ardamax | 78f0ece4ea65947d76d9035ec0a8fd7089fce7cb41f50e33e085eacfdd5c001a

General

Target

7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
Size

2.5MB
MD5

7e1248e1bf6e55db50994e9db2068e33
SHA1

4165df8ddcccf6f44c758757e8f0bf9f8bba3544
SHA256

78f0ece4ea65947d76d9035ec0a8fd7089fce7cb41f50e33e085eacfdd5c001a
SHA512

119f21e73416564c4a59046799215d210170b79c02bcb01504d25d04fcbd4b989bd09d55a0396eccd0d1027fdcd60e0eb2087e5bb5854730b02f8699c289e503
SSDEEP

49152:TwtJ0i/cgvnpUlLif3hAmaL5ZtQV803MJAoYvT94g6pvA3G7k:8tN/cCnpUlufGtQ3MJAoET0pvA3G7k

Score

10^/10

ardamax discovery evasion keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\28463\NSEQ.exe	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exerootZyn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	rootZyn.exe

Executes dropped EXE 2 IoCs

Processes:

rootZyn.exeNSEQ.exe

pid process

4836 rootZyn.exe
1036 NSEQ.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

Loads dropped DLL 7 IoCs

Processes:

rootZyn.exeNSEQ.exe7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

pid	process
4836	rootZyn.exe
1036	NSEQ.exe
1036	NSEQ.exe
1036	NSEQ.exe
1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NSEQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NSEQ Agent = "C:\\Windows\\SysWOW64\\28463\\NSEQ.exe"	NSEQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

Processes:

rootZyn.exeNSEQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\28463\NSEQ.007	rootZyn.exe
File created	C:\Windows\SysWOW64\28463\NSEQ.exe	rootZyn.exe
File opened for modification	C:\Windows\SysWOW64\28463	NSEQ.exe
File created	C:\Windows\SysWOW64\28463\NSEQ.009	NSEQ.exe
File created	C:\Windows\SysWOW64\28463\NSEQ.001	rootZyn.exe
File created	C:\Windows\SysWOW64\28463\NSEQ.006	rootZyn.exe
File opened for modification	C:\Windows\SysWOW64\28463\NSEQ.009	NSEQ.exe
File created	C:\Windows\SysWOW64\28463\key.bin	rootZyn.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	rootZyn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

pid process

1544 7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NSEQ.exe7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exerootZyn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSEQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rootZyn.exe

Modifies registry class 26 IoCs

Processes:

NSEQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\DMRServer.dll"	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\FLAGS\ = "0"	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\ = "Dogiza class"	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\LocalServer32	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\LocalServer32\	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\ProgID\ = "OneNote.Application.14"	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\0\	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\TypeLib\	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\InprocServer32	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\InprocServer32\	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\ProgID	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\FLAGS	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\FLAGS\	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\TypeLib\ = "{49E4D472-5950-66E9-519E-3360924552A9}"	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\ONENOTE.EXE"	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\ProgID\	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\ = "Digital Media Renderer"	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\0\win64	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\0\win64\	NSEQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49E4D472-5950-66E9-519E-3360924552A9}\1.0\0	NSEQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE13B868-1971-4D39-27A2-0734D9103719}\TypeLib	NSEQ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

pid process

1544 7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
1544 7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NSEQ.exe

description pid process

Token: 33 1036 NSEQ.exe
Token: SeIncBasePriorityPrivilege 1036 NSEQ.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

NSEQ.exe

pid process

1036 NSEQ.exe
1036 NSEQ.exe
1036 NSEQ.exe
1036 NSEQ.exe
1036 NSEQ.exe

pid	process
1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe

description	pid	process
Token: 33	1036	NSEQ.exe
Token: SeIncBasePriorityPrivilege	1036	NSEQ.exe

pid	process
1036	NSEQ.exe
1036	NSEQ.exe
1036	NSEQ.exe
1036	NSEQ.exe
1036	NSEQ.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exerootZyn.exe

description	pid	process	target process
PID 1544 wrote to memory of 4836	1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe	rootZyn.exe
PID 1544 wrote to memory of 4836	1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe	rootZyn.exe
PID 1544 wrote to memory of 4836	1544	7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe	rootZyn.exe
PID 4836 wrote to memory of 1036	4836	rootZyn.exe	NSEQ.exe
PID 4836 wrote to memory of 1036	4836	rootZyn.exe	NSEQ.exe
PID 4836 wrote to memory of 1036	4836	rootZyn.exe	NSEQ.exe

C:\Users\Admin\AppData\Local\Temp\7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7e1248e1bf6e55db50994e9db2068e33_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\rootZyn.exe
  "C:\Users\Admin\AppData\Local\Temp\rootZyn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\28463\NSEQ.exe
    "C:\Windows\system32\28463\NSEQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8CFE.tmp

Filesize
4KB

MD5
f4523b5a3e4add9f35a2b2313db6117c

SHA1
cf63375a6c554829b548e125fb1458216d8b7c37

SHA256
b962debb1389f8eddcd8cecaf7f847c2c60ac1f5d9bd8870aa9dc0023702ba53

SHA512
6450e683a2eedc944084b73587810e987e0e8bc105b8036f630fa3d12f4caac4d1ddb42dff9436f9eb4a441d0d034f4fda0e8bb0bb9f1d59ab520ddcd2081dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rootZyn.exe

Filesize
1.2MB

MD5
130dc6d4daf2b252aad2af3b4141e180

SHA1
1071ec7a45c8cd1f3e06f80851d6ff470ca50000

SHA256
ac26ffec5a93399c41695a66e2dd04ee23d0a73ec36ed366bfcfb1abc1268c34

SHA512
34d5a9740e8d235089a5a2794e971ac557b8f82a70ea6d8f4a29f4ed86b07ba5fa12fd04f0570092cb5bdc0e67c92cee1d2d5ecf192bbd735a843db642a0b283

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\NSEQ.001

Filesize
466B

MD5
0186a4e42c9940669b6cd3d4f5aabb33

SHA1
816763aeb1cfd0d6d38237f9cb28847a48ec3625

SHA256
579b94a827e502795880bfcfe36b6220556faca110c83f7ffd3b87becfc2b9aa

SHA512
6d399e4d9c5410181a1cc4540a5c646454095e7d72aec481a21d4916f44fa49521d5ddf2c8fced79032e82dcaa380891ff5afe315a6be9cb74111537db0d3a3d

Download Submit
C:\Windows\SysWOW64\28463\NSEQ.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\NSEQ.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\NSEQ.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/1036-64-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1036-56-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1036-50-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1036-33-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1544-47-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-57-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-45-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-46-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-0-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-48-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-4-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-51-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-53-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-55-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-3-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-19-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-59-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-63-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-2-0x0000000000401000-0x000000000042A000-memory.dmp

Filesize
164KB

Download
memory/1544-65-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-67-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-69-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-71-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-73-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-76-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download
memory/1544-78-0x0000000000400000-0x00000000008F0000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads