ardamax | 5648e7f0c1c172d3a1a0a6138545833d08179509924729e4d945841c68f2ef6d

General

Target

943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe
Size

1.4MB
MD5

943a1bf091abdb69bceb69deeb02b6ce
SHA1

64539fd7fd1c1d245f82b2ae23f51a94c283ff40
SHA256

5648e7f0c1c172d3a1a0a6138545833d08179509924729e4d945841c68f2ef6d
SHA512

c54a7620f65514998b2c1151f86226208b5a7eef53e0be31d141a5620ea0c877f59f808cd2203d4f7676602f833cfb9b4e63f2a589017a78d2aec6f794de357f
SSDEEP

24576:JbPTojo66fP6fDn/wycw83Iefrj7llQRccdnZB7p2AetQp:J7Tojo9nw4ycwSIefrgRccdnZBcAet

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023ace-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

VBP.exesetup.exeis-TI2N9.tmp

pid	Process
2952	VBP.exe
3416	setup.exe
2832	is-TI2N9.tmp

Loads dropped DLL 4 IoCs

Processes:

VBP.exe943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exesetup.exeis-TI2N9.tmp

pid	Process
2952	VBP.exe
4216	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe
3416	setup.exe
2832	is-TI2N9.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VBP.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VBP Start = "C:\\Windows\\SysWOW64\\XCWVKV\\VBP.exe"	VBP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exeVBP.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\XCWVKV\VBP.exe	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XCWVKV\	VBP.exe
File created	C:\Windows\SysWOW64\XCWVKV\VBP.004	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XCWVKV\VBP.001	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XCWVKV\VBP.002	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XCWVKV\AKV.exe	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

Processes:

is-TI2N9.tmp

description	ioc	Process
File created	C:\Program Files (x86)\Capcom\Resident Evil 4\unins000.dat	is-TI2N9.tmp
File created	C:\Program Files (x86)\Capcom\Resident Evil 4\is-1OGD9.tmp	is-TI2N9.tmp
File created	C:\Program Files (x86)\Capcom\Resident Evil 4\is-DMJ73.tmp	is-TI2N9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

VBP.exesetup.exeis-TI2N9.tmp943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-TI2N9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

VBP.exe

description	pid	Process
Token: 33	2952	VBP.exe
Token: SeIncBasePriorityPrivilege	2952	VBP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

VBP.exe

pid	Process
2952	VBP.exe
2952	VBP.exe
2952	VBP.exe
2952	VBP.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exesetup.exe

description	pid	Process	procid_target
PID 4216 wrote to memory of 2952	4216	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe	84
PID 4216 wrote to memory of 2952	4216	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe	84
PID 4216 wrote to memory of 2952	4216	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe	84
PID 4216 wrote to memory of 3416	4216	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe	85
PID 4216 wrote to memory of 3416	4216	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe	85
PID 4216 wrote to memory of 3416	4216	943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe	85
PID 3416 wrote to memory of 2832	3416	setup.exe	86
PID 3416 wrote to memory of 2832	3416	setup.exe	86
PID 3416 wrote to memory of 2832	3416	setup.exe	86

C:\Users\Admin\AppData\Local\Temp\943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\943a1bf091abdb69bceb69deeb02b6ce_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\XCWVKV\VBP.exe
  "C:\Windows\system32\XCWVKV\VBP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\is-DO7PC.tmp\is-TI2N9.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DO7PC.tmp\is-TI2N9.tmp" /SL4 $10004E "C:\Users\Admin\AppData\Local\Temp\setup.exe" 52736 0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DO7PC.tmp\is-TI2N9.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
392KB

MD5
296a4b5f6c15bb19b4d922f98a07d9b5

SHA1
7f991084bdc6f413432eedaf98bebb9908bf0890

SHA256
d482a0dd5d72cb2e02e54688ce31fb5da4d320ae2df84c7856cea71788494412

SHA512
f9a46b412cfaddf247a6fa983d649b844df5536b4d793c01467231cdd20439f2fe67e5a32912876b22fc74d4e09522dffc848a5d55cb14952383097effa40852

Download Submit
C:\Windows\SysWOW64\XCWVKV\AKV.exe

Filesize
449KB

MD5
83fec9657eb13e74504a6efb3f1aad0e

SHA1
cb2f84288a5435bab248716c0855601ee66a5983

SHA256
8ca4fb9f3830165b3e03b6797ba5f1147fa884e4c4a5f16f6d64620ba670d50d

SHA512
ea7cce2c602497c8c6da31a00f90fb08a4b27d3593ca330dc16937dff518fbb22c89fbd47396a5c8cc740dd2589d2db577b570aaf898bb44c57999512a6f05b7

Download Submit
C:\Windows\SysWOW64\XCWVKV\VBP.001

Filesize
61KB

MD5
1d6f0b3843d17046be7669262085fb67

SHA1
703b2d00731920b77041908ee4ec44ed10d6f8f9

SHA256
88c91de925b84024367fd2a0a2597ef884c16f424771ca1a17780fb4cff7c591

SHA512
23c6e8c94908bce7400527c7ad4bdd030074d45c48421140eeee6a9e156571d5a31c4ad7bb0f2042b2dfceab14f36044c433c0b2d4cdee4dfed1dccb9b28188a

Download Submit
C:\Windows\SysWOW64\XCWVKV\VBP.002

Filesize
43KB

MD5
4207e94e5371e60c5a1c8a3a1bf7169a

SHA1
469d55baaed9f93dd74bdf41383a760fd8690342

SHA256
0caf0bcee50026d048e8c02345be9d6aa387db5245d99c2dcc255c75eccbcec5

SHA512
c85ed60aefd0bc7105760df5d969ab606e1d6775de20b11ef14b454fc27f1308e91111786895e42c38b019f286425f980ac113086809ed3c6babc778af5deec1

Download Submit
C:\Windows\SysWOW64\XCWVKV\VBP.004

Filesize
644B

MD5
89e3b96ba07f77df0f2cb959cd83f075

SHA1
65b9e9b50f91b71f35f2b45d89c78a34a0d90cf6

SHA256
13cab272ff48f6618268f3e53fbc3dfd684f4cfc4c613dff405951fecbd63184

SHA512
cafa36eee35ac080e6ac18df39b0a37daa888a7e5fa0cb830e6b60f589e33b8f7ac01804d2c6594d5d24a117ad85f453c6bc7ed284011f0a3098c6decde37ac3

Download Submit
C:\Windows\SysWOW64\XCWVKV\VBP.exe

Filesize
1.4MB

MD5
3c0034d74caf9846686a2d93fd3079ac

SHA1
949adf7912c74ca8517d70f30b823264a5a7e067

SHA256
55750ec7e5c987dbe2585f0e4b1728999b3bb94d5efd458f4aed75efa960855b

SHA512
5c25cfbbdb2f794a484a2a1d9a454d9b13ab90cba0313ce995330e97516b422524cd388a357d211addfdfcec06d681edf131a3b98839a3f6d3d9863d97ad1399

Download Submit
memory/2832-46-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-64-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-74-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-72-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-70-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-68-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-48-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-54-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-56-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-58-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-60-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-62-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2832-66-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2952-17-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2952-44-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3416-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3416-45-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3416-32-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads