ardamax | b3ba59dcd59a9ca660792d77ed49d2ef3ef03b588c3c0cbc3c28eb327aa96675

General

Target

JaffaCakes118_78c82bfa843649efd961288a07c76425.exe
Size

499KB
MD5

78c82bfa843649efd961288a07c76425
SHA1

4066208f57cf650b6a265b50e1bcff3463e4fa8d
SHA256

b3ba59dcd59a9ca660792d77ed49d2ef3ef03b588c3c0cbc3c28eb327aa96675
SHA512

3c41df102ecbe99cd0c4f6b7c9c35d1f5509faf55802cd4eec01f8e58d1754b85c5da58a8ec1feda90d0303b76f39981db389b0f885314aec9ab9907f26af88a
SSDEEP

6144:qG6vyhUywhCjJGtrFOXy6MqG44Ctyn7swTRZp9wSM3ceMB+mHzgNLo4ErprTz9Lw:qLpYoPq7txwTRCCeeil49TKVd

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7e-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe

Executes dropped EXE 1 IoCs

pid	Process
1080	DXDU.exe

Loads dropped DLL 1 IoCs

pid	Process
2296	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\DXDU.001	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe
File created	C:\Windows\SysWOW64\28463\DXDU.006	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe
File created	C:\Windows\SysWOW64\28463\DXDU.007	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe
File created	C:\Windows\SysWOW64\28463\DXDU.exe	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1432	1080	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DXDU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1080	2296	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe	83
PID 2296 wrote to memory of 1080	2296	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe	83
PID 2296 wrote to memory of 1080	2296	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe	83
PID 2296 wrote to memory of 3468	2296	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe	85
PID 2296 wrote to memory of 3468	2296	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe	85
PID 2296 wrote to memory of 3468	2296	JaffaCakes118_78c82bfa843649efd961288a07c76425.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78c82bfa843649efd961288a07c76425.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78c82bfa843649efd961288a07c76425.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\28463\DXDU.exe
  "C:\Windows\system32\28463\DXDU.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 516
    3⤵
    - Program crash
    PID:1432
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\first reed this.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1080 -ip 1080
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@7251.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\first reed this.txt

Filesize
70B

MD5
fd9e26aa68a1d5743d3935797c78f97c

SHA1
a8fd97fdc258fc4234510ce522910dc7c934b90a

SHA256
cbe3269319af150eaad2ffe8791527c3ed3f0d3e9cef3dbdf8f1f7b16326873e

SHA512
2fb88e130584641fc050446ebcb12e2613e277862a3a9cf9634c9365d59ae6f8142a3832a2727291d1cc151f58d081557aab965695d1d40599b5c1b1dbf04dcc

Download Submit
C:\Windows\SysWOW64\28463\DXDU.exe

Filesize
483KB

MD5
0f4d1a1a047534a950e6858787e49748

SHA1
808a216779059e635e374c0a884f129fdec1e86f

SHA256
032d78a9b85f85716efbca9a24092d414c78df5ac92a907beb4a83cb5ec33c99

SHA512
c1660c164b317db3a4197c281928c6c6396a729e621a39c6c967c8563eed95d741678d5b2c31217155f302d3335c1f139d53ace790ba76dae4e7a848bc01fffc

Download Submit
memory/1080-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1080-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing