ardamax | d9d77004855a304157bcbcbf25fe28cdf72b46a588850dea16cbf7ce77c9279f

General

Target

JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
Size

860KB
MD5

17a427946a42858cb79e83fa6cc30140
SHA1

40961292519afe020b7db6573f1bb02690cc7448
SHA256

d9d77004855a304157bcbcbf25fe28cdf72b46a588850dea16cbf7ce77c9279f
SHA512

1375bc4992bd230ce431bbed08f06b4cb40870dac208af79c07d7f22503184c0eadef9a9a3ca6bf243df9c38bc20be4c79dc2100c91130552fcf4744b62c3976
SSDEEP

24576:QCRSrKNLMRSE5wWNxf2t/M6HMwUp7Pbo2ea6m:QCRmgeuWNOk6HMwOSm

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca5-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe

Executes dropped EXE 2 IoCs

pid	Process
648	BTVA.exe
4732	enviador.exe

Loads dropped DLL 7 IoCs

pid	Process
4828	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
648	BTVA.exe
4732	enviador.exe
648	BTVA.exe
648	BTVA.exe
4732	enviador.exe
4732	enviador.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BTVA Agent = "C:\\Windows\\SysWOW64\\Sys32\\BTVA.exe"	BTVA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\BTVA.exe	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	BTVA.exe
File created	C:\Windows\SysWOW64\Sys32\BTVA.001	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
File created	C:\Windows\SysWOW64\Sys32\BTVA.006	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
File created	C:\Windows\SysWOW64\Sys32\BTVA.007	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BTVA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enviador.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	648	BTVA.exe
Token: SeIncBasePriorityPrivilege	648	BTVA.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
648	BTVA.exe
648	BTVA.exe
648	BTVA.exe
648	BTVA.exe
648	BTVA.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 648	4828	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe	83
PID 4828 wrote to memory of 648	4828	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe	83
PID 4828 wrote to memory of 648	4828	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe	83
PID 4828 wrote to memory of 4732	4828	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe	84
PID 4828 wrote to memory of 4732	4828	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe	84
PID 4828 wrote to memory of 4732	4828	JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17a427946a42858cb79e83fa6cc30140.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\Sys32\BTVA.exe
  "C:\Windows\system32\Sys32\BTVA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:648
- C:\Users\Admin\AppData\Local\Temp\enviador.exe
  "C:\Users\Admin\AppData\Local\Temp\enviador.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@B70B.tmp

Filesize
4KB

MD5
dea4d795cffc12e0553011a7676222d5

SHA1
7e92b8858ba3bc5b2e9c4673f80275649a662e72

SHA256
2c5b7076d86922eb75f1f515197f521f9f0d45b739c00a63f5252cb757170e1e

SHA512
a2761ba62b3ee8ef422ad7664971da8922c21699a0c922a575c3c01c66b39eee49fd9f8639f2f4132e444f15dc6d2319e1bb850fe439cc64e918d3bf415fe192

Download Submit
C:\Users\Admin\AppData\Local\Temp\enviador.exe

Filesize
703KB

MD5
306f71a9c30fd5ef45954a3d03555760

SHA1
db69c383e05f3e1122ad43c0239e2724e44de5b0

SHA256
2bcfba4891e5f36257c46faef60de9c0dc9bfb23fe2f5849c608f009a83ba6ef

SHA512
8e637b17472ea65d71158bd433938b1586fc11fd7792b9a3df8125ffdf92d81a3b25f802573d49b466cdf89bdbe9647c313509dbbad8ec330db38156771006b9

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
d9318ccb813912fb2a7d7985e8abf577

SHA1
895eb9477bcc04e2f1c8ea8a17e5c7f866bf993c

SHA256
53b78cce47985aad3fbd8155ba27700f90195ca58fb034ca6ea05dabdf6975fe

SHA512
efc921d27df5737eb8404c65b32a81339244d04d7f3d8610610fdc0a012273065aece7686be60bc994cc601a6bbe8f7654eece5145634d5bc76d64d273ee3201

Download Submit
C:\Windows\SysWOW64\Sys32\BTVA.001

Filesize
430B

MD5
eef17a0a50014f41c8fcbc1e089ae602

SHA1
66ba353b6d7dc47a797c93ea34eda18c74e4e051

SHA256
0137e9aa54747c967b653d980d32cea1d27939dcb04279eaf0100f9951520344

SHA512
283df24234c153f0989f0c060890fe290c3588cccb0964d9f52071032abba62e1831f24659089d725da164e3ad9d2ba8bc5f658150f3adb8fc3fb7b35c5dd9a7

Download Submit
C:\Windows\SysWOW64\Sys32\BTVA.006

Filesize
7KB

MD5
3be36950b4999a5dcb5675ced94abe76

SHA1
f51bbeb3a42743671167a32cfffc4683e4f62f11

SHA256
94b7b4ca983ee77d74e0fe3540ce500ff69110e7cdb97d7482a474e67d193754

SHA512
2634418624b1ffea297500e96fd1897d26d8164e24227b89122167ffcc49bad46074679d75ecb081d6c4d240be3d789c5096a11063178b16270e8176c04a6e56

Download Submit
C:\Windows\SysWOW64\Sys32\BTVA.007

Filesize
5KB

MD5
a99aa01d91919119cb3fa0f01bb76cf5

SHA1
9bc393f0efb2ab03ea5e37db6d1c57539c6b9035

SHA256
9dac1a4e37d390659eca426f9e3a4244d0dc718e6d473c1a74be22b24e91b722

SHA512
871758327ac01cb95ddbba5cb62d7306c7e74dc14f223def627992217660a7e5e3cedc5b762e8f28026fe74dba949ec8bcb78ecb6b44d191ae0d7354a9306af6

Download Submit
C:\Windows\SysWOW64\Sys32\BTVA.exe

Filesize
476KB

MD5
faa80a9d2345270ed469fb25fed79452

SHA1
aac94c09b8fa844937cfcc17f41be2917bd3f533

SHA256
1390bd4539b578b9019efc0eed117f69098c20a9a2ab29c83ed8e00ed2a84d24

SHA512
3a312e981356fe9dad0733591af73b2e7beb234f42dce6ba3875b0d3074c7f95cafbd94bf14368d7fe6a556f99580f509ece7af2d4d85c348efcdeb5d4077daa

Download Submit
memory/648-44-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/648-35-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4732-31-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/4732-42-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/4732-43-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4732-45-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads