ardamax | 519f9e2b62195e69015ba75647abb6f68c3a212ac158326373181c2ee0582938

General

Target

2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
Size

1.0MB
MD5

2dacbdfe164e8058e19f47adb34c7952
SHA1

2424eb596ea4ea068dbc7ed0a92b8832b25f1cdc
SHA256

519f9e2b62195e69015ba75647abb6f68c3a212ac158326373181c2ee0582938
SHA512

8459608c2b60bf55ae926372208ec3953293fb613c53c8a5126aa64a666660d8cff074795ff8d051dbf18bd41bfc03379eb9eb1b44d810dad5db7310c8f174fe
SSDEEP

24576:hbPTZuhrv2964f6EgrppvKx9s8wJIRkhbI0:h7TZuhi9Llkp4x9s8wti

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0031000000023b71-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	LIQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	LIQ.exe
3816	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LIQ Start = "C:\\Windows\\SysWOW64\\HVSMTG\\LIQ.exe"	LIQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HVSMTG\LIQ.004	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HVSMTG\LIQ.001	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HVSMTG\LIQ.002	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HVSMTG\AKV.exe	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HVSMTG\LIQ.exe	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HVSMTG\	LIQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LIQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2320	LIQ.exe
Token: SeIncBasePriorityPrivilege	2320	LIQ.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2320	LIQ.exe
2320	LIQ.exe
2320	LIQ.exe
2320	LIQ.exe
1500	OpenWith.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 2320	3816	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe	86
PID 3816 wrote to memory of 2320	3816	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe	86
PID 3816 wrote to memory of 2320	3816	2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2dacbdfe164e8058e19f47adb34c7952_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWOW64\HVSMTG\LIQ.exe
  "C:\Windows\system32\HVSMTG\LIQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HVSMTG\AKV.exe

Filesize
449KB

MD5
c9c6aba587fe42be25665749af41b886

SHA1
00a21ba1606bfdc82d28f6446098e7f449c25380

SHA256
ca69b6956a1d6008375b891f38325dce4ce53714eac11d6813ccf3c966b77256

SHA512
30bac4fd9675b08da828b54a479d83f2878acbb6c6a04d6d5a4b51a9932193ad82a2a8dde801549f915d821b3c43ec785a436de8cebd0f3e502c352d85919533

Download Submit
C:\Windows\SysWOW64\HVSMTG\LIQ.001

Filesize
61KB

MD5
95b07437917e9503258bb0be7ed990c9

SHA1
33ac620bc8ce3e81003f0ed8b2d86bbb78b0627a

SHA256
d2d7d89210612058fc0e25c006741b43470abe49e0cc6814ad74167e0360b082

SHA512
0f416247527c4c111a173aead637f69ca834d6839edb3cd4b5ea51341b968c6d33ac95e7c0efcca50ae600a45c4c87fd73d975dbb976300c8c6e9c8022df4916

Download Submit
C:\Windows\SysWOW64\HVSMTG\LIQ.002

Filesize
43KB

MD5
67d88bedc71d3d792be6670c1ef430f3

SHA1
b17be4fbdab99d43947eebf89a571c54dff378ee

SHA256
9854dc77f77358bdb1cdb66eaccb30c5ab7d0012628753a177018577e493ea85

SHA512
891e09ac0b7c2f996fd4c2349bcd15f7aee21f9e0c5ba19a5ca3b6783190d9bcd6890544ecc77faeb129ebffec23f2c951ffd5b68d61c2841754c7e5189276ae

Download Submit
C:\Windows\SysWOW64\HVSMTG\LIQ.004

Filesize
696B

MD5
b110d448903177ac7aba5b0477e0797d

SHA1
169333e673ba47e8c25e57f652344fd8d91d6fca

SHA256
7275903cddb0507bd20307a5c0d03ccdba757b6ec21c7caf925767693a02ba72

SHA512
f070050cdad722d45d6cd67cb98b05ecb0696f421e67c3b1290e8232fa8903bb79d4f5850cf2f666636aed74dac762a0fa22dbf73c7c0adf1973ec81aa2a8c65

Download Submit
C:\Windows\SysWOW64\HVSMTG\LIQ.exe

Filesize
1.4MB

MD5
0df9e23abc4065b8bb5d05dfbd763846

SHA1
4009325028ba008fe8c8cc45f58964a7b88aab26

SHA256
bae7e866a2a189073427edbaf6f0e1576b439356c6216a717452039f63b3b35b

SHA512
38ec2de32b0965a6596f1f43e7baafa2567600a123d5e59b5018aec10b0cc9f34e326bb48aeba4bb7ad07f352e8ba244da46212ba4256c9b99fa5c1ba25fe814

Download Submit
memory/2320-17-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2320-21-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads