ardamax | f39c071864ac2d31da766c72d42193f1a13b0e4393205e9a4405bc780b5118d3

General

Target

0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Size

377KB
MD5

0cec24b08acb166ba5b171c9192b3bcf
SHA1

6655a9b921136203597a2d1a5f743d274f58c471
SHA256

f39c071864ac2d31da766c72d42193f1a13b0e4393205e9a4405bc780b5118d3
SHA512

a8e7229a80bc6bb1da86dd1b68fad2b52cf9e479b37ac046a6d20a7c0aa5d8186d977ca0062bac2242af4e2d014f21772b655ea6fb7ca73618600a5a83e9e8c8
SSDEEP

6144:DR+21RZ6MNoeS68wVxqhwdsp/1624Qlq0udJ:Y2fZ5Noj680quC1VlqPJ

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000193e1-34.dat	family_ardamax

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1948	Exporer32.exe
1932	scvhost.exe

Loads dropped DLL 7 IoCs

pid	Process
1288	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
1288	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
1948	Exporer32.exe
1948	Exporer32.exe
1948	Exporer32.exe
1932	scvhost.exe
1932	scvhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\scvhost.001	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\scvhost.006	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\scvhost.007	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\scvhost.exe	Exporer32.exe
File opened for modification	C:\Windows\SysWOW64\Sys	scvhost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI4	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "2163993797"	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B87C4F3-665110BF-5BB9BC80-F89A0DC4}\ = be32101401b9461927426873b5ecda0ec34f84308a172a87ed37d2580385dcd6c1f92e66efb7f0171738375928fe945f740069886e32d15d41be3ee1b2c60d69ab62748e8fef50efc9ef166f889056c687c8378a278a38cd9eae4090613c76a0a7ee57ee48ae934e83916c75136abb6b23ec2b6c7473d71c7703184c7d13de3b406445250a2a0d8cb14e61af6a6fab30b3e793274bd8cc84cc1ab04566b6d798374068e713c70ce76d37f2289516caf96ba1f459e5c2ea2c536fb4101637375868fb11647e55df0a8032d193363b575c384124d2a53235951a767ba9e476495936466797f8879fa73f6860cdbff29fa5bf895fcd00719bd203f43cda633a3ce55fd9c00159ca7ab4656a9ad545f97aa16559dac243ca5cf44326bcd9a2fd9add4541f6bed91ebe00a0612212aa458a96d3f6449839845e38ffe560c51dd9813939da19ba025a92bb3c5b207c0f61d092bf7c6063cb5cd4c1b50d66aec94f0eb0ae268ef7cfd7703729e88d8c0d2c524f43901ccfc3f04c5b6d846e38afe350c309dbf27b2de4d2b6cdd612780cdf2dbfee1f4f40907dcddece3f8f9f8f7fcf604f9bf083e09bc4037afcdb1d83c213b3bb649b99c47ea55fb980e17781289dcd3d52e2b33cecdfd3ff8cdfae3fce2070dde1be895f0d806e1691c7b5e705812c60fda7d51a3df8cd6cda70034afb90f08d99515e53f797605e7844dfddc68ecc199e39d9927c71a859be59df08ee909a	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B87C4F3-665110BF-5BB9BC80-F89A0DC4}	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B87C4F3-665110BF-5BB9BC80-F89A0DC4}\ = be32101401b9461927426873b5ecda0ec34f84308a172a87ed37d2580385dcd6c1f92e66efb7f0171738375928fe945f740069886e32d15d8f755007b5c60d696e8e8f0e8fef50efc9ef166f889056c687c8378a278a38cd9eae4090613c76a0a7ee57ee48ae934e83916c75136abb6b23ec2b6c7473d71c7703184c7d13de3b406445250a2a0d8cb14e61af6a6fab30b3e793274bd8cc84cc1ab04566b6d798374068e713c70ce76d37f2289516caf96ba1f459e5c2ea2c536fb4101637375868fb11647e55df0a8032d193363b575c384124d2a53235951a767ba9e476495936466797f8879fa73f6860cdbff29fa5bf895fcd00719bd203f43cda633a3ce55fd9c00159ca7ab4656a9ad545f97aa16559dac243ca5cf44326bcd9a2fd9add4541f6bed91ebe00a0612212aa458a96d3f6449839845e38ffe560c51dd9813939da19ba025a92bb3c5b207c0f61d092bf7c6063cb5cd4c1b50d66aec94f0eb0ae268ef7cfd7703729e88d8c0d2c524f43901ccfc3f04c5b6d846e38afe350c309dbf27b2de4d2b6cdd612780cdf2dbfee1f4f40907dcddece3f8f9f8f7fcf604f9bf083e09bc4037afcdb1d83c213b3bb649b99c47ea55fb980e17781289dcd3d52e2b33cecdfd3ff8cdfae3fce2070dde1be895f0d806e1691c7b5e705812c60fda7d51a3df8cd6cda70034afb90f08d99515e53f797605e7844dfddc68ecc199e39d9927c71a859be59df0e7f9ff8	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{5B87C4F3-665110BF-5BB9BC80-F89A0DC4}\ = be32101401b9461927426873b5ecda0ec34f84308a172a87ed37d2580385dcd6c1f92e66efb7f0171738375928fe945f740069886e32d15d41be3ee1b2c60d696e8e8f0e8fef50efc9ef166f889056c687c8378a278a38cd9eae4090613c76a0a7ee57ee48ae934e83916c75136abb6b23ec2b6c7473d71c7703184c7d13de3b406445250a2a0d8cb14e61af6a6fab30b3e793274bd8cc84cc1ab04566b6d798374068e713c70ce76d37f2289516caf96ba1f459e5c2ea2c536fb4101637375868fb11647e55df0a8032d193363b575c384124d2a53235951a767ba9e476495936466797f8879fa73f6860cdbff29fa5bf895fcd00719bd203f43cda633a3ce55fd9c00159ca7ab4656a9ad545f97aa16559dac243ca5cf44326bcd9a2fd9add4541f6bed91ebe00a0612212aa458a96d3f6449839845e38ffe560c51dd9813939da19ba025a92bb3c5b207c0f61d092bf7c6063cb5cd4c1b50d66aec94f0eb0ae268ef7cfd7703729e88d8c0d2c524f43901ccfc3f04c5b6d846e38afe350c309dbf27b2de4d2b6cdd612780cdf2dbfee1f4f40907dcddece3f8f9f8f7fcf604f9bf083e09bc4037afcdb1d83c213b3bb649b99c47ea55fb980e17781289dcd3d52e2b33cecdfd3ff8cdfae3fce2070dde1be895f0d806e1691c7b5e705812c60fda7d51a3df8cd6cda70034afb90f08d99515e53f797605e7844dfddc68ecc199e39d9927c71a859be59df5b4f8da0	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1932	scvhost.exe
Token: SeIncBasePriorityPrivilege	1932	scvhost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1288	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
1932	scvhost.exe
1932	scvhost.exe
1932	scvhost.exe
1932	scvhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1948	1288	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1948	1288	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1948	1288	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1948	1288	0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe	30
PID 1948 wrote to memory of 1932	1948	Exporer32.exe	31
PID 1948 wrote to memory of 1932	1948	Exporer32.exe	31
PID 1948 wrote to memory of 1932	1948	Exporer32.exe	31
PID 1948 wrote to memory of 1932	1948	Exporer32.exe	31

C:\Users\Admin\AppData\Local\Temp\0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cec24b08acb166ba5b171c9192b3bcf_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\Sys\scvhost.exe
    "C:\Windows\system32\Sys\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
273KB

MD5
11090b00130b4908a5b12fe7a93cca4a

SHA1
0e1d85a34bbf2d2efe5054e325f9b90351f5d4fb

SHA256
2b8404fd30e5f7247cea6bdbd72e046834824bc0401eb18d2579e36b7c0fdb90

SHA512
2516f00f45bde2cb8d82dfe70aa2494a9f50e7c300b080f254d22c9dc01b15069b63a1c79235d361cf99b641d35f45d4b65aa2eac9965feede2aefa9bd849c5c

Download Submit
C:\Windows\PCGWIN32.LI4

Filesize
528B

MD5
e441a65d06795e104868ea7f955d38e6

SHA1
9b86eed96216c7a7e6b0ad966fe460b76bcc7a5d

SHA256
705d0a04c29b8db87a0216a1196d3e5f5f67cd5fbc752afdcdee2a79ddc89306

SHA512
0a9dcbdc6a84e48c2ae9f131bf28d7f77fdbe33031ad2e17838471d7863404cad017cc8e489bd69e3ce1b1985876074df19bd3523e5ea76e69e195457bcd6b36

Download Submit
C:\Windows\SysWOW64\Sys\scvhost.001

Filesize
3KB

MD5
40e6df4721dcbbaef60a201f65769423

SHA1
e10a1701343fe832aa2dd09fb795d4987f8f7a94

SHA256
10c05e4ff0c3cd33d6b92f45c94ec564891fa909263a3abc3a8d9ae0139354cb

SHA512
a919cce9b9bc7713333c273953f89da24dd57ef26821f81bf3e30986e8303bb4b82fdf448e5c1354fdddecbae87fdc1dd867867a5908e3f411a38b2f89cbc04c

Download Submit
C:\Windows\SysWOW64\Sys\scvhost.006

Filesize
5KB

MD5
ff2bc313174a6ccfe1e0b5b1a58f0f49

SHA1
4e983cdee788faf6a13a9d5bf3f00f4a17dd6e8e

SHA256
f212c83897599d81f4010f1ef3a43e5709e874912072d38d26a5ef5644462318

SHA512
418083066ba5505267f4de91c9e439674e02645c430360dae22dfc390c33b4e0c01857634d1dcb5dc298c296a5f4130397388bceee2ad82ba0a711ab56d1bd0f

Download Submit
C:\Windows\SysWOW64\Sys\scvhost.007

Filesize
4KB

MD5
50c8c542dca77df82f5925b145567611

SHA1
64bdce386146e3548d3d85cf16fdd0d34cbafe2f

SHA256
0692f76ec589e517f0a5205e658ca44656322c0382cee2af53890324818b3e0f

SHA512
f7df5e9ac0c81f832e8dfe882eb1c4746f30131bef5a56947634146c813df079acd57b3fc954254684c6f4ef291802cd9629e6af3ced9be1f381fdd858a327c2

Download Submit
\Users\Admin\AppData\Local\Temp\@C590.tmp

Filesize
4KB

MD5
a9680f653434b4766fdc2a3c592af879

SHA1
fd8e999c43fa83df3144aa5bbaae73bac3834296

SHA256
30e084f531980a35b79dd36ac9ee0022d0aba792da99b3d71eea26d327db9ad3

SHA512
685fe7bbaf9fe5d140f07e9fe0f1eff0cecf8a3a4d050fe917ce8eddac3394ab7b8cea575e2d6f3dace309716662fbb5a9016850b120ea2099a00cfc848f57ac

Download Submit
\Windows\SysWOW64\Sys\scvhost.exe

Filesize
459KB

MD5
4db1b69341dc88b901d85be34278a634

SHA1
0d55d2852a58b597c96c1dcec25efc961d882ba1

SHA256
c3f29e3f8b9eb7c20a0046fc105d2199dc5327a570e8c76908e44be1200fb893

SHA512
e11ee43c65179a562254cc63fda5c25ae228603bd88fd357faea2a5b49b4df11dfde5efe46544ac138d008cdffc419c793b35781ef201a9462a9eda30b52dee0

Download Submit
memory/1288-23-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1288-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1288-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1288-9-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1932-47-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-50-0x0000000076EAF000-0x0000000076EB0000-memory.dmp

Filesize
4KB

Download
memory/1932-51-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads