ardamax | fc34808d6b69e771ee0ba123878b763200f83a7a7cdc469e8bc22e02dbd5094c

General

Target

ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
Size

282KB
MD5

ea531d84e1c5965133114b27d62000ee
SHA1

ab74a79ae5dd9037697561977f0b8e27028cf3d8
SHA256

fc34808d6b69e771ee0ba123878b763200f83a7a7cdc469e8bc22e02dbd5094c
SHA512

2a0cb68be5fecede46adffff37ddda620d3ed5e9c6e7fbec669b22ceebc281a49cfd9b707a37495175e46d7bb1a289aabf3293de0adcbaa86464c0863ed466ae
SSDEEP

6144:nlG6ixJL6JMMHntiZh6WCUoSB+qY1qdvow4rimsqWAduFGfI9Z1oXB1YbRH:nlWmSk8yTqz4imsqWMHfqZSXO

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca6-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AJCE.exe

Executes dropped EXE 2 IoCs

pid	Process
820	AJCE.exe
1152	DOB Bruteforcer (habbo.nl).exe

Loads dropped DLL 8 IoCs

pid	Process
2304	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
820	AJCE.exe
1152	DOB Bruteforcer (habbo.nl).exe
820	AJCE.exe
820	AJCE.exe
1152	DOB Bruteforcer (habbo.nl).exe
1152	DOB Bruteforcer (habbo.nl).exe
1688	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AJCE Agent = "C:\\Windows\\SysWOW64\\28463\\AJCE.exe"	AJCE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AJCE.001	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AJCE.006	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AJCE.007	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AJCE.exe	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	AJCE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1688	820	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AJCE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOB Bruteforcer (habbo.nl).exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	820	AJCE.exe
Token: SeIncBasePriorityPrivilege	820	AJCE.exe
Token: SeIncBasePriorityPrivilege	820	AJCE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1152	DOB Bruteforcer (habbo.nl).exe
820	AJCE.exe
820	AJCE.exe
820	AJCE.exe
820	AJCE.exe
820	AJCE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 820	2304	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe	82
PID 2304 wrote to memory of 820	2304	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe	82
PID 2304 wrote to memory of 820	2304	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe	82
PID 2304 wrote to memory of 1152	2304	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe	83
PID 2304 wrote to memory of 1152	2304	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe	83
PID 2304 wrote to memory of 1152	2304	ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe	83
PID 820 wrote to memory of 3144	820	AJCE.exe	96
PID 820 wrote to memory of 3144	820	AJCE.exe	96
PID 820 wrote to memory of 3144	820	AJCE.exe	96

C:\Users\Admin\AppData\Local\Temp\ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea531d84e1c5965133114b27d62000ee_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\28463\AJCE.exe
  "C:\Windows\system32\28463\AJCE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1108
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\AJCE.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\DOB Bruteforcer (habbo.nl).exe
  "C:\Users\Admin\AppData\Local\Temp\DOB Bruteforcer (habbo.nl).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 820 -ip 820
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A160.tmp

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOB Bruteforcer (habbo.nl).exe

Filesize
44KB

MD5
4ab7d597765442295f94d1efa635e2f4

SHA1
d419ddaa981d9f90e68e5e4b5e5f3b9deab7f918

SHA256
6c36357cc35ba64093851f31bf028c4f8ba063fad25fbfff9b5f3d2dcc02afde

SHA512
dc48e254d3b162adb915916ef911b560a2ba04dcd08a5b91d55aace3542afb03d4d7d187a7a0c92e6c6162cfdff21cfa8e7e40da019eb63767e78f4ba5f0feff

Download Submit
C:\Windows\SysWOW64\28463\AJCE.001

Filesize
454B

MD5
228f7589b66df398039886fd3d825b36

SHA1
a05d80de4a33cd1227ba8912249d63849bb28177

SHA256
56f5d9e98474d29b0173687f468011c028ec47e95d74a9b6f906a5baa59a5c9e

SHA512
13853050505c3fdd507f38cf46cb54deb53026b463e26c84c9e32139793b1a7a54934d5cd965f1df5939cb18783f8db0cb1040f4707214154065bf1e9c507c0a

Download Submit
C:\Windows\SysWOW64\28463\AJCE.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
C:\Windows\SysWOW64\28463\AJCE.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
C:\Windows\SysWOW64\28463\AJCE.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
memory/820-33-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/820-41-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads