcbbf

SHA256
1b881b4299a8555f785088bd0e1b6969e76dc470f1f67429678a678c5f8b349d

SHA512
e4bc9fab4d1c555a896936927ff5866634885401a41f2eade5a976311dad3cdc40c0c7229c61925a8b32ae7b69c4c99537dc10baf292375a82a885a7a908a807

Download Submit
C:\Windows\SysWOW64\NIH.001

Filesize
2KB

MD5
9290e3e9a524dffed92f02687de5c9d3

SHA1
37a7ac69ccb4dca74496946db040c08ab696c376

SHA256
ccfe151e42eb19f118797341075c015ddf52755ee777c006a8af3ec6c4c1e18d

SHA512
14b08b4e3d33a5ae021e841d7c6fffe36ec7769722d63f6a8d711c0bcb79c2a997d452b2467aa18777a5dcf37b39ffdd95d84d8e8cb2d8c3c525239a94723182

Download Submit
C:\Windows\SysWOW64\NIH.006

Filesize
5KB

MD5
e98ae645054f00269eaad44b95c4e37c

SHA1
59bcfb291cb15f521e6e5982c12913052b5755b1

SHA256
028e4ef0ed6a7d9792ad2694c56b41ba247e72ef690089142c47bb6e1a693221

SHA512
ae4b1316c9785623944a0bc1884648f1382f3f8fb494927e7c872a72b0786fb5a1d090ebc2d5e468b91c8eef7663b43f73be4a1f65f7d8dd9bdaa6dfc694a35e

Download Submit
C:\Windows\SysWOW64\NIH.007

Filesize
4KB

MD5
ea32497496dd6b80be1c47fe5fac1fcf

SHA1
2bf9bee8e0f83b6785188a91047695ebcdf342da

SHA256
370a94fec91220668a370c2dcd0d2ac10c3f0a1d1befc7fee50db6f5e0b99676

SHA512
353d11071b695fe23080bc6d5cb5dc557b59b152b42921daec6f4124f9e8bb58555ac30c5ec96dae31871ff3d2416e91690b5f862d4feb5e7b038a996c8a1ff3

Download Submit
C:\Windows\SysWOW64\NIH.exe

Filesize
295KB

MD5
decf3769c920a9b642f56e24933cdf81

SHA1
930ddaf6b310fa2b3569580ff671e91d80b8b11b

SHA256
46a451f14816a0dc46d392158d1507f5806fe76e9fc9f0080d00d0b3dd26183b

SHA512
2807345e5ae0438c0bd41c3d0b6b09e3d1c04d0397e5e990d614125a14b6100de3c3f5bebab168f5654d6823eef5dbfd5a878aa0de64eec13bb546c8c32b8cb2

Download Submit
memory/3980-20-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3980-26-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing