ardamax | 6943cef14249d809466043ff45d34048e6a889356228c80fb4cca726e241c589

General

Target

0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe
Size

1.0MB
MD5

0cba813ca83f3e80664be6cd05bfa97e
SHA1

d21d8267b1e58ac567c1279f9db755276e367bab
SHA256

6943cef14249d809466043ff45d34048e6a889356228c80fb4cca726e241c589
SHA512

5235faab2a44a28e97906c434b59a6cd860ecb0007e9a9a784dcffd24f620a1b9289956c2a187810d72a1096a77b5b4f04b48b657a6cd8ef55976864ae94c72a
SSDEEP

24576:xesTnX3/lPxkAFNcZxj57iNbz9wPEtHJGDE0+NI:x3TntPmHiNbz2sJn0a

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c4f-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3240	OLG.exe

Loads dropped DLL 1 IoCs

pid	Process
3240	OLG.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OLG Start = "C:\\Windows\\SysWOW64\\WIMXOD\\OLG.exe"	OLG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WIMXOD\OLG.002	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WIMXOD\AKV.exe	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WIMXOD\OLG.exe	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WIMXOD	OLG.exe
File created	C:\Windows\SysWOW64\WIMXOD\OLG.004	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WIMXOD\OLG.001	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OLG.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Web3.5 = "1727908523"	OLG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3240	OLG.exe
Token: SeIncBasePriorityPrivilege	3240	OLG.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3240	OLG.exe
3240	OLG.exe
3240	OLG.exe
3240	OLG.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 3240	1784	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe	85
PID 1784 wrote to memory of 3240	1784	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe	85
PID 1784 wrote to memory of 3240	1784	0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cba813ca83f3e80664be6cd05bfa97e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\WIMXOD\OLG.exe
  "C:\Windows\system32\WIMXOD\OLG.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WIMXOD\AKV.exe

Filesize
498KB

MD5
51c1f8be2696047a60425cf4e8370eeb

SHA1
c565f5f7ca1eae6af9c7e7d07092031975ddf356

SHA256
900f9e42b5157d485000517997655dea2b5a36b249295e16a650ea38a8992de4

SHA512
a25712fa2ca973a3d73fc9fd59bd4c4734cb31f1683d0960e86fb0d1f078f011c8c9aebd85b6513f434c4e96cc8dd4367620a9b5c55112b586187ee2fed96c9a

Download Submit
C:\Windows\SysWOW64\WIMXOD\OLG.001

Filesize
60KB

MD5
2bfb29b33b47a062d48c9ad462cc06c2

SHA1
1b39d2cb07740cfafe6809d30431952e2b7c2a5f

SHA256
f5b12e8464198b5c9cb2308e86942ef6d49ad0aeb844b47a385e90f0977d9001

SHA512
3521cca90074871f0e28706061e4a6ec8c0abca1c36ac73e860216be46df06c89ec8a5690677c4df0bf451ba2d2374351009a459101de459b71efa3889a043ee

Download Submit
C:\Windows\SysWOW64\WIMXOD\OLG.002

Filesize
42KB

MD5
afa4b981d51f73aaa544fac1a7108ab3

SHA1
8dd9f0811c98175b1cf9d73893e03283e020ada2

SHA256
456ed6eae6b31494b782f8786d28f22a96f38abcc81e93cc9802dac6bb1b9238

SHA512
4e0234d692b5eb91cfe5f2f2926a0b0f49dc43510c695dd6bff78071c86dfad91cbcde3428d4965026fd980c1a353b221b0a3fa35d223d678ef82cfb9e0294e5

Download Submit
C:\Windows\SysWOW64\WIMXOD\OLG.004

Filesize
472B

MD5
ada3399e268ec1b7e105d01a7cede4cb

SHA1
45318021c8bb41859b0712820b7e9a9c7f7ae423

SHA256
0da7114554cb1b900e462b6e13ce27365912b7e374523f5c1c1d445a54c16490

SHA512
ac3b0ad654a7c8835ceb2146f4c6b6ee7317bf960153b6c9748ac85a9f7af51edea29b0215ba7d841289cb4a6541c6cf6abfb89b81f086896ebd2455d05b0df9

Download Submit
C:\Windows\SysWOW64\WIMXOD\OLG.exe

Filesize
1.3MB

MD5
93e6298315cf566b520382d6c701dc62

SHA1
ab5ee9810535cfee6fb1f751d63cc5a0ed0e256e

SHA256
035a7419c78813bae698ee98db9f48302d4de0bd011ac573eb457f65268b702b

SHA512
1c37c580578964ea00a3fd193ba04ca81ed2e5cf3e74395e90994b3dd0e22d3c55fb640eb8138af81eef6d88af37459dcc6bb6bd035fc1aaa71476ba4634a8ee

Download Submit
memory/3240-17-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/3240-19-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads