ardamax | a54c6bc0fc02a0d927162bad14d7c98112a119e9b153007c252c3a2d92cc6ff8

General

Target

0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
Size

598KB
MD5

0dc73286e68d6afbb8ea5e3d37d43afb
SHA1

2829cd925521f8e1f35c8fa5ca526bfdfa995647
SHA256

a54c6bc0fc02a0d927162bad14d7c98112a119e9b153007c252c3a2d92cc6ff8
SHA512

546fe7b8a6c603c8cc579039687764cbb776faa7fe3eb403eef1c6858fd0918859b26c32cdf751c640a6cb28524dfc18bd5da7918409cc5bb1056ff1a5aade86
SSDEEP

12288:OEW+WI0sHSSQoa478qBhINa3R3NW8RlPmJmjn97A8j1AtwAnWmgU+b3hEnqzxP3f:I+QsHSSQoWa3R3NW8n6mj97Dj1AiAWmy

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023489-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	LYDT.exe

Executes dropped EXE 1 IoCs

pid	Process
1600	LYDT.exe

Loads dropped DLL 5 IoCs

pid	Process
4340	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
1600	LYDT.exe
1600	LYDT.exe
1600	LYDT.exe
3924	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LYDT Agent = "C:\\Windows\\SysWOW64\\28463\\LYDT.exe"	LYDT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\LYDT.001	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\LYDT.006	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\LYDT.007	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\LYDT.exe	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	LYDT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3924	1600	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LYDT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1600	LYDT.exe
Token: SeIncBasePriorityPrivilege	1600	LYDT.exe
Token: SeIncBasePriorityPrivilege	1600	LYDT.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1600	LYDT.exe
1600	LYDT.exe
1600	LYDT.exe
1600	LYDT.exe
1600	LYDT.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1600	4340	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe	82
PID 4340 wrote to memory of 1600	4340	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe	82
PID 4340 wrote to memory of 1600	4340	0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe	82
PID 1600 wrote to memory of 1972	1600	LYDT.exe	95
PID 1600 wrote to memory of 1972	1600	LYDT.exe	95
PID 1600 wrote to memory of 1972	1600	LYDT.exe	95

C:\Users\Admin\AppData\Local\Temp\0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dc73286e68d6afbb8ea5e3d37d43afb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\28463\LYDT.exe
  "C:\Windows\system32\28463\LYDT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1116
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\LYDT.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1600 -ip 1600
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8F11.tmp

Filesize
4KB

MD5
b89311bdf4e6640cc9051e629476cbe4

SHA1
ced30235482232b045cd5d8004e8ead01b30f9ca

SHA256
db0e9d83d8a5309ae4ab4747ff6ce506a2f85b01a598caad697a69b3ddb557a1

SHA512
8e71c2238e23cd793feb061736d00f8aea0002f79e2632093529ed6242f9af2a99baa598d58c04bbc9c02715d7f18955ae88334e39caa2978e88904cf27911d4

Download Submit
C:\Windows\SysWOW64\28463\LYDT.001

Filesize
392B

MD5
4e282ffa5d664bb70fffeaa663e7b3fa

SHA1
7ef5fa2d83df69a823da821034ad545c4a9e644c

SHA256
62bc6d88c863a01400c5cf37be1cfe967d17f3d53e532e8d222f1f3d3608c125

SHA512
05dfc123a9daac70ec434070f6557866f7057230860b207933a1d3fa760aaac6298dc0894697fc22a00b93f9be759b5f536befc82d8463bc3870de051456e313

Download Submit
C:\Windows\SysWOW64\28463\LYDT.006

Filesize
8KB

MD5
911a5a213762001178a48b2ceefa1880

SHA1
de9b25ac58e893397ab9ad3331bd922bbd5043ae

SHA256
273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9

SHA512
cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9

Download Submit
C:\Windows\SysWOW64\28463\LYDT.007

Filesize
5KB

MD5
2183e6a435b000fc6e85b712513c3480

SHA1
c088b82494aaeca23a5acfaf83f55597bd0bdc6e

SHA256
9a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5

SHA512
94ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe

Download Submit
C:\Windows\SysWOW64\28463\LYDT.exe

Filesize
912KB

MD5
6768ba61744862704760b66ce8f8fdd4

SHA1
e86cbed8cf20c2a9c76219d0c434bc310ffb2392

SHA256
4cf4bf2b7d2bb4215e255e1f2b1238ad989f3c8a98ebfd5cb033bccf32fedaa0

SHA512
eadb56b633707724ef4f47f8b421b0f3b2afa5a9800fae030f81aefae483eed6b494da470278273f388c3ae346a33cbbfe742924d231dab1c9b42bbefaf95a61

Download Submit
memory/1600-17-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1600-22-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1600-26-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1600-27-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1600-29-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads