ardamax | cf47b9dd42fb33fcbaf81254bd5b15147ba9d2056d0247c3f4ddcf1c8e482344

General

Target

18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe
Size

398KB
MD5

18f18eaef6414526d2930736bd312a03
SHA1

49e8a64057c722d85de07e7f294ef462cf3b2e42
SHA256

cf47b9dd42fb33fcbaf81254bd5b15147ba9d2056d0247c3f4ddcf1c8e482344
SHA512

b6989ad187532cf5820a16fc5b8930ba6b9d3cc3a03431427f576899aa9abc6531b6aa354c4d9d1f73d6ac45c646ad93194d63c95b164383f9a1a7ceb7b5d838
SSDEEP

6144:b1dlZro5yPHqhT9SBf3dBbiMEX7YKS8pchNHE77hpcEhCW6nX53e0Vji9PdI:b1dlZo5yPmSl3bKionhl6nXoyePdI

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c6e-37.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
2444	Install.exe
2964	TOHP.exe

Loads dropped DLL 4 IoCs

pid	Process
2444	Install.exe
2964	TOHP.exe
2964	TOHP.exe
2964	TOHP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TOHP Agent = "C:\\Windows\\SysWOW64\\28463\\TOHP.exe"	TOHP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	TOHP.exe
File created	C:\Windows\SysWOW64\28463\TOHP.001	Install.exe
File created	C:\Windows\SysWOW64\28463\TOHP.006	Install.exe
File created	C:\Windows\SysWOW64\28463\TOHP.007	Install.exe
File created	C:\Windows\SysWOW64\28463\TOHP.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOHP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2964	TOHP.exe
Token: SeIncBasePriorityPrivilege	2964	TOHP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2964	TOHP.exe
2964	TOHP.exe
2964	TOHP.exe
2964	TOHP.exe
2964	TOHP.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2444	264	18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe	84
PID 264 wrote to memory of 2444	264	18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe	84
PID 264 wrote to memory of 2444	264	18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe	84
PID 2444 wrote to memory of 2964	2444	Install.exe	94
PID 2444 wrote to memory of 2964	2444	Install.exe	94
PID 2444 wrote to memory of 2964	2444	Install.exe	94

C:\Users\Admin\AppData\Local\Temp\18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18f18eaef6414526d2930736bd312a03_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264
- C:\Extracted\Install.exe
  "C:\Extracted\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\28463\TOHP.exe
    "C:\Windows\system32\28463\TOHP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Install.exe

Filesize
282KB

MD5
9ac4caff8b8328b504d009a3b8562024

SHA1
ec1b53fbdcd9c58ff91059dec68c040189422b25

SHA256
f0846f026924ba9cd9ecbec1e1d5dad46af4b372af10b2a64269eefc9b67dbe6

SHA512
9f4c5f79e48ffdb73e19b41c78316efa47ee8072628309e2cff5d35a7ecebd57ab53fd80368e3ab550cb9096940aed530b7e40d43c5664cc6ca09d394f56a706

Download Submit
C:\Users\Admin\AppData\Local\Temp\@C36F.tmp

Filesize
4KB

MD5
7741621eab37d5237984566a87e022b7

SHA1
ecba0f2ff82abd940266b80eb12ccce900c05787

SHA256
d77ae70c89844988980f043d2dd99f819ca3770b4a2cd951f9db46c6ad97b0e1

SHA512
b4c57bb22a5f6b996ba799edca026f2a6ebfff942561cfe22010961f6ee231e9dc9b957aabf80943122ef6b607e91585bd8c3524ddbd3df711b0e66a4f13e624

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
239B

MD5
332a9f4bda3d52de0d03b9f4b82bf803

SHA1
9e794b5d0ea4e722723423414bdd2162fb04de69

SHA256
2e886bd4bfa014e416c7bd3c2f1a2c2b71b1ffb57793779283e6c915c713bb7e

SHA512
53829c662c5336aa8573ae9c71514ee7fce72a4be12c6b169743984873043a15d41e6298726081a323740ecdfc426b30482c3ba4b806ccad688110352adbf836

Download Submit
C:\Windows\SysWOW64\28463\TOHP.001

Filesize
410B

MD5
33fb352c37e00d59baa50af8fc45f257

SHA1
2a8bb9490a0ea7bb2ecf0993f2eac258290c0a8d

SHA256
826df67464b3c30c19e32a2cd47f286acbdb47bf06956b242776575c18455b30

SHA512
12608accb4e3cef1947bcc64a2b28f23d52df9aefa064a6dd1647afe497e79897ad03131bcf14dfc3c2ae36f460758ff4d9988f5c49cad85f05bf80a34cbaf45

Download Submit
C:\Windows\SysWOW64\28463\TOHP.006

Filesize
8KB

MD5
5cf4da269bc6e9a340c9d6f6f9958ef6

SHA1
236a1cf80f7bdc4da0396e865ad817ab0c87216c

SHA256
1b2bcca1e79c10cf32e816d435feacf12997aa5aeb8ed040068b82d28e6509bc

SHA512
cb84d5d848d19286ed14fb0273cddbf95781b5531117584a69c3afeba119f00dda37f9899a1af6ef900cabe1648c49643b97bd1f0d07944ffef19890d24ea258

Download Submit
C:\Windows\SysWOW64\28463\TOHP.007

Filesize
5KB

MD5
da590fabc3a6aaee518db39de8d73fb5

SHA1
a89ae670988af95714840aa463e5aeb649eb009b

SHA256
e57ffb72fdd0367510e0e9ea62b4c34a58d90a452ed4451eef50610bc27d7bd2

SHA512
5653a8d8d19b70cf094456978e3520fb80f6b56047860b53a95cd2d2fbf6fd947ff09c69090e3b956f0ed7d616237e5b6b59f899da7764c52ca1b444381159b4

Download Submit
C:\Windows\SysWOW64\28463\TOHP.exe

Filesize
513KB

MD5
d6f4bfc4e4ed7157506eab4740a55c30

SHA1
14d1b95c66de54c23ef4dcaf3e6e001455fb2048

SHA256
115484f3468e91accd0352039a3ba0530eb5e102d9115f73d86ff521abb78f12

SHA512
bae882ddc779227316d186583de259c0adfbba9d0354ae944f67e661d08a505be86035d1bf5021e06c1e92ee07bb93ed5e691bcf98073fd8da0d89535a2c2d0c

Download Submit
memory/2964-46-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2964-50-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads