ardamax | 8226df556ab325861e3f9798d1da02a2e69d5850c6d5227f47b0d96b83cc30b4

General

Target

fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe
Size

932KB
MD5

fd5f03aeac8aa32d5cc063ba8c0d660d
SHA1

5fdbeacaa997f05db7ea48cd61415d23f7db498e
SHA256

8226df556ab325861e3f9798d1da02a2e69d5850c6d5227f47b0d96b83cc30b4
SHA512

0e7b2b3aed158be48098575a4273ab68405b070f5e7112e080be0b2e3f0388e0c86b4cde53f8a1dd393ac332ce8fa2bd92bf93d269f0c15da74746801fef09a1
SSDEEP

24576:cPeOAFkojOCbmJpppNlziUXCtgWa0yM0kh:gAFNTmrNClyZC

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9b-26.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	Install.exe
4812	SCR.exe

Loads dropped DLL 3 IoCs

pid	Process
908	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe
908	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe
4812	SCR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCR Start = "C:\\Windows\\SysWOW64\\KDXNTY\\SCR.exe"	SCR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aplib.dll	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KDXNTY\SCR.004	Install.exe
File created	C:\Windows\SysWOW64\KDXNTY\SCR.001	Install.exe
File created	C:\Windows\SysWOW64\KDXNTY\SCR.002	Install.exe
File created	C:\Windows\SysWOW64\KDXNTY\SCR.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\KDXNTY\	SCR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4812	SCR.exe
Token: SeIncBasePriorityPrivilege	4812	SCR.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
908	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe
4812	SCR.exe
4812	SCR.exe
4812	SCR.exe
4812	SCR.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 2064	908	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe	83
PID 908 wrote to memory of 2064	908	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe	83
PID 908 wrote to memory of 2064	908	fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe	83
PID 2064 wrote to memory of 4812	2064	Install.exe	84
PID 2064 wrote to memory of 4812	2064	Install.exe	84
PID 2064 wrote to memory of 4812	2064	Install.exe	84

C:\Users\Admin\AppData\Local\Temp\fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd5f03aeac8aa32d5cc063ba8c0d660d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\KDXNTY\SCR.exe
    "C:\Windows\system32\KDXNTY\SCR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
875KB

MD5
7170559bd84b3991553f56c3f4a49fd3

SHA1
8f029313e75343c2058466cf93ad62f4946a4f7c

SHA256
4d484225e7df83624ae81c2b2ecfdd3ebc8d5891532d5c7b0e5707b5d00e1796

SHA512
bc34e7fdc6043db9dc62ff563181017c1c4d2f1428d2aa806dcea8930e2001ddce34695ad80d404d59e6903bcd3e75aeeb1920ef3c385ef66e481d2ec52b6712

Download Submit
C:\Windows\SysWOW64\KDXNTY\SCR.001

Filesize
61KB

MD5
31c866d8e4448c28ae63660a0521cd92

SHA1
0e4dcb44e3c8589688b8eacdd8cc463a920baab9

SHA256
dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

SHA512
1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

Download Submit
C:\Windows\SysWOW64\KDXNTY\SCR.002

Filesize
43KB

MD5
093e599a1281e943ce1592f61d9591af

SHA1
6896810fe9b7efe4f5ae68bf280fec637e97adf5

SHA256
1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

SHA512
64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

Download Submit
C:\Windows\SysWOW64\KDXNTY\SCR.004

Filesize
1KB

MD5
84c73b5eeb86c686cdfac71c65f27cf1

SHA1
1414b380838323816a645aaab2ac1a99e49e09c3

SHA256
e80332eb8b0f6e441f1d512660e6ad1e4f4ae3fe93b22893fd6076177fedc9e9

SHA512
f8ff1a62d1e402d3267a873d5cbbb345e36745ca8a0dc630634ef458eaba6421229ac70724f0696ff856d3eedd0221ed824e28afe439e8e62f16ab20d3503385

Download Submit
C:\Windows\SysWOW64\KDXNTY\SCR.exe

Filesize
1.5MB

MD5
0aaffc12ef1b416b9276bdc3fdec9dff

SHA1
9f38d7cf6241d867da58f89db9ff26544314b938

SHA256
42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

SHA512
bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

Download Submit
C:\Windows\SysWOW64\aplib.dll

Filesize
12KB

MD5
35d174edd3c0bcfa9a32dce19e1abeb9

SHA1
c22638e64f8a5f34809811a2c286ae2f115028f8

SHA256
34194aa58d0eb70b513ea6a876a4f35ba6cc2f19c4fb6d408dd05580dcc74b04

SHA512
f807df3655e6dd0cea2412ae82aa7b3babe3862fa9eee5d38673ee30b26a528b9618e1a25d3a58ef1ff14be36a666fabd32968b5f4dc481539d2372b526c1ead

Download Submit
memory/4812-33-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4812-35-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads