ardamax | b04e5bc637d01985fcd9f1e54408eca9cfe24a255ed23d678e2865c8ca712ca0

General

Target

245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe
Size

1.2MB
MD5

245dc58653953cf075d7a02fc770f39d
SHA1

3ae3962b87744676a66fc030b70a1b592f067e9e
SHA256

b04e5bc637d01985fcd9f1e54408eca9cfe24a255ed23d678e2865c8ca712ca0
SHA512

00cc01d4d04304f9bc183e0977092bdeb628977a4f892d6984a8c1218a2e9913b2a1a06d81a47632d613e7822bb87be5f71fac484cdd23d399af62350bab4179
SSDEEP

24576:5zwTT6QuW9TYkTsEBtVh17TCiOYzrFPzDFGPW2Z7Bd7zTVYYCLmiUU:5z+TsW5XTH5dTCgZlgdn

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7e-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4448	AIT.exe

Loads dropped DLL 1 IoCs

pid	Process
4448	AIT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AIT Start = "C:\\Windows\\SysWOW64\\YBVFFP\\AIT.exe"	AIT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\YBVFFP\	AIT.exe
File created	C:\Windows\SysWOW64\YBVFFP\AIT.004	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YBVFFP\AIT.001	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YBVFFP\AIT.002	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YBVFFP\AKV.exe	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YBVFFP\AIT.exe	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AIT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4448	AIT.exe
4448	AIT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4448	AIT.exe
Token: SeIncBasePriorityPrivilege	4448	AIT.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4448	AIT.exe
4448	AIT.exe
4448	AIT.exe
4448	AIT.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4448	1800	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe	86
PID 1800 wrote to memory of 4448	1800	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe	86
PID 1800 wrote to memory of 4448	1800	245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\245dc58653953cf075d7a02fc770f39d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\YBVFFP\AIT.exe
  "C:\Windows\system32\YBVFFP\AIT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\YBVFFP\AIT.001

Filesize
61KB

MD5
9681d3e1f2c53ad98b8467b3acca33fc

SHA1
04d5d08781f27d6e08ad0262f7325b2be4db7743

SHA256
baecddca15ea6932b9cd4e7f5bae848c3c290660a85c408b898150c6f8fd744e

SHA512
5c6191fb676ace9d1c2ddfd4e98651959ab24b718ab626c343e2bb271d31edd8ba43ed9de528c7832ddcc2137d2424c22bb19f115dc252e1400cfcd3edce2098

Download Submit
C:\Windows\SysWOW64\YBVFFP\AIT.002

Filesize
44KB

MD5
e65e4bdb2c86226589b88f101153c01b

SHA1
731be43621721dba20f0bb74966ea08043ef37fd

SHA256
e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2

SHA512
7700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd

Download Submit
C:\Windows\SysWOW64\YBVFFP\AIT.004

Filesize
1KB

MD5
539a202b3c25bd285b52c4e85aabd06d

SHA1
b4b1e06c3366c409ad81f803b7407143517b5eae

SHA256
01d834d5dd4c38331fda0011db658f97a127448b71f4251e2e7d477e8448e34b

SHA512
694ae360b486002b5d4bea785f7c146444a3f8155a76a668c29a2a0db81ca2e41613085df23f7b2a5e959173ede61b325a817af349f73de3ad0b3468dee66a31

Download Submit
C:\Windows\SysWOW64\YBVFFP\AIT.exe

Filesize
1.7MB

MD5
9a6a50772539f5a61fefa29c34666223

SHA1
b2b8650d817ef7d86bfef48420e9716f0ffdccce

SHA256
93db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b

SHA512
eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed

Download Submit
C:\Windows\SysWOW64\YBVFFP\AKV.exe

Filesize
485KB

MD5
42150775d201a85ebc379d21aa253f85

SHA1
fccd7df34e16abaf8d55935016cdb15df8041e06

SHA256
00206ccef9ee8da111cc547c698b7e61736b328de48ac5c307d05f2921ef0b9c

SHA512
4ff3c587a8d88e319acb028829c75ecb3e11c16a62ba9c2090720613c51c6555af698ba8ff75672b405602f196ed1b99dbeb9395bae62aac2140fa31600b36e0

Download Submit
memory/4448-16-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4448-18-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads