ardamax | c9478d5c941e82c3979d3b8a9ddfa253db268f24daf5534b9ee243600d8be5fe

General

Target

774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
Size

566KB
MD5

774e06db0c880a85059f50f6d566386b
SHA1

ef246badd7e5590c5b0ef33a711e36c7794b7790
SHA256

c9478d5c941e82c3979d3b8a9ddfa253db268f24daf5534b9ee243600d8be5fe
SHA512

e049a5bcfa627ff293ae7647b8a3a6a6b8e27679530b657b98cb6e09a1bf2341c87f5d0e4858ce0f9f6a7fff4844b003bed83ec77130b1b78c9f60282efc7f57
SSDEEP

12288:FtU8E3hZrKJBipU5yrQyGtEqTK78ap1sprEETQDtonarE3LusCDoEm4:PUL3hZWrfyr78rTMOaYzJS

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b71-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	TND.exe
3480	Launcher.exe

Loads dropped DLL 5 IoCs

pid	Process
4156	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
2936	TND.exe
2936	TND.exe
2936	TND.exe
3480	Launcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TND = "C:\\Windows\\SysWOW64\\Sys\\TND.exe"	TND.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\TND.001	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\TND.006	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\TND.007	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\TND.exe	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys	TND.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TND.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2936	TND.exe
Token: SeIncBasePriorityPrivilege	2936	TND.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2936	TND.exe
2936	TND.exe
3480	Launcher.exe
3480	Launcher.exe
2936	TND.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 2936	4156	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe	84
PID 4156 wrote to memory of 2936	4156	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe	84
PID 4156 wrote to memory of 2936	4156	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe	84
PID 4156 wrote to memory of 3480	4156	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe	86
PID 4156 wrote to memory of 3480	4156	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe	86
PID 4156 wrote to memory of 3480	4156	774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\774e06db0c880a85059f50f6d566386b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\Sys\TND.exe
  "C:\Windows\system32\Sys\TND.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@6E98.tmp

Filesize
4KB

MD5
3f7d2f5330a268d87032e7485cf5863f

SHA1
b2b5270be96137acfd5be89785e11349fbe3c9b9

SHA256
64fdf2bb9073999fa36a3f7c4aeb42ef0cfbb989aaa18069a1a69d8075409138

SHA512
3a0a065c8f79d24f1fbb46e952a696a98a8d05ce06685dc67a8e81cd0c14990c0a9b8ef82870b3e4e38ad5abdc3669434d1844cca837de410d4c0abe982315a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
312KB

MD5
423f0f6845e49b1b00fcf5ba9345217c

SHA1
eb54a8d0478858e2cf61b1e2d3e5d00c4f74a518

SHA256
9701f6351a40fdd887689913deb968f521b29e5e50b1d9862aed97ea4fc4d356

SHA512
6179716b5d07fec99172d47ded8078ba5842bdf0c9c40b33f4fb3bba0590c5b4e54c938b7f64ad5ccae28ac44b3353a9004139f1cdabeb001cefc4f4b76cb338

Download Submit
C:\Windows\SysWOW64\Sys\TND.001

Filesize
3KB

MD5
e08177d4e7338f421e318f381d832a2c

SHA1
9ee6fe8be4b540bc9486d1cdd326bacf3ea8ff0c

SHA256
231b47eea9dc0a29860a9f82afad0671a968803db5239955cf4a1021f3cb22aa

SHA512
5de8ffdcc482c744fa09be5925cb7169b3c9ddd389cb1a4818efc1bffa9e2056bf2a4da57fa9437f43ffc018c3c209d90bc891b0d510589df681f9b7be1defc4

Download Submit
C:\Windows\SysWOW64\Sys\TND.006

Filesize
5KB

MD5
5030abad48124a2602b6c92f16b5af0e

SHA1
0bdb4bc9341d00ed035c3814d9872d254af160b8

SHA256
399b2f9759183393df584af3bc75739224e7e05c77e9f5830782fccb01974d48

SHA512
ed087615100900e6886b3f204e17f723b631f09caa4aa645247bd268606857d81799a82306e242ac3977523b6d9d4a0cb0d1cbd94279e6647cc258a976606148

Download Submit
C:\Windows\SysWOW64\Sys\TND.007

Filesize
4KB

MD5
de928b5da2aa61f79788fb52f9fc764d

SHA1
eafe870c5208335fa3a6480d70aa3ab2373d324c

SHA256
c6edef1f4ce1b891443798a522a64d30b2843f9e74a5f97664b4e467c8f19273

SHA512
b2eee3e5c74dfeef522c0823922f7f6ad837646bf7954d7de68a6976ac55bee1af921687d7af2f657f248c88b54603c465277b34258ec510c85bf8b51c1fe8d7

Download Submit
C:\Windows\SysWOW64\Sys\TND.exe

Filesize
460KB

MD5
5d6ab450b17f4b783f11958ea941008e

SHA1
cdbd0a69fa73d9e0ad5704517dab1c96f018f729

SHA256
e3bf498b7353baa701363d216ca1b8766f82ff6e851d0585958476e36bf1143d

SHA512
b34ad4d6182923d75b3e42e08b40bea18ae8c9b05c70bd4bae490cb9a44335b57d206a2b620d74d033b38eca5cb16123fca1015585c00944f7f2500bc02224e5

Download Submit
memory/2936-40-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2936-33-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3480-28-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3480-39-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3480-34-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3480-42-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3480-44-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads