ardamax | a1cd5999912fc8aab71c72e6854a46c316e92f72712e18925c529f1bd7701ac8

General

Target

825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
Size

503KB
MD5

825eef10d648a3e457fc5c5c0282f9ad
SHA1

104d982d560991099302eb4d85cce5d02709fda1
SHA256

a1cd5999912fc8aab71c72e6854a46c316e92f72712e18925c529f1bd7701ac8
SHA512

958b44b8aca36d0e5fb52c6a8c82b5062e9470863a4482e0a501c7f0e82dddc1ae723ceed2047cb7cc7a2e94118e1038b43c6e10029ca3b559cf27e994ae661c
SSDEEP

12288:qne9dh6ZeN7qysPgD7FGyUcJUhPGLV/JPR/s2wwv:d9ZN7qX+7IyU5EReKv

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c33-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	LIRE.exe

Executes dropped EXE 1 IoCs

pid	Process
1368	LIRE.exe

Loads dropped DLL 8 IoCs

pid	Process
1200	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
1368	LIRE.exe
4396	NOTEPAD.EXE
1368	LIRE.exe
1368	LIRE.exe
4396	NOTEPAD.EXE
4396	NOTEPAD.EXE
1820	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LIRE Agent = "C:\\Windows\\SysWOW64\\Sys32\\LIRE.exe"	LIRE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	LIRE.exe
File created	C:\Windows\SysWOW64\Sys32\LIRE.001	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\LIRE.006	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\LIRE.007	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\LIRE.exe	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1820	1368	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LIRE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4396	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1368	LIRE.exe
Token: SeIncBasePriorityPrivilege	1368	LIRE.exe
Token: SeIncBasePriorityPrivilege	1368	LIRE.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1368	LIRE.exe
1368	LIRE.exe
1368	LIRE.exe
1368	LIRE.exe
1368	LIRE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1368	1200	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe	84
PID 1200 wrote to memory of 1368	1200	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe	84
PID 1200 wrote to memory of 1368	1200	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe	84
PID 1200 wrote to memory of 4396	1200	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe	85
PID 1200 wrote to memory of 4396	1200	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe	85
PID 1200 wrote to memory of 4396	1200	825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe	85
PID 1368 wrote to memory of 1192	1368	LIRE.exe	102
PID 1368 wrote to memory of 1192	1368	LIRE.exe	102
PID 1368 wrote to memory of 1192	1368	LIRE.exe	102

C:\Users\Admin\AppData\Local\Temp\825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\825eef10d648a3e457fc5c5c0282f9ad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\Sys32\LIRE.exe
  "C:\Windows\system32\Sys32\LIRE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\LIRE.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1192
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Tutorial.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1368 -ip 1368
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8453.tmp

Filesize
3KB

MD5
2faa832b62991d302b56093477a76363

SHA1
2a26e0173a78c9c106ea799cce92ea163b44a345

SHA256
a2076664d1267efa8b69a307b0cbde8521631f2789e06f5caa96799e7f34de48

SHA512
20da18fb1350a441517498a1efeae9a21ead7592f9cdae724973c58385765100a2de5651fa991cdcc4668be777fe26bfba969dbc9706f16a54f5be258a84f347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tutorial.txt

Filesize
61B

MD5
c47c45bc16c077e0180c46710ce54d18

SHA1
977868f75b7e8fac74a0b49487a5777ec61fe76a

SHA256
29c4303eb2e1a9eb84c4297d8c69a1de1411ad429532c308bc7b2f8dd121c1e8

SHA512
559d03f1b5fa3c05f2501e1313ece3ff1f0f0b97565dbe8c8dc9302dc10940fa6d87f7d65a2ea1f019ac5fa9cbd111162eaf145bc317d95ce9d2cd3684b99711

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
0a4d2002c7355a6c0d8e846fe02e7e89

SHA1
cc1bf70d3d718d3d3dc1b43405d36285933feac7

SHA256
be2cc3bda4c0e231ebae65a7c79ed1313d422e5fb2f871330080f8ca1792e455

SHA512
9e229232bbc8e4faa0ea63e1069000c2e1582a5d7b72abb5535b003d339a0984b08a34a86b36e17dad61277f0456fe98fab2dbcd2db493feee927892ef7cba57

Download Submit
C:\Windows\SysWOW64\Sys32\LIRE.001

Filesize
448B

MD5
8aa7b74d76efa8c439665222c54d6564

SHA1
0f19873f53ac5a6f91032b969af8544c80f999fd

SHA256
51ca0277014fe3807225507f8e1c7c9aead46f6fc9f0e3f1658c40422683db5e

SHA512
ee109a336634aa632c07f2dc02880b6c029b39c8a63d0beea4b7371117639840317dab88d4fe2388c8020b17bc585e8fc342815828421f964255cfad69a772b1

Download Submit
C:\Windows\SysWOW64\Sys32\LIRE.006

Filesize
7KB

MD5
8013928e1446be1b8e77ca35211fd17e

SHA1
c03a6c0516d1763bacc4da535383d3b4ddb506c3

SHA256
d82bb0b7a29a9500a79e52b2ea84ea244f250cc7ff25174aa4ed5826d6b9c828

SHA512
d5e55bb8dda7f44918bafb16098d39e363237053f84377d5d591d9010b0f14a6eb2260f9dd356e32e133ab2a42c1debed0424fbe7de932d8d363ac8a09a7660f

Download Submit
C:\Windows\SysWOW64\Sys32\LIRE.007

Filesize
5KB

MD5
bb3520f108916b0967e74a9167b44925

SHA1
29dd637355ec7d38955af75775a72ac32903d40c

SHA256
f9be7b7c760a59f4d98213f4f80d45e405d1d0ac564d4f880ec820da178d45e5

SHA512
7700bf7e8fd15df753bc83b8e243e4b62095824b8bea3f40d7213a5c6307f17d9fbab2f6c737e19ede5330539014ba6c583b25bd2d58b05f05f23683affe1d53

Download Submit
C:\Windows\SysWOW64\Sys32\LIRE.exe

Filesize
475KB

MD5
3d9eaf31ec5138624f1cf21706264bd6

SHA1
f2c397f042c38862034333ed3c142a54896e0305

SHA256
17c47ecc3481cb85c0336e7bd58f141f54fa1bbe604892c41d3e6a1945b43811

SHA512
a849c329950bb015cc32624968c39c9f3f70fb37500e0292bbccb79a6413d4088d68d481e3c8c2ac0b8975b885387abe581d597892d906e357ac573c3525ed9e

Download Submit
memory/1368-23-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1368-33-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads