ardamax | fb1e676ff62b35666abf1afa470e23e043ff7596d0313e72dbc822eae4bb88ba

General

Target

JaffaCakes118_503d45ce4500390b8399973771f364bd.exe
Size

847KB
MD5

503d45ce4500390b8399973771f364bd
SHA1

d5e7d73dadf94de5037847ddd7ddc65b7a926e02
SHA256

fb1e676ff62b35666abf1afa470e23e043ff7596d0313e72dbc822eae4bb88ba
SHA512

47887e42aa31fad9b59ac29e6812fc078bed53b7967cbeb18eb56802966f12207ddba8f5bbc0ffe07834185e4cfac484c45f32dfe33a4f7117278d067700eacc
SSDEEP

24576:EBKiQHSxmGBoU/qJsJ2BK4EEq6ZQ05BeV6pUn5jj7:ynI5GSUiaIw4EEOI+6pUB7

Score

10^/10

ardamax defense_evasion discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b91-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	klss.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	klss.exe
212	neverland.exe

Loads dropped DLL 4 IoCs

pid	Process
640	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe
2108	klss.exe
2108	klss.exe
2108	klss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\klss.001	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe
File created	C:\Windows\SysWOW64\klss.006	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe
File created	C:\Windows\SysWOW64\klss.007	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe
File created	C:\Windows\SysWOW64\klss.exe	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	klss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neverland.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2108	klss.exe
Token: SeIncBasePriorityPrivilege	2108	klss.exe
Token: SeIncBasePriorityPrivilege	2108	klss.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2108	klss.exe
2108	klss.exe
2108	klss.exe
2108	klss.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2108	640	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe	84
PID 640 wrote to memory of 2108	640	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe	84
PID 640 wrote to memory of 2108	640	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe	84
PID 640 wrote to memory of 212	640	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe	85
PID 640 wrote to memory of 212	640	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe	85
PID 640 wrote to memory of 212	640	JaffaCakes118_503d45ce4500390b8399973771f364bd.exe	85
PID 2108 wrote to memory of 3776	2108	klss.exe	89
PID 2108 wrote to memory of 3776	2108	klss.exe	89
PID 2108 wrote to memory of 3776	2108	klss.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_503d45ce4500390b8399973771f364bd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_503d45ce4500390b8399973771f364bd.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\klss.exe
  "C:\Windows\system32\klss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\klss.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3776
- C:\Users\Admin\AppData\Local\Temp\neverland.exe
  "C:\Users\Admin\AppData\Local\Temp\neverland.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A539.tmp

Filesize
4KB

MD5
e5fb7457989a4bce5e8b24219b516c6f

SHA1
580ba07dc5c71115cad40fcda27a03f6605464d2

SHA256
5c34a7520cace89cc3b6a1c800e36817462e92ee628c9c1dd2ee34cbd379859b

SHA512
3ddfda190aae244a6a84ae7468b5946db4464e30d48f3db0de67e9bf5c3dadbff05cfb539577083c51bf8efd2098a95bf430278f5430f66691bc785329a0eca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\neverland.exe

Filesize
2.9MB

MD5
d57c6fada3db8d522608a1ea17651099

SHA1
bb06514be34e00094d348c73c7342fa6ea32afd8

SHA256
01317e2aea327446867cc1b6f30d11b03e38267ea40d9b9b66b50377952b11f8

SHA512
379e5c915696dfad865521964f6a8368cfd3c7590c1f235fbac1b2768943b26e85482bc9bb2503a904cf77760681e07539096f5f8544154737de1884888542d7

Download Submit
C:\Windows\SysWOW64\klss.001

Filesize
2KB

MD5
28adc00d8c026e9a43e0b2800dbd59fd

SHA1
1c06694c096ed2d43897e0043406737faa71ad06

SHA256
a6af9fe29a19367ceafc37c9687c2f7001f850ba92a336e466c619029f21b57e

SHA512
6bfc723f595e622f922fafde0223434458df81bdf38891110939a8354aa3428105f2cfe341963ac5801dbe3cf0ffa02ac2ccbfa03eef46fe45df150688ac9cf7

Download Submit
C:\Windows\SysWOW64\klss.006

Filesize
5KB

MD5
db98486706de28b2f52ef5b74feacb47

SHA1
c3298decb5d15adb02016a7c14f39fcf179e33db

SHA256
d74d932e2e6833928a42c8ffa69132758b832f8d3eafef727e3690b441d972cb

SHA512
1d722b668d35b12637c8c427aca422dba828f17b9eb297fef63c3f7d03a4ba2d164fee825dee450208e1fbe2ce830b62060cc8be1b1dd7c41551efcdeb53f1b3

Download Submit
C:\Windows\SysWOW64\klss.007

Filesize
4KB

MD5
7204d2265d5122969600bef372f1d436

SHA1
1e341404855a878f00c7f54d867ae7f587f627b5

SHA256
aaa51161654a83fd74d25fc56d568eff773f78efc4223e2eaded0afc94f5dcec

SHA512
c74c0a4cbb044820094382941f4c967e1a12e22fcb81c77a5497e68f2ec42ba0f6696c78db2db73bab74a148a232ae7c61b6ccb47ded4182df0420d761279cc7

Download Submit
C:\Windows\SysWOW64\klss.exe

Filesize
286KB

MD5
47d45da7bc718cef809ecec470987248

SHA1
9137c8c0e84516bc08daf6b7e08192c7b9e17959

SHA256
d47237c917f006acc443546e338c68bad94c5cfa54eaabaffde0ad2dfbcdaa4e

SHA512
c8f39999ea258021318821a3336125fe1e41993572ec8264885437c689d080b2c606fbeecb72f0c6702e562f9598820d0105fee539cde51d8cf1b17119f4ffe9

Download Submit
memory/2108-22-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2108-33-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing