ardamax | e1119169e982255f08a1184a8da59b4eb10232131a3ae773df77f2f7ac404c00

General

Target

453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
Size

564KB
MD5

453f68c9d9a808022fce0ddaa0ce3612
SHA1

e2b987661704fdf7f902b385a3b24c6ab4f6296a
SHA256

e1119169e982255f08a1184a8da59b4eb10232131a3ae773df77f2f7ac404c00
SHA512

f6f447ffa4e288a8ba99389147603364b0edf6c8d59f9f05d5087c13b3e51cb8d64b9cf47c879704900f1dd9caa49bc48e6616150a68fbcb515b8c82b9642722
SSDEEP

12288:1hq/CZhbmlqkJFNlV+40GcNtobu1xZZw3fvSVN4OMwUD5y7wc9xd/twNC:HRZhbmlqkJFNv+HGXbu1Gvv6N3Gowc9p

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca4-19.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	tmps.execu

Executes dropped EXE 2 IoCs

pid	Process
1788	tmps.execu
2376	GLMH.exe

Loads dropped DLL 4 IoCs

pid	Process
1788	tmps.execu
2376	GLMH.exe
2376	GLMH.exe
2376	GLMH.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GLMH Agent = "C:\\Windows\\SysWOW64\\28463\\GLMH.exe"	GLMH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\GLMH.006	tmps.execu
File created	C:\Windows\SysWOW64\28463\GLMH.007	tmps.execu
File created	C:\Windows\SysWOW64\28463\GLMH.exe	tmps.execu
File created	C:\Windows\SysWOW64\28463\AKV.exe	tmps.execu
File opened for modification	C:\Windows\SysWOW64\28463	GLMH.exe
File opened for modification	C:\Windows\SysWOW64\tmps.execu	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\GLMH.001	tmps.execu

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLMH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmps.execu

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\PresistentHandler	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\ = "exefile"	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\Content Type = "application/x-msdownload"	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.execu\PresistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2376	GLMH.exe
Token: SeIncBasePriorityPrivilege	2376	GLMH.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2452	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
2376	GLMH.exe
2376	GLMH.exe
2376	GLMH.exe
2376	GLMH.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1788	2452	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe	84
PID 2452 wrote to memory of 1788	2452	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe	84
PID 2452 wrote to memory of 1788	2452	453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe	84
PID 1788 wrote to memory of 2376	1788	tmps.execu	86
PID 1788 wrote to memory of 2376	1788	tmps.execu	86
PID 1788 wrote to memory of 2376	1788	tmps.execu	86

C:\Users\Admin\AppData\Local\Temp\453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\453f68c9d9a808022fce0ddaa0ce3612_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\tmps.execu
  "C:\Windows\system32\tmps.execu"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\28463\GLMH.exe
    "C:\Windows\system32\28463\GLMH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A6FE.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
394KB

MD5
10e53b4b4502bab5358837983b15d83e

SHA1
2845bb0d6667be127bab7676b6800994239850ce

SHA256
e91b458384ad38f5e81766bc7ae213025f27f30c69b72550731159aa60d62910

SHA512
35b2071598af5840ed0843e39f81b778660310725975c2b2cc8cd20ad37954bea04c4a2f173cdaffa467e9585b7f573b99fd444f659d11360bd7a8219c851cd7

Download Submit
C:\Windows\SysWOW64\28463\GLMH.001

Filesize
516B

MD5
c595cdffc9c616a8cf5cff727dededc2

SHA1
b8a332a24d5765951f484dcc934a425bb9d28ed6

SHA256
c7f0fd693f46b8368a433fa4bd92b3da780784cecb69c636d60a4704dc5c6e1b

SHA512
a86e9e4b91077dfaa2038fe9c41c54a0fc51e2ff909ed0eb7cd45d26f5d2ac335314c1a6a2e125107cf6c8a28953412c6f52b6e384bc15c2af2f6cad9091aa72

Download Submit
C:\Windows\SysWOW64\28463\GLMH.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
C:\Windows\SysWOW64\28463\GLMH.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
C:\Windows\SysWOW64\28463\GLMH.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
C:\Windows\SysWOW64\tmps.execu

Filesize
508KB

MD5
9bbc3bc4e687f0aeb278a90b7182964a

SHA1
1d79a8a325fb3aa067803bd4476c6ba80e96e00d

SHA256
fd61e7301c7732e9fef9f8e83943a3796eb633a7fa8181374e9b3f71136c8de0

SHA512
998efee23733383680eafbbedbf4b00f487db8da87c888af5878ba69bf55b34cbcca420ee08c98ac2d18930273619792b9bd0b3c56f285a31fa6230b39fbd293

Download Submit
memory/2376-31-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2376-35-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads