ardamax | cff7d83527fc620cf1424d28b5670719a8fe2687cade5e14e9a05434407f0840

General

Target

JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe
Size

378KB
MD5

0dc17f724007acda1ca2f36d1be745d5
SHA1

312b8319e2c2e1040447136865d26d68d9c3d8b2
SHA256

cff7d83527fc620cf1424d28b5670719a8fe2687cade5e14e9a05434407f0840
SHA512

896c18db0807ca4daf70d7299dbcdbf14b184295593c921d879fa5f281115f09fb16fe16a380348b86587fc7545e8b4b1a67e15063a9b263c463bfa6301326bf
SSDEEP

6144:LmpyGUJlZvCKwaXreEOC3kBp4eMrS8ElA8Z8Bub81juaCvNJQa:LpnCKwabeh2X3rSRl3Kye16Jh

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b9f-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe

Executes dropped EXE 2 IoCs

pid	Process
4944	NIH.exe
3992	aimb0Yd.exe

Loads dropped DLL 7 IoCs

pid	Process
4056	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe
4944	NIH.exe
3992	aimb0Yd.exe
4944	NIH.exe
4944	NIH.exe
3992	aimb0Yd.exe
3992	aimb0Yd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NIH.007	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe
File created	C:\Windows\SysWOW64\NIH.exe	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe
File created	C:\Windows\SysWOW64\NIH.001	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe
File created	C:\Windows\SysWOW64\NIH.006	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NIH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NIH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aimb0Yd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3992	aimb0Yd.exe
3992	aimb0Yd.exe
3992	aimb0Yd.exe
3992	aimb0Yd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4944	NIH.exe
Token: SeIncBasePriorityPrivilege	4944	NIH.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4944	NIH.exe
4944	NIH.exe
4944	NIH.exe
4944	NIH.exe
3992	aimb0Yd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4944	4056	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe	83
PID 4056 wrote to memory of 4944	4056	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe	83
PID 4056 wrote to memory of 4944	4056	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe	83
PID 4056 wrote to memory of 3992	4056	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe	84
PID 4056 wrote to memory of 3992	4056	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe	84
PID 4056 wrote to memory of 3992	4056	JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0dc17f724007acda1ca2f36d1be745d5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\NIH.exe
  "C:\Windows\system32\NIH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4944
- C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe
  "C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@687E.tmp

Filesize
4KB

MD5
3e52aef4a9e1bbf25dc611e0f5c45934

SHA1
91862bee5ac57eb719cf9bc14c69f9ef5affcbbf

SHA256
1b881b4299a8555f785088bd0e1b6969e76dc470f1f67429678a678c5f8b349d

SHA512
e4bc9fab4d1c555a896936927ff5866634885401a41f2eade5a976311dad3cdc40c0c7229c61925a8b32ae7b69c4c99537dc10baf292375a82a885a7a908a807

Download Submit
C:\Users\Admin\AppData\Local\Temp\aimb0Yd.exe

Filesize
213KB

MD5
876a61a3cd4c2fd90eb4d78a3f6c3eb8

SHA1
23b6f19f7d50f9025e7e870ab71e0e98090a0870

SHA256
0eb717a3ade04361acf91d7298fa545071983f428eb8ef3a012cb89f63045a5f

SHA512
f6807249ee72d0b5048ef53ea9881708230ed178a26750a2ad0ad58928b4770c4cc0c4285dd3c1bcc4cdd0a889edcbee8658d9ffa65f831494ea77427fd79ae8

Download Submit
C:\Windows\SysWOW64\NIH.001

Filesize
2KB

MD5
abe1ed4b26798069d1c28f8f1b8d8b7d

SHA1
83c2f8de213866740dc6ed6a11a27e3c50a8d5bc

SHA256
f395e35395efb1a3be72850f27f8d701a6dba118987f9779bf0a6df77f2e3924

SHA512
de63ce8a7f5fe03815fd6313860eaf03c0240505282ae452ab0ae61422950f1f8f89c0ab0552e15b2d04fd3e81026f1675c13c08949e1aac32dc07f8706a4b06

Download Submit
C:\Windows\SysWOW64\NIH.006

Filesize
5KB

MD5
e98ae645054f00269eaad44b95c4e37c

SHA1
59bcfb291cb15f521e6e5982c12913052b5755b1

SHA256
028e4ef0ed6a7d9792ad2694c56b41ba247e72ef690089142c47bb6e1a693221

SHA512
ae4b1316c9785623944a0bc1884648f1382f3f8fb494927e7c872a72b0786fb5a1d090ebc2d5e468b91c8eef7663b43f73be4a1f65f7d8dd9bdaa6dfc694a35e

Download Submit
C:\Windows\SysWOW64\NIH.007

Filesize
4KB

MD5
ea32497496dd6b80be1c47fe5fac1fcf

SHA1
2bf9bee8e0f83b6785188a91047695ebcdf342da

SHA256
370a94fec91220668a370c2dcd0d2ac10c3f0a1d1befc7fee50db6f5e0b99676

SHA512
353d11071b695fe23080bc6d5cb5dc557b59b152b42921daec6f4124f9e8bb58555ac30c5ec96dae31871ff3d2416e91690b5f862d4feb5e7b038a996c8a1ff3

Download Submit
C:\Windows\SysWOW64\NIH.exe

Filesize
295KB

MD5
decf3769c920a9b642f56e24933cdf81

SHA1
930ddaf6b310fa2b3569580ff671e91d80b8b11b

SHA256
46a451f14816a0dc46d392158d1507f5806fe76e9fc9f0080d00d0b3dd26183b

SHA512
2807345e5ae0438c0bd41c3d0b6b09e3d1c04d0397e5e990d614125a14b6100de3c3f5bebab168f5654d6823eef5dbfd5a878aa0de64eec13bb546c8c32b8cb2

Download Submit
memory/3992-36-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/3992-33-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/3992-43-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/3992-42-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3992-41-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3992-32-0x0000000002850000-0x0000000002892000-memory.dmp

Filesize
264KB

Download
memory/3992-40-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3992-39-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/3992-38-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3992-37-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3992-30-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3992-35-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/3992-34-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/3992-44-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3992-67-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3992-49-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3992-48-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3992-57-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3992-61-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3992-59-0x0000000002850000-0x0000000002892000-memory.dmp

Filesize
264KB

Download
memory/3992-60-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3992-63-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3992-66-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3992-65-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/3992-64-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3992-62-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/4944-58-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4944-31-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing