ardamax | c6fc65385178249668171fed48e5e181fc2d4639236accae70038f7b9e4f83bb

General

Target

JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
Size

412KB
MD5

174369d77153f3486c5052562ab45c17
SHA1

acdbe1e00cba24ee96136509954f5045c4cf5343
SHA256

c6fc65385178249668171fed48e5e181fc2d4639236accae70038f7b9e4f83bb
SHA512

03f80b2b115ec35df6d072ce46c4a637ff5f456d71b3fbf2bc21f23c47e4d80e29235455eca3659c65ccb22ff23c4df4819354c0d7a18836ad28f68cab742fdb
SSDEEP

12288:i0AfEnZcqwIt1z3rxbXXwoPhkA89WEkAPiBZCGNK4P:+QZcfgtb9woJkJ9Wl+iBZHNK4P

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca2-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe

Executes dropped EXE 2 IoCs

pid	Process
1884	PWUC.exe
4964	TibiCAM.exe

Loads dropped DLL 10 IoCs

pid	Process
1960	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
1884	PWUC.exe
4964	TibiCAM.exe
1884	PWUC.exe
1884	PWUC.exe
4964	TibiCAM.exe
4964	TibiCAM.exe
552	WerFault.exe
552	WerFault.exe
552	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PWUC Agent = "C:\\Windows\\SysWOW64\\28463\\PWUC.exe"	PWUC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463\Language.dat	TibiCAM.exe
File created	C:\Windows\SysWOW64\28463\PWUC.001	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File created	C:\Windows\SysWOW64\28463\PWUC.006	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File created	C:\Windows\SysWOW64\28463\PWUC.007	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File created	C:\Windows\SysWOW64\28463\PWUC.exe	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
File created	C:\Windows\SysWOW64\28463\TibiCAM.rtf	TibiCAM.exe
File opened for modification	C:\Windows\SysWOW64\28463	PWUC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
552	4964	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PWUC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TibiCAM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1884	PWUC.exe
Token: SeIncBasePriorityPrivilege	1884	PWUC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1884	PWUC.exe
1884	PWUC.exe
1884	PWUC.exe
1884	PWUC.exe
1884	PWUC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1884	1960	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	82
PID 1960 wrote to memory of 1884	1960	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	82
PID 1960 wrote to memory of 1884	1960	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	82
PID 1960 wrote to memory of 4964	1960	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	83
PID 1960 wrote to memory of 4964	1960	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	83
PID 1960 wrote to memory of 4964	1960	JaffaCakes118_174369d77153f3486c5052562ab45c17.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174369d77153f3486c5052562ab45c17.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174369d77153f3486c5052562ab45c17.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\28463\PWUC.exe
  "C:\Windows\system32\28463\PWUC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\TibiCAM.exe
  "C:\Users\Admin\AppData\Local\Temp\TibiCAM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 812
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@BD35.tmp

Filesize
4KB

MD5
a33680859a24229dc931c0e8a82ae84a

SHA1
dff1e7e7160ffbfaae221cd3a85de40722fddde6

SHA256
d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

SHA512
a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TibiCAM.exe

Filesize
596KB

MD5
b6e194788efe686f969a02de97e88429

SHA1
84f45bc686e7eba9f3365cbcb1ae3cb5bcef713c

SHA256
1333092038762ffd7ceb1b9808a6102cd04f2961c57ef0bac71dd9e4205e7bab

SHA512
f4ffebb62871b182d4c7a7e6b81a3288394285f4ac22c442629f1bb94574840ef06c7a67b973a0efce45e8983f2f152f56f9a906b4d37e83c931af7c945f48e5

Download Submit
C:\Windows\SysWOW64\28463\PWUC.001

Filesize
494B

MD5
c9142751967f14acf8d40bb0701316a1

SHA1
29e8ebbde573fb7eb1abc639767297ac2ff59cfa

SHA256
595ee4a93d9cff04101c0fbb4bb17646c3027f726c2c2202772cb7fb2ac67f68

SHA512
1437f09a46c7285f60d0bfea0025933d727840b56ef8e476850abfcf287b6fc2e8f853ac019332a97145612535add20fd129b0058e4d688ba42ff54ef48931bc

Download Submit
C:\Windows\SysWOW64\28463\PWUC.006

Filesize
7KB

MD5
46e0f5831dfe24c3105ef20190c5f0d7

SHA1
dbd701062695f9df971bffc1fa433eb18ef61727

SHA256
d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

SHA512
3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

Download Submit
C:\Windows\SysWOW64\28463\PWUC.007

Filesize
5KB

MD5
70c68ec7e4e7f18abf35d47976a47f0f

SHA1
f1263f67e712760e055833d3030ed4583611ad6f

SHA256
cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

SHA512
80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

Download Submit
C:\Windows\SysWOW64\28463\PWUC.exe

Filesize
471KB

MD5
328ef8c28309203cfbe5655274d5ea48

SHA1
403399787e94f7d4e3c8e237e25399263e9f4047

SHA256
0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

SHA512
93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

Download Submit
memory/1884-28-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1884-36-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads