ardamax | bef6ea859b7387f77309e0f1dc843904a4f08762ca30a8be5bf5f3399fe8a9b9

General

Target

80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
Size

1.9MB
MD5

80133af519d0a42d729e5b1a6ba5cb43
SHA1

b76849043cd0f51106d752b5bb475cd4a335d124
SHA256

bef6ea859b7387f77309e0f1dc843904a4f08762ca30a8be5bf5f3399fe8a9b9
SHA512

6e8c8571cd23149409f59a6ab5c48a16b8edd040fe563faa282a5f664916ed9afa7c63718206ff81f7041ac576f63131d5e1b7fd9e7c5367ed2712ca191d31b3
SSDEEP

49152:E7Tt4cdMdnMzRC/VH6WKIqC8zHc9W/u0dTJO7wmM3rI9:KzdMdM1C/ZBDX2HOl0vQwmM3r

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\VEGDVL\WCS.exe	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

WCS.exeESET4 Box4EVER_v4.30A1.exe

pid process

1816 WCS.exe
1584 ESET4 Box4EVER_v4.30A1.exe
Loads dropped DLL 3 IoCs

Processes:

WCS.exe80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exeESET4 Box4EVER_v4.30A1.exe

pid process

1816 WCS.exe
4156 80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
1584 ESET4 Box4EVER_v4.30A1.exe

pid	process
1816	WCS.exe
1584	ESET4 Box4EVER_v4.30A1.exe

pid	process
1816	WCS.exe
4156	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
1584	ESET4 Box4EVER_v4.30A1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WCS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WCS Start = "C:\\Windows\\SysWOW64\\VEGDVL\\WCS.exe"	WCS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/1584-33-0x0000000000400000-0x00000000004CE000-memory.dmp	autoit_exe

Drops file in System32 directory 6 IoCs

Processes:

80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exeWCS.exe

description	ioc	process
File created	C:\Windows\SysWOW64\VEGDVL\WCS.004	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VEGDVL\WCS.001	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VEGDVL\WCS.002	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VEGDVL\AKV.exe	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VEGDVL\WCS.exe	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\VEGDVL\	WCS.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ESET4 Box4EVER_v4.30A1.exe	upx
behavioral2/memory/1584-30-0x0000000000400000-0x00000000004CE000-memory.dmp	upx
behavioral2/memory/1584-33-0x0000000000400000-0x00000000004CE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ESET4 Box4EVER_v4.30A1.exe80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exeWCS.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESET4 Box4EVER_v4.30A1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WCS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ESET4 Box4EVER_v4.30A1.exe

pid process

1584 ESET4 Box4EVER_v4.30A1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WCS.exe

description pid process

Token: 33 1816 WCS.exe
Token: SeIncBasePriorityPrivilege 1816 WCS.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

ESET4 Box4EVER_v4.30A1.exe

pid process

1584 ESET4 Box4EVER_v4.30A1.exe
1584 ESET4 Box4EVER_v4.30A1.exe
1584 ESET4 Box4EVER_v4.30A1.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

ESET4 Box4EVER_v4.30A1.exe

pid process

1584 ESET4 Box4EVER_v4.30A1.exe
1584 ESET4 Box4EVER_v4.30A1.exe
1584 ESET4 Box4EVER_v4.30A1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WCS.exe

pid process

1816 WCS.exe
1816 WCS.exe
1816 WCS.exe
1816 WCS.exe

pid	process
1584	ESET4 Box4EVER_v4.30A1.exe

description	pid	process
Token: 33	1816	WCS.exe
Token: SeIncBasePriorityPrivilege	1816	WCS.exe

pid	process
1584	ESET4 Box4EVER_v4.30A1.exe
1584	ESET4 Box4EVER_v4.30A1.exe
1584	ESET4 Box4EVER_v4.30A1.exe

pid	process
1584	ESET4 Box4EVER_v4.30A1.exe
1584	ESET4 Box4EVER_v4.30A1.exe
1584	ESET4 Box4EVER_v4.30A1.exe

pid	process
1816	WCS.exe
1816	WCS.exe
1816	WCS.exe
1816	WCS.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe

description	pid	process	target process
PID 4156 wrote to memory of 1816	4156	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe	WCS.exe
PID 4156 wrote to memory of 1816	4156	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe	WCS.exe
PID 4156 wrote to memory of 1816	4156	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe	WCS.exe
PID 4156 wrote to memory of 1584	4156	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe	ESET4 Box4EVER_v4.30A1.exe
PID 4156 wrote to memory of 1584	4156	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe	ESET4 Box4EVER_v4.30A1.exe
PID 4156 wrote to memory of 1584	4156	80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe	ESET4 Box4EVER_v4.30A1.exe

C:\Users\Admin\AppData\Local\Temp\80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80133af519d0a42d729e5b1a6ba5cb43_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\VEGDVL\WCS.exe
  "C:\Windows\system32\VEGDVL\WCS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\ESET4 Box4EVER_v4.30A1.exe
  "C:\Users\Admin\AppData\Local\Temp\ESET4 Box4EVER_v4.30A1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESET4 Box4EVER_v4.30A1.exe

Filesize
767KB

MD5
56cf0e2a47c5357d2d8fead6ac87608b

SHA1
672c467f658e7a5e7e0de138479b2293f262c76c

SHA256
5d946a8264d80998689c41352aa6ff131b2076ab0ec685118c6d7180c471298b

SHA512
fcbf8b5f02463a2c4d528e0f12b7a7fb326555db014625fc0f2e76794e46928db5d07be26a73f8f2970c9d1e5f92e685929540eab950c8e55d434b0b25be9bde

Download Submit
C:\Windows\SysWOW64\VEGDVL\AKV.exe

Filesize
448KB

MD5
c49125a39e0ae69b1cc77040ba8a9441

SHA1
92941e9559d9b1a0a944595377b6c5d44b53a6a4

SHA256
f7e3d70532b7a0b04bde2fc3a9439b8a95ba7b89eff5f214ef53041a58c97524

SHA512
f61f42e500ebdd0559c420f05849265964e58aba7bb2be1095d41dddc1393ccf2191de0ed61d5fefd3957c4890c61fced1497481b76f158a12f7d95e626224c6

Download Submit
C:\Windows\SysWOW64\VEGDVL\WCS.001

Filesize
61KB

MD5
29136121b1c0307a02a8826477995613

SHA1
4dffe908036a21be56a9caa739ec1bf1cf9bd0ca

SHA256
f9dd403e696d2128cafe9a4bab54a28161745934df6d3479a066083a61515402

SHA512
2c7077ff82e948b9a9b6b16214dfdd11e222f07fb0a75aec59a9dafc29906907f24e0c625cefd5032321cc7883c00fd0abc7801f185983190f353b6dff2774c7

Download Submit
C:\Windows\SysWOW64\VEGDVL\WCS.002

Filesize
43KB

MD5
d977f26d7f7ffcb0f002813b55ff032d

SHA1
7e17b642dc1286908c18caba6fedb890de8fcc86

SHA256
2ce6c66843f0d0f156ae523f25d2cf4c9886fcae7b4f69deefbde4bc5328bf29

SHA512
e291f6acf5df88c52eb9232d55eb43fc08cbd423b7ae46148f710de909db49c04fc1d64e05b8e307ddd880134c525188109b94182ca99ea5934b66b9316e9e25

Download Submit
C:\Windows\SysWOW64\VEGDVL\WCS.004

Filesize
690B

MD5
9efee5f66330f55f621e352a926159e5

SHA1
abd239c05d3c933d8f9d25b723e38bdd4027b696

SHA256
06172a780a541f3cad17ac55d6ac1192afc1162bcd9bce735ec6f43d7975b96d

SHA512
02f61f762b833e5354ac7471584f0a95fb5d0815ca0e9c254313d42677b502db1457cb2e1c0a0dfc320354eef498bbf44537eeaf551c335afdc7d73effe875c9

Download Submit
C:\Windows\SysWOW64\VEGDVL\WCS.exe

Filesize
1.4MB

MD5
27a49221ba75a90934342bbe70f6c954

SHA1
751e322d6f7e46c132f0f97c56d60344248f1959

SHA256
946611f5091452aa46310d3ba8a885e808617b8ae9c57a468f7fe3abda4b052d

SHA512
9476f49d2e3c10f3e5cd91313e03405f944bc9887fd65e6c2236caab3a42e2c9a5392d7c34f6c5787a7dc8c3cfd43a3a90a6e052176aa60a43da0327d7ff78d6

Download Submit
memory/1584-30-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1584-33-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1816-17-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1816-32-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads