ardamax | 063578f02f438cc15d8be2d46636f4754959c2552c9ce2fe4436b6fe6d222953

General

Target

2921d545258105bed4f82e815201051e_JaffaCakes118.exe
Size

478KB
MD5

2921d545258105bed4f82e815201051e
SHA1

55ef1a551875ed0816612fa5ee776f0cbc3bfb00
SHA256

063578f02f438cc15d8be2d46636f4754959c2552c9ce2fe4436b6fe6d222953
SHA512

953d6e75172703e97bb7c14198225cd7838d66da5e41f4e4059278383aeb997721ee1b656cf4fb0d33203ea731e35989ee87555a91cf67ae5ed1d4792ccc38d8
SSDEEP

12288:PdeOmafA+k8RE3RtGTpdRq7mxqtTeRQP1HESfc7auB:gOmIHe3RtGzNxqtyROJESMB

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b97-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2921d545258105bed4f82e815201051e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	JITX.exe

Loads dropped DLL 4 IoCs

pid	Process
3452	2921d545258105bed4f82e815201051e_JaffaCakes118.exe
4892	JITX.exe
4892	JITX.exe
4892	JITX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JITX Agent = "C:\\Windows\\SysWOW64\\Sys32\\JITX.exe"	JITX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Sys32	JITX.exe
File created	C:\Windows\SysWOW64\Sys32\JITX.001	2921d545258105bed4f82e815201051e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\JITX.006	2921d545258105bed4f82e815201051e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\JITX.007	2921d545258105bed4f82e815201051e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\JITX.exe	2921d545258105bed4f82e815201051e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	2921d545258105bed4f82e815201051e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2921d545258105bed4f82e815201051e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JITX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4892	JITX.exe
Token: SeIncBasePriorityPrivilege	4892	JITX.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4892	JITX.exe
4892	JITX.exe
4892	JITX.exe
4892	JITX.exe
4892	JITX.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 4892	3452	2921d545258105bed4f82e815201051e_JaffaCakes118.exe	85
PID 3452 wrote to memory of 4892	3452	2921d545258105bed4f82e815201051e_JaffaCakes118.exe	85
PID 3452 wrote to memory of 4892	3452	2921d545258105bed4f82e815201051e_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\2921d545258105bed4f82e815201051e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2921d545258105bed4f82e815201051e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\SysWOW64\Sys32\JITX.exe
  "C:\Windows\system32\Sys32\JITX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@73E8.tmp

Filesize
3KB

MD5
14c3321783fac66161b308d34c5b0eac

SHA1
021b4f77e27d6e0b032158936a752e27cdde09fa

SHA256
09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21

SHA512
9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
53a578b112aeb18c5993556d4440ade1

SHA1
e51f2fcc784def3cc5ff594edfee5e25f1e9818c

SHA256
9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156

SHA512
31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

Download Submit
C:\Windows\SysWOW64\Sys32\JITX.001

Filesize
518B

MD5
ff10776e73e28696fa2d2b8f8d854ab7

SHA1
6bfc8e6d9aff9e9553209466c15e71da2d769563

SHA256
2568d67d4c672379e872b6d2510425960d29c9908e3bb4724d5e2ef86c42fe73

SHA512
a4a0d104d1118771f3f5dc8a2f47a38b57c34bcaad367f548b1e68af7283836b20b347dbec1ec8da4a8567439d2a974549171e4de38c68ea31ed02d12080e967

Download Submit
C:\Windows\SysWOW64\Sys32\JITX.006

Filesize
7KB

MD5
504f5a7e8447c65bc2218bb3d47c309b

SHA1
5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44

SHA256
81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f

SHA512
b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

Download Submit
C:\Windows\SysWOW64\Sys32\JITX.007

Filesize
5KB

MD5
22e9e9b13c2c676bec39178311d55253

SHA1
da60379e518feeb798005065dcf626a74afe1848

SHA256
3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14

SHA512
1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

Download Submit
C:\Windows\SysWOW64\Sys32\JITX.exe

Filesize
475KB

MD5
9c3ff825312190802dc56c7b0d0ccebd

SHA1
58e200c00382b3d13c81c9e829da065ed45f5928

SHA256
e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4

SHA512
513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

Download Submit
memory/4892-23-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4892-27-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads