ardamax | ab1fe1fe5fa13d93735123b47a4d29215146978d8fb26d4176c3bdeeb3b447fa

General

Target

8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
Size

3.0MB
MD5

8720ba5c05129f74e068a7d8096bd332
SHA1

568cf19b66f6656f6cf9d20070ea8531cb9a383b
SHA256

ab1fe1fe5fa13d93735123b47a4d29215146978d8fb26d4176c3bdeeb3b447fa
SHA512

b501974c9e7229936c476f4d59d239a4f58fbc768c4fce6a77878027df267bd2bb480e0752d51174abf33eb1c971d0a70439000ed5b312aa0e0fca8c93718576
SSDEEP

49152:S2sGvURF4T9QERWhQ6HBc+anFCbQGbm6J0+Ys6lAqFlAtp5odXQ5hB:BUve9Q0WhZBcgEUm6JDyAYlAt7ogD

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b9b-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	MGXW.exe

Executes dropped EXE 2 IoCs

pid	Process
1304	MGXW.exe
3176	sro_client.exe

Loads dropped DLL 8 IoCs

pid	Process
2268	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
1304	MGXW.exe
1304	MGXW.exe
1304	MGXW.exe
3176	sro_client.exe
3176	sro_client.exe
3176	sro_client.exe
1332	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MGXW Agent = "C:\\Windows\\SysWOW64\\Sys32\\MGXW.exe"	MGXW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\MGXW.006	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\MGXW.007	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\MGXW.exe	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	MGXW.exe
File created	C:\Windows\SysWOW64\Sys32\MGXW.001	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1332	1304	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sro_client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MGXW.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{E7ECAE24-E4D5-463D-8F05-DAE4243C1661}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{9BD64224-8CEA-41FB-8111-27E46E05A6F1}	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1304	MGXW.exe
Token: SeIncBasePriorityPrivilege	1304	MGXW.exe
Token: SeIncBasePriorityPrivilege	1304	MGXW.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1304	MGXW.exe
1304	MGXW.exe
1304	MGXW.exe
1304	MGXW.exe
1304	MGXW.exe
224	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1304	2268	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	84
PID 2268 wrote to memory of 1304	2268	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	84
PID 2268 wrote to memory of 1304	2268	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	84
PID 2268 wrote to memory of 3176	2268	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	86
PID 2268 wrote to memory of 3176	2268	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	86
PID 2268 wrote to memory of 3176	2268	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	86
PID 1304 wrote to memory of 3628	1304	MGXW.exe	114
PID 1304 wrote to memory of 3628	1304	MGXW.exe	114
PID 1304 wrote to memory of 3628	1304	MGXW.exe	114

C:\Users\Admin\AppData\Local\Temp\8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\Sys32\MGXW.exe
  "C:\Windows\system32\Sys32\MGXW.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1112
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\MGXW.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- C:\Users\Admin\AppData\Local\Temp\sro_client.exe
  "C:\Users\Admin\AppData\Local\Temp\sro_client.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1304 -ip 1304
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@B7A7.tmp

Filesize
4KB

MD5
070dbaaff6fc4389cf2f22d071d21c26

SHA1
536ecaadbcbcf2f4c16a7c47d8ee2f71921957da

SHA256
83ea6f0a401f215e90ca73b97575a56da6ca420872603179bd5db5ec76f85081

SHA512
8fdc34084f119dad46c0f4699acb0478a0b17bb065cb68527f556c16fb20891d7a69276ffd2c1d7568a2350112ddecc182c28fae8d0e7b77db88be9fd14f0609

Download Submit
C:\Users\Admin\AppData\Local\Temp\sro_client.exe

Filesize
7.2MB

MD5
011d6636c60fbaf9d0febcee68ea63e1

SHA1
043979cfc93ab50660141f1bf7d0002da96baeec

SHA256
f5c631ee4c700d37385de0b88cdbfaa6c0409abea4da681a48ff728caeedbf8f

SHA512
ad7ddd5650bd1cd078e93199e1a2a2a5530995660373708fffdeff4635108e2bc431accc53c13296f81ea324f3fde5fe0f37a256f497f7fe6b09bf29a3c87f5f

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\SysWOW64\Sys32\MGXW.001

Filesize
434B

MD5
f19f43c8367e0e7a975f33572dbe0750

SHA1
5604b137e3c67aab87404eef7c5d51aca62b9a74

SHA256
2a100867f815cfbaf97e4e57c67dc1ee023ef82cedb86e40976049837212b568

SHA512
8a3fefc2037a7f94f5855b3fccb38bbc6b97043245a847b7df7d7d0e676414435d191c2b72e33a49f16d3b03fd87e9513d411b633169cacbcb3ee3219360d3c4

Download Submit
C:\Windows\SysWOW64\Sys32\MGXW.006

Filesize
7KB

MD5
6d97151278f4a6c0273d92bed593e49a

SHA1
c2cbe640b2531f5b51ae461a4f213294b106c7e4

SHA256
7a572090797699c09c8f369f1d646d4340aea4c0bbd8f5383a3747478b99aa60

SHA512
0ec5bfb032c8d1d911faafbe63a4739d23dc3368f9d6b8b2fb4a6a92f9ae6c5e5e1a21acb879eef0ea592646c69483338504048cf16ed9be827cf6fbe70d63de

Download Submit
C:\Windows\SysWOW64\Sys32\MGXW.007

Filesize
5KB

MD5
5ff123f581e889ec2d72e5e91762250c

SHA1
036f31e9303b85dbc0bde419674654743b4135d4

SHA256
1dbf1be7742842553d83dd0c2b39855828c8be7715fd40d2ab464a2a13b82116

SHA512
21dc1dcd42bcd7f5ff28b3023141f6e58229c7b34a6deae966c3fb13f8c4e8aeeb20a4615bd0d2912441298d870c7a9a50667d6e7e58a16519f9051186616207

Download Submit
C:\Windows\SysWOW64\Sys32\MGXW.exe

Filesize
477KB

MD5
75f85a9486fbf3f06af7ee61303deca5

SHA1
e5df6099c029ae4a77d9e9a116992ff55a73a546

SHA256
54841077de626fa46dd196c12fae104d2669cd3ea7d8988ed8637fbe552ae200

SHA512
58f7a4dcb59ccb046b80165f34b62f00accd5c1ac58681f75b08177b07835ccee9b569508dab2115805b114e5839911aca1e762baad4a3002083a51bc97419e6

Download Submit
memory/1304-22-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1304-50-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads