ardamax | 11d3520d3ba6d44f876b1c59c2a846e622575777cf6142aaa9a50831e84c3dc2

General

Target

19ff2e4cad737f2a66830c1faee2190f_JaffaCakes118.exe
Size

1.3MB
MD5

19ff2e4cad737f2a66830c1faee2190f
SHA1

9c1b2345f27a606783e1cb849756aed45c2bf14d
SHA256

11d3520d3ba6d44f876b1c59c2a846e622575777cf6142aaa9a50831e84c3dc2
SHA512

a0d8ef268b2f376fcc3070151171b2b744e9df3f38f0f9d91d166b2b293328c4ad6e9279515221bce2520b3bdba96ec6509bd3c0cc523800344abed6dba162b1
SSDEEP

12288:l1WpiZrhguethA30FtDCdi/ytgAP66qexxDlvPVyCa/7WsUiWp0vNXtuQRNvpanC:MzJJA/d70R8++6cx2vX4F

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234cb-21.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	605.exe

Executes dropped EXE 2 IoCs

pid	Process
2976	605.exe
4620	HENV.exe

Loads dropped DLL 4 IoCs

pid	Process
2976	605.exe
4620	HENV.exe
4620	HENV.exe
4620	HENV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HENV Agent = "C:\\Windows\\SysWOW64\\28463\\HENV.exe"	HENV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\HENV.006	605.exe
File created	C:\Windows\SysWOW64\28463\HENV.007	605.exe
File created	C:\Windows\SysWOW64\28463\HENV.exe	605.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	605.exe
File opened for modification	C:\Windows\SysWOW64\28463	HENV.exe
File created	C:\Windows\SysWOW64\28463\HENV.001	605.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HENV.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4620	HENV.exe
Token: SeIncBasePriorityPrivilege	4620	HENV.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4620	HENV.exe
4620	HENV.exe
4620	HENV.exe
4620	HENV.exe
4620	HENV.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2976	1468	19ff2e4cad737f2a66830c1faee2190f_JaffaCakes118.exe	84
PID 1468 wrote to memory of 2976	1468	19ff2e4cad737f2a66830c1faee2190f_JaffaCakes118.exe	84
PID 1468 wrote to memory of 2976	1468	19ff2e4cad737f2a66830c1faee2190f_JaffaCakes118.exe	84
PID 2976 wrote to memory of 4620	2976	605.exe	85
PID 2976 wrote to memory of 4620	2976	605.exe	85
PID 2976 wrote to memory of 4620	2976	605.exe	85

C:\Users\Admin\AppData\Local\Temp\19ff2e4cad737f2a66830c1faee2190f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19ff2e4cad737f2a66830c1faee2190f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\605.exe
  C:\Users\Admin\AppData\Local\Temp\605.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\28463\HENV.exe
    "C:\Windows\system32\28463\HENV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\605.exe

Filesize
495KB

MD5
2eb9e3e2f2106bc22257b4876d6da90f

SHA1
11383c179a419dd21fbc4fe8acacc5ab5f7d1160

SHA256
7ecb4702ba213d917ad0bf677e9c4a391de5fe8d809ba49b1063024b164c8b7f

SHA512
258cf73b602aceb78cc738fb27c322440d161bd44f3c248a6926cd6cd578bcf8efdd877e5aac6b2046df071cea8143f3156f6abab0eaef4a4c7cda7ff1facb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\@B621.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adbec81b510dcfe49835f95940ef961d

SHA1
77940f6e46fbd5f53de23bd49afe9172470769d0

SHA256
466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

SHA512
ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

Download Submit
C:\Windows\SysWOW64\28463\HENV.001

Filesize
388B

MD5
1b8355fec0657d66fc3614e315caa9c8

SHA1
8dc5f89c100fe424a7b5fc24666229238ccb6f51

SHA256
ce0076bac41214d403ac2c8dac73a827cc6c2dcf0372357e819da0e1b503c7a3

SHA512
12aead4a3abc388cfe583e8332c94e8040008a73489bb6fdd6447c9e5dcdfcc6c1355c7bb3806f41c493fe9fe73f3405b07c2dadf07499d22ac40c744b0e4afc

Download Submit
C:\Windows\SysWOW64\28463\HENV.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
C:\Windows\SysWOW64\28463\HENV.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
C:\Windows\SysWOW64\28463\HENV.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/1468-22-0x00007FFB9A380000-0x00007FFB9AD21000-memory.dmp

Filesize
9.6MB

Download
memory/1468-0-0x00007FFB9A635000-0x00007FFB9A636000-memory.dmp

Filesize
4KB

Download
memory/1468-4-0x00007FFB9A380000-0x00007FFB9AD21000-memory.dmp

Filesize
9.6MB

Download
memory/1468-2-0x00007FFB9A380000-0x00007FFB9AD21000-memory.dmp

Filesize
9.6MB

Download
memory/1468-1-0x000000001BF10000-0x000000001BFB6000-memory.dmp

Filesize
664KB

Download
memory/4620-33-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4620-37-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads