ardamax | af6c02fb621efa3d6294d13a090c7fb2024510cc73bfe1aa0959255adc84b0d0

General

Target

25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
Size

2.6MB
MD5

25713456cd39bef8601f473fad4c81d2
SHA1

bdb37f5e6cff9dc92996afa29093826142dfd5ca
SHA256

af6c02fb621efa3d6294d13a090c7fb2024510cc73bfe1aa0959255adc84b0d0
SHA512

ff6e80850b3e84acb25c9488cccc9d26d8c2023a06fb81b6e05b41b714e335a06c51a7e7423ae41db50880f40d53ef34ab1929696e4ae15a70ba471b7c90af84
SSDEEP

49152:PoTXyVmmSjf1OjSSywGOBSKh1D3n1pHdLHRMZvmL8OfrcL9s6Kpedop8zcTy2ray:G8rSjfk37XTnNjRqvROfrAQpQS4H2r8G

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b62-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3848	AEA.exe
1616	artmoney737rus.exe
3692	artmoney737rus.tmp

Loads dropped DLL 3 IoCs

pid	Process
3848	AEA.exe
1616	artmoney737rus.exe
3692	artmoney737rus.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AEA Start = "C:\\Windows\\SysWOW64\\AFTDRK\\AEA.exe"	AEA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AFTDRK\AEA.004	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AFTDRK\AEA.001	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AFTDRK\AEA.002	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AFTDRK\AKV.exe	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AFTDRK\AEA.exe	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\AFTDRK\	AEA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AEA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	artmoney737rus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	artmoney737rus.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3848	AEA.exe
Token: SeIncBasePriorityPrivilege	3848	AEA.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3848	AEA.exe
3848	AEA.exe
3848	AEA.exe
3848	AEA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3848	1888	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe	86
PID 1888 wrote to memory of 3848	1888	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe	86
PID 1888 wrote to memory of 3848	1888	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe	86
PID 1888 wrote to memory of 1616	1888	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe	87
PID 1888 wrote to memory of 1616	1888	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe	87
PID 1888 wrote to memory of 1616	1888	25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe	87
PID 1616 wrote to memory of 3692	1616	artmoney737rus.exe	88
PID 1616 wrote to memory of 3692	1616	artmoney737rus.exe	88
PID 1616 wrote to memory of 3692	1616	artmoney737rus.exe	88

C:\Users\Admin\AppData\Local\Temp\25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25713456cd39bef8601f473fad4c81d2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\AFTDRK\AEA.exe
  "C:\Windows\system32\AFTDRK\AEA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3848
- C:\Users\Admin\AppData\Local\Temp\artmoney737rus.exe
  "C:\Users\Admin\AppData\Local\Temp\artmoney737rus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\is-HJMIG.tmp\artmoney737rus.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HJMIG.tmp\artmoney737rus.tmp" /SL5="$7003A,1295646,50688,C:\Users\Admin\AppData\Local\Temp\artmoney737rus.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\artmoney737rus.exe

Filesize
1.5MB

MD5
0fa3b3ed73dc061a9fcf18a1bcbb0b09

SHA1
4c043c15032a05205a3679f0af4ce4e6a6a60e65

SHA256
7ff638f38570f16e927b326dbdd4c160792dc07436035e9433f6e43c96c5a139

SHA512
d5edadeeebb45f9a9c0cdae918df277c2842cc42d8add81ee265459c842714dfbb6dc313baca0bed3606197c31e511ed0021dcff84985622fdbe3ef5fdafb98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HJMIG.tmp\artmoney737rus.tmp

Filesize
666KB

MD5
385aa258a917e2085d16b8477fe7685a

SHA1
897d73efffd1c3601cdb4db4d0b747fdaf1b39f2

SHA256
5fc2a69c35f5ef706807d20f570bfaf04f03173d50391fe3210d3a46b554cd41

SHA512
a244c2beebcffae1cde9c7dc3089a98d8414512a6369f25190e3e869f37a9e87278eb790142fd9f2b998b431d80bcb7071d1fb28eba6e96980908ee9ecd867d4

Download Submit
C:\Windows\SysWOW64\AFTDRK\AEA.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
C:\Windows\SysWOW64\AFTDRK\AEA.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\AFTDRK\AEA.004

Filesize
1KB

MD5
942ceb1f859c7c1de714aa9ab0110a0a

SHA1
315536015ff280cbbf0c50b32483db4bba1c4e6d

SHA256
397b063658ac1570f9197c98570940d6df37d8d39f40dbd3f3f0f2ddbbc7821d

SHA512
188bd7ad4c8cecd424ab231566119043a1eb6906efdcd944de3fe74440f60fad0b9bf1cbde01de9454ed99b2185dc284b91f0ce2309894585e1fcbcc05e9285c

Download Submit
C:\Windows\SysWOW64\AFTDRK\AEA.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
C:\Windows\SysWOW64\AFTDRK\AKV.exe

Filesize
466KB

MD5
4c5711d8a02899113661bdff195d80d5

SHA1
263592abea6d60887defb4b1bcb47dbb383edfb6

SHA256
661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195

SHA512
4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

Download Submit
memory/1616-23-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1616-24-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1616-44-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3692-40-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3692-45-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3848-29-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3848-43-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads