ardamax | e2d86bbf7ad8127397c094465b1031249f91ee121be99c2cbfe45ed039b2cc92

General

Target

4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
Size

1005KB
MD5

4ad09d2e3b24851316cdf96f4221cf26
SHA1

e400de946cb81953bddf439ea95fd0e535209eea
SHA256

e2d86bbf7ad8127397c094465b1031249f91ee121be99c2cbfe45ed039b2cc92
SHA512

5a48e2be5956b6d0e1893f2c656b01bc6080316bfb1545e6208d2eedea7d2af3b72a97648c388552ec3f8cddf8dd119ff284c935c4dc1e2f82d901742defa728
SSDEEP

24576:bWwTucz5PcaTPJMb12YsEUFtFpfhd5TBTV:SwTuWHxMIY+FDpJxR

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cbc-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1140	UMUF.exe

Loads dropped DLL 7 IoCs

pid	Process
1820	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
1140	UMUF.exe
1140	UMUF.exe
1140	UMUF.exe
2104	WerFault.exe
2104	WerFault.exe
2104	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UMUF Agent = "C:\\Windows\\SysWOW64\\9283\\UMUF.exe"	UMUF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\9283	UMUF.exe
File created	C:\Windows\SysWOW64\9283\UMUF.001	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\9283\UMUF.006	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\9283\UMUF.007	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\9283\UMUF.exe	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\9283\AKV.exe	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2104	1820	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UMUF.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Web3.5 = "1729041853"	UMUF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1140	UMUF.exe
Token: SeIncBasePriorityPrivilege	1140	UMUF.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1140	UMUF.exe
1140	UMUF.exe
1140	UMUF.exe
1140	UMUF.exe
1140	UMUF.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1140	1820	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe	92
PID 1820 wrote to memory of 1140	1820	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe	92
PID 1820 wrote to memory of 1140	1820	4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ad09d2e3b24851316cdf96f4221cf26_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\9283\UMUF.exe
  "C:\Windows\system32\9283\UMUF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 920
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@C65D.tmp

Filesize
41KB

MD5
c103dd8cfc71e50400bb22e01cc90e74

SHA1
8e80d54d9927f351e557b99432af89dd4c5843ab

SHA256
647416d984740785203c48faea961dac06d5d465789a4764a68a3b7161ef0c99

SHA512
ea8f46086a542423cbbf90d9321e2bf2fa593e0aa7c3c40ca3fac22555caf7dca8d4ab30065860ad827d660e812f4b39cbe1dc05dadd1b71a56620170183444c

Download Submit
C:\Windows\SysWOW64\9283\AKV.exe

Filesize
486KB

MD5
2e451cf07d5556a2e5dec56484973795

SHA1
d4738db3a6f907de6971708d10682cfe227a701f

SHA256
7080859f952de87a0db34f7138fcd097c461d8d0b3757fa2a816553fd92533c0

SHA512
0a4a25b4712afe80d07530da18ea07bdcd4fe3e2a9e9feb844c36946b96840f3e91198243c4b6223d4968280f7c17635cdf8bbfa483a3c76c03f17e2714c87fa

Download Submit
C:\Windows\SysWOW64\9283\UMUF.001

Filesize
774B

MD5
a2c9176f696ef39f3dc035fee0322789

SHA1
a2e0c6bce19e1f2fec4861087f542bfc0cce093e

SHA256
3c37fc367ac61dbc3e3731dcd7a61966987494c9501729d65b8ecc0229861706

SHA512
14c987a41c448c537046a9485c56e39cbd4e4210a64331c5c6f65c98dce6dbc710fae9b32394bae15fbd11bb268f45e2df111648b9cc045b6d82c8b3e9e7713f

Download Submit
C:\Windows\SysWOW64\9283\UMUF.006

Filesize
60KB

MD5
8ca14e67822ef959b3934e6bc4caf5c4

SHA1
318d1a7b296bf7a9719160f55800fd4ed55fc458

SHA256
16ecec3e8e8fa9d72421e0823adc9811ecadee7ecd946bc14a24dffdd901e952

SHA512
5b26c6180d07b5c4b01d6207fe680f9443eda26a2a678d44a0c6f792549549b85adec1c09ab777f68bcd425d8e6b76b7f74bc25398eeae7ea4f3d652c2db95dd

Download Submit
C:\Windows\SysWOW64\9283\UMUF.007

Filesize
42KB

MD5
2cafc86224d99e34614a97f55f0a051a

SHA1
660e25698426da6d4e9040d6a445915af0a88622

SHA256
a533cd921eb312f7b77415bcb17e174a79b03771b65ce883d0be109418a9d378

SHA512
e235665aef221e93cb2c4fbb853c76d8d0105c03f52d8f514e583058cfb849192ea0b30cf149e4ae665f820f181abf670f271298dac01e04b4b64fe88f5ac1a5

Download Submit
C:\Windows\SysWOW64\9283\UMUF.exe

Filesize
1.2MB

MD5
c0e301bac810e4787b54a6fb3107fe6f

SHA1
146fc627271c7afa69fb14cd56f3ac53e0b06b54

SHA256
bd8bf5088c5e512e76a8be647925a434adc96d9add3afe3328a4df70b94cc2d0

SHA512
39c83705df36e43f2276070e1aae20da460919ab599b585e12af1ef6a8bd19cdd13fca18087665fe03016dcbc4aebd24ce03b439daa8b4ddfdfabd83786eb68d

Download Submit
memory/1140-22-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1140-26-0x0000000002490000-0x000000000249E000-memory.dmp

Filesize
56KB

Download
memory/1140-30-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads