ardamax | 4a6ab18bf14c50dde51d38789bf9e9c40ff86e411857dbbca0d63c9d548a5edb

General

Target

JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
Size

1.0MB
MD5

6a1b21281c07f4ec9638a13bb548700b
SHA1

0fc9910ac97ae497212221a718ec4f523bf84de3
SHA256

4a6ab18bf14c50dde51d38789bf9e9c40ff86e411857dbbca0d63c9d548a5edb
SHA512

c7d1c395396792a9427f3a91ae533bcfc091027427fd77e4836e525be0afe3d31f69184277ac2aa03addf3cd84b7eacb45ecc0b039b7dbcbefa222ae0f0e5bad
SSDEEP

24576:cTEKijc8BQcWLICUtfMJtcO8ILEIuxKo/Gd/rDftxeSHK5+O3LNeKWuv/k:crqEcWLICyZFIuhGd/rD10SHK5tQ

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca1-14.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TDA.exe

Executes dropped EXE 1 IoCs

pid	Process
3716	TDA.exe

Loads dropped DLL 1 IoCs

pid	Process
3716	TDA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TDA Start = "C:\\Windows\\SysWOW64\\DCCEGF\\TDA.exe"	TDA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DCCEGF\TDA.003	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
File created	C:\Windows\SysWOW64\DCCEGF\TDA.exe	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
File opened for modification	C:\Windows\SysWOW64\DCCEGF\	TDA.exe
File created	C:\Windows\SysWOW64\DCCEGF\TDA.004	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
File created	C:\Windows\SysWOW64\DCCEGF\TDA.001	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
File created	C:\Windows\SysWOW64\DCCEGF\TDA.002	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TDA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3716	TDA.exe
Token: SeIncBasePriorityPrivilege	3716	TDA.exe
Token: SeIncBasePriorityPrivilege	3716	TDA.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
3716	TDA.exe
3716	TDA.exe
3716	TDA.exe
3716	TDA.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 4796 wrote to memory of 2100	4796	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	82
PID 2100 wrote to memory of 3716	2100	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	83
PID 2100 wrote to memory of 3716	2100	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	83
PID 2100 wrote to memory of 3716	2100	JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe	83
PID 3716 wrote to memory of 1920	3716	TDA.exe	93
PID 3716 wrote to memory of 1920	3716	TDA.exe	93
PID 3716 wrote to memory of 1920	3716	TDA.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a1b21281c07f4ec9638a13bb548700b.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\DCCEGF\TDA.exe
    "C:\Windows\system32\DCCEGF\TDA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\DCCEGF\TDA.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DCCEGF\TDA.001

Filesize
60KB

MD5
a15c556f17d7db8287e023138942d5db

SHA1
880bf8ec944120830dc2e2e040e5996e4e0e6c83

SHA256
f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

SHA512
930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Download Submit
C:\Windows\SysWOW64\DCCEGF\TDA.002

Filesize
43KB

MD5
daabecdfba287a3333b60ae82211acd7

SHA1
e67b4c7bf0dd71ad47263a58bb60be4bce504b84

SHA256
12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

SHA512
937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Download Submit
C:\Windows\SysWOW64\DCCEGF\TDA.003

Filesize
65KB

MD5
50148e8898154d41dca9bbb93d89b26e

SHA1
0821bb26168c7fc10dbd2dc689bc9fa4d7921a9f

SHA256
3914b3af63db284678a342c124410143ba35926f72ea47c71af7776b50f1f9a2

SHA512
97365b487e9961b06eb7a3d0e26963dc4d1236a3174af6d8287dd2d31db34ece59ec0dd4fb193d2e320cc53a4f83676a64f0069cfbdce19ea9aa3ea2478fe583

Download Submit
C:\Windows\SysWOW64\DCCEGF\TDA.004

Filesize
1KB

MD5
dc37808e4d853b9893a4a1ce4066e8cc

SHA1
9562412276396d18c0b12c9385b4c1cfc7be786b

SHA256
a033a2a56aec06708f6b0bf437554c25320c3d34385e3e504873fccf81a26bf9

SHA512
637642c5f3049a91829856a6aff807f46f750eb20b3bd7c7bbb7bab32900763e271e5127892b50d58246014f9101ba19dd721d7cf57799f21699cc0d646dc71a

Download Submit
C:\Windows\SysWOW64\DCCEGF\TDA.exe

Filesize
1.7MB

MD5
f3819a6cab8ae058254c4abb3844d87e

SHA1
0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

SHA256
3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

SHA512
dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

Download Submit
memory/2100-9-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2100-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2100-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2100-25-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2100-4-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3716-26-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/3716-28-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/3716-29-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads