ardamax | 662430432d7d3b5dbbe4617e35a62f1c5d936a503a9fb40f6813acab471c2f19

General

Target

86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe
Size

1.1MB
MD5

86258ec2b0f4deed7884bafb13fc14ff
SHA1

f6d38d10e26435bf8b9ad4c85264f8eac2e3747c
SHA256

662430432d7d3b5dbbe4617e35a62f1c5d936a503a9fb40f6813acab471c2f19
SHA512

253ed313ca4a8f3fd90bca1707a660b70ec5a9071aa13bbce833a54dcf19586e919812b6e0996b5881c8882ea5b8e31c24c9ad560ba2c617636561f6f028e2a4
SSDEEP

24576:LesT4eB1GjMWN7jMWNpIAUl2W8QLL3/3poVA7geYdBp0Ky1Qb8PqmbR:L3T4eBQjMWN7jMWNBq/L3hJsp0Ky1Qb+

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b80-7.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	KXL.exe

Executes dropped EXE 1 IoCs

pid	Process
968	KXL.exe

Loads dropped DLL 1 IoCs

pid	Process
968	KXL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KXL Start = "C:\\Windows\\SysWOW64\\TJDVPB\\KXL.exe"	KXL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TJDVPB\KXL.exe	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TJDVPB\	KXL.exe
File created	C:\Windows\SysWOW64\TJDVPB\KXL.004	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TJDVPB\KXL.001	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TJDVPB\KXL.002	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Web3.6 = "1730560902"	KXL.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	968	KXL.exe
Token: SeIncBasePriorityPrivilege	968	KXL.exe
Token: SeIncBasePriorityPrivilege	968	KXL.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
968	KXL.exe
968	KXL.exe
968	KXL.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 968	1188	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe	86
PID 1188 wrote to memory of 968	1188	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe	86
PID 1188 wrote to memory of 968	1188	86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe	86
PID 968 wrote to memory of 4512	968	KXL.exe	101
PID 968 wrote to memory of 4512	968	KXL.exe	101
PID 968 wrote to memory of 4512	968	KXL.exe	101

C:\Users\Admin\AppData\Local\Temp\86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86258ec2b0f4deed7884bafb13fc14ff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\TJDVPB\KXL.exe
  "C:\Windows\system32\TJDVPB\KXL.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\TJDVPB\KXL.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TJDVPB\KXL.001

Filesize
60KB

MD5
4d27afcd3bc55a673ac837b0843ae3a6

SHA1
84ba0f52ca5dce772e72eefc91db9dbf92ea3af9

SHA256
bd16730cf1ad55455d3e01528db4112250d304bbe51f726eb7b9548b08abb6cd

SHA512
b032514230a06b6c56f21511c397e1c15e150cad34e7dd9521d1e937f2ad4246deb64f5a62fe1a13baa472730f81c86cc49db629c763a7d831995a6f872d718f

Download Submit
C:\Windows\SysWOW64\TJDVPB\KXL.002

Filesize
42KB

MD5
e79dd15e468db97575743ccc5d3ff8d2

SHA1
bf39037ad7e0c8834c9d71fb6461e217dda3d58e

SHA256
6ca86deb3f23decc00de2e3aee0544164e7de527781c714591377a9428c7257e

SHA512
1fe7e2ce5ba62dbe04e2ee5da5aa874506066711f270e624ff471b68e7c44ec16fb0751e074d15488a9680ee03350f0ac1e58626d44400727b62ed77427a80a8

Download Submit
C:\Windows\SysWOW64\TJDVPB\KXL.004

Filesize
608B

MD5
c9b0c01fce3d66c53763d368ef7374e0

SHA1
3916c47d06952ae27ef81d7dafd140271186ae3c

SHA256
44e20b5eab8e2f5386ec82717f58a042c5cdfb16a5d9ceab1bc488373fb9badd

SHA512
618d6f4999f03d64cccb875b048f2dba28882beb2d1cebe18ca2dd38de5e2fe196ed70e95496bf7a195deddfa370530568a5e24f4722744d6d84833acb6b0f46

Download Submit
C:\Windows\SysWOW64\TJDVPB\KXL.exe

Filesize
1.4MB

MD5
3e0f8d178e37f27c9a7bebd425a71822

SHA1
0dab0ca8e4d7741f4a53901b906566a06f83b33f

SHA256
187df1cefc9dbc3a7d6febdc4ad03cac8e15fcae8078605d632771606c5d7c3b

SHA512
684b7418c603008f0247023b57156cc83eecd3cb0a094a55bd12ca33bbb622c12f09539c2be0a2be4716c5b33b1859901251cce3ea81092549290b705afec023

Download Submit
memory/968-14-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/968-16-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads