ardamax | 9f315947a8415008ccbd8f70f1023bad0330ce353af0e2695509f02ece556af0

General

Target

0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe
Size

743KB
MD5

0aff2624b2ccabf568578930e2f21e73
SHA1

fc539643be3096539da67257d2c423f9aa39644d
SHA256

9f315947a8415008ccbd8f70f1023bad0330ce353af0e2695509f02ece556af0
SHA512

91bf820dfa97e200df58d35e2fe6c6d50c3a655212038d6410fcc85c1e355e6a5d2cf0dacb2086a14e7ce0838ca1b3afc4f796f15885744ffcca09751fda8fd7
SSDEEP

12288:ke0HJ0cfjY2dAJLSSUT9fslxsLuu7a+1mES+/2jsxf1do4bLmHUKL9LQgvpTI:ke0p0cfzvT9UlxMBaIm1jsxlC0QNjTI

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234a9-33.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
3040	Install.exe
2452	SuPerCraCk.exe
3052	LSXR.exe

Loads dropped DLL 4 IoCs

pid	Process
3040	Install.exe
3052	LSXR.exe
3052	LSXR.exe
3052	LSXR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LSXR Agent = "C:\\Windows\\SysWOW64\\28463\\LSXR.exe"	LSXR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	LSXR.exe
File created	C:\Windows\SysWOW64\28463\LSXR.001	Install.exe
File created	C:\Windows\SysWOW64\28463\LSXR.006	Install.exe
File created	C:\Windows\SysWOW64\28463\LSXR.007	Install.exe
File created	C:\Windows\SysWOW64\28463\LSXR.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SuPerCraCk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSXR.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3052	LSXR.exe
Token: SeIncBasePriorityPrivilege	3052	LSXR.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2452	SuPerCraCk.exe
3052	LSXR.exe
3052	LSXR.exe
3052	LSXR.exe
3052	LSXR.exe
3052	LSXR.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3040	3000	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe	82
PID 3000 wrote to memory of 3040	3000	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe	82
PID 3000 wrote to memory of 3040	3000	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe	82
PID 3000 wrote to memory of 2452	3000	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe	83
PID 3000 wrote to memory of 2452	3000	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe	83
PID 3000 wrote to memory of 2452	3000	0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe	83
PID 3040 wrote to memory of 3052	3040	Install.exe	88
PID 3040 wrote to memory of 3052	3040	Install.exe	88
PID 3040 wrote to memory of 3052	3040	Install.exe	88

C:\Users\Admin\AppData\Local\Temp\0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0aff2624b2ccabf568578930e2f21e73_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\28463\LSXR.exe
    "C:\Windows\system32\28463\LSXR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3052
- C:\Users\Admin\AppData\Local\Temp\SuPerCraCk.exe
  "C:\Users\Admin\AppData\Local\Temp\SuPerCraCk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A27A.tmp

Filesize
4KB

MD5
fc0fea286539e5d84ccf49020ca3823b

SHA1
d43711c776edf9a07abed6bb95ed4a0e45e14d52

SHA256
2520256a587481813a5557e54a65f2fca97baee5df333102adfff2dbdabb4828

SHA512
70e1a5ec247d5e3057fe19f7f34b31ee7a79ab16dca73794829d9d81e3ed891881df424f7aa44b9424550574ab61c95d376163b16080aa7cfd61e986e6988ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
496KB

MD5
7b1eeae8e0eedecc5f1892ed668ecc07

SHA1
1b22ed88bd85316cac22c0d5940a322e014e51f8

SHA256
34077737b28abe724656e3d2235d3521461105c053459db83fc6982a741c3217

SHA512
bdf606851287c77ee072a4af6a80ed2de3b9573d86057a63643d4c01c7ebc50446f1a0ff22ee6eb50102a5059660c0e2069a023f7d8c04903fb3505c0a06fb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuPerCraCk.exe

Filesize
892KB

MD5
b33e34e8bd36b810a745a2f79f82495c

SHA1
a77f7f0a6daddbe6d9554d0e64d38d1fca4a5d05

SHA256
cc812a9a366b960d653253f6209a9a24b5f493526e61e488cfd252b273d70601

SHA512
e9738be05955b8d82718dfbb443a34dc113eb9f0b161c8687b6c981f6546163e10bafc087aa4f9aef808596942a2e70c4cfd8548d8abebeabae68e6d19a33670

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
408KB

MD5
9f298a92f457a6c240b70393f336a17a

SHA1
1acfd6d9856cdd6ca71b6efcc55040e97904aa58

SHA256
557cfe249fa1838dc600ca8b137b1dc2dde3d9552b9ee4186bdca34b0401164e

SHA512
17cb2cc5b337a2b55b94ccc3ce7661fe2b502ce309a012eabfd4d88797a85a3fe3dae53e34891e5b295f7764494836b62a0d24b0b03ac6c93f77cc1f5dd0484c

Download Submit
C:\Windows\SysWOW64\28463\LSXR.001

Filesize
426B

MD5
34270499df8222dae71c926563263c6a

SHA1
b36f7c7e8251c5e4a47ee2e999f73ec32a0809a7

SHA256
8757a79ec463c0984de2de44a589fc7db7cf0bebd005359c4ca1e696a7cea1d3

SHA512
48654107c6a973f14acda9aa3cc1a9c64222b2bfc0d672428fa4c9bb44a325db143b1bbebb0f9d3e6483b6dcc48b296a0d375ee87483fa7720bf3af558f9209c

Download Submit
C:\Windows\SysWOW64\28463\LSXR.006

Filesize
8KB

MD5
75f215af21ded98ab7a1a2a0ea1f1a30

SHA1
e85649693a178064da1aa4cc7c8e34c92472ba0d

SHA256
af46dca2a4f77f0c977fec74312a41e20bd064bd2ca17bec0f09afd67d7e1e3d

SHA512
1582847dae80134e5272fc1b125d6af13746263601ebc8b540ea5fd3e4fc0a05f6e783c59a6052b971efd15d26d9d55b86345292160e9c79041b7c57f9a74f54

Download Submit
C:\Windows\SysWOW64\28463\LSXR.007

Filesize
5KB

MD5
528f383007234b421e3f1072fae5af11

SHA1
b19c49e17263d940ffa4d46c60a7cf2d03525f09

SHA256
531958a2b1de11d2da2eb8a5409f57c1f31253f79f790473d0efc0ae5567b61f

SHA512
d1813fc77b21ebcdada0cc9c410e533a39a436a038d91cb131bf03c987dab6e7e5b4c99f1a135adde84b4afcbd0a9f0f13931bae3c45c5782d7557fa620b4830

Download Submit
C:\Windows\SysWOW64\28463\LSXR.exe

Filesize
513KB

MD5
1800b0b263035d94f7bb5e9e70270032

SHA1
c8ba77fa2e414ad11e39a6493e15c078c99d80e6

SHA256
0b15e820894e38d036e75abd442e1cebbfb734c4a50fd0f3adcd3b77211caa5e

SHA512
1431bedcba045f110354c7ec8a34ad5677447aa647581ebc86c25ee38397d2eff4b02d438227144b934ce65b26a2be65c44b761bd4b46518ff44ba6aaf06f29f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads