ardamax | a60bb5639ce74b653dd63a979ba79af58b139cc51531038c24d30626fb0477e4

General

Target

62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe
Size

1.3MB
MD5

62b49060fec089977f2b765de5c01c95
SHA1

73f5831615236f1657d50c1deacb2fff938a3170
SHA256

a60bb5639ce74b653dd63a979ba79af58b139cc51531038c24d30626fb0477e4
SHA512

25318b648a37fca44446574ce264b3d74338cad2e6b7d35d24287c89e6403999018b920f5d65616b779606b92b44084bbac49bb29ae5b4ab85f24c1ac9ab9290
SSDEEP

24576:uHVK/PmqiEGSQy/guUWg71mHc3zQWKI3/XdaxvBHle0ak4rU0g+Of5z3E:uIiEGHV7HYnccE

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9f-25.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	write.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	process32.exe

Executes dropped EXE 3 IoCs

pid	Process
3936	process32.exe
1108	write.exe
2584	FTS.exe

Loads dropped DLL 1 IoCs

pid	Process
2584	FTS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\siVjiNscyt = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tempfile.exe\""	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FTS Start = "C:\\Windows\\FSNAQI\\FTS.exe"	FTS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\FSNAQI\FTS.004	process32.exe
File created	C:\Windows\FSNAQI\FTS.001	process32.exe
File created	C:\Windows\FSNAQI\FTS.002	process32.exe
File created	C:\Windows\FSNAQI\FTS.exe	process32.exe
File opened for modification	C:\Windows\FSNAQI\	FTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	process32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FTS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe
Token: 33	2584	FTS.exe
Token: SeIncBasePriorityPrivilege	2584	FTS.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3148	wordpad.exe
3148	wordpad.exe
3148	wordpad.exe
2584	FTS.exe
3148	wordpad.exe
3148	wordpad.exe
2584	FTS.exe
2584	FTS.exe
2584	FTS.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 3936	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	85
PID 4868 wrote to memory of 1108	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	86
PID 4868 wrote to memory of 1108	4868	62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe	86
PID 1108 wrote to memory of 3148	1108	write.exe	88
PID 1108 wrote to memory of 3148	1108	write.exe	88
PID 3936 wrote to memory of 2584	3936	process32.exe	89
PID 3936 wrote to memory of 2584	3936	process32.exe	89
PID 3936 wrote to memory of 2584	3936	process32.exe	89

C:\Users\Admin\AppData\Local\Temp\62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62b49060fec089977f2b765de5c01c95_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\process32.exe
  C:\Users\Admin\AppData\Local\Temp\\process32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\FSNAQI\FTS.exe
    "C:\Windows\FSNAQI\FTS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\write.exe
  C:\Users\Admin\AppData\Local\Temp\write.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\process32.exe

Filesize
5KB

MD5
d2ed8fa3208e702b7d61728af768eed1

SHA1
54094aa272cb866a46c2ca5b56f4a094e0f48ffb

SHA256
9236208e312b2f47a0ef40e59fc0f364fc8e401717e1e46555c26bec8ab3de1f

SHA512
42442dc0b98f2abaea0c6516602d80df8a2a680278ecdc2b96fe5ce44685f7442347fd4ad13d9d99e0330cf0be7c0e9bbf22bd78c0173066221e430203c76313

Download Submit
C:\Users\Admin\AppData\Local\Temp\write.exe

Filesize
10KB

MD5
f8ed3b4b209e2cb49028e36cf06ca851

SHA1
71e0c405d0e615d55367df1bce4ceb19b3937a5c

SHA256
e46620bd4eb048fcb2a8f1541d2dbda8299e38e01a4eef9c4e7c3c43b96d0629

SHA512
87563891548b0eae7b410ad0877713216ed43c9160814a8bd14bc895eb8fafe2ab807d7666cf08e4882d8df2d46449d46bb347afe3bdcdb8034e533e135138b2

Download Submit
C:\Windows\FSNAQI\FTS.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
C:\Windows\FSNAQI\FTS.002

Filesize
43KB

MD5
93df156c4bd9d7341f4c4a4847616a69

SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1

SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

Download Submit
C:\Windows\FSNAQI\FTS.004

Filesize
1KB

MD5
9d329e80694c9ba8ce266d4cdf670a5d

SHA1
9aa99e4199ad6b842d81340ded2a5784c893b07c

SHA256
34997fd6fdc6136d9d0a5649d1bd572b278b4df9f0f43486660cf19da4759c80

SHA512
ac84eb12d056fdb2c2f243a3cefb51f5b956733caa4a198be23cf4fa6b3b8cb274cbe20d556dd0d66b1e2c589b5df95b05131a4f5658ec70e0d59be4f920900e

Download Submit
C:\Windows\FSNAQI\FTS.exe

Filesize
1.7MB

MD5
3cd29c0df98a7aeb69a9692843ca3edb

SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2

SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

Download Submit
memory/3936-16-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3936-5-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3936-8-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3936-28-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3936-9-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4868-0-0x00000000753F2000-0x00000000753F3000-memory.dmp

Filesize
4KB

Download
memory/4868-21-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-2-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-1-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads