ardamax | dac99b3f7bca64c10334202ee05fd698d45b638da793eb3db5cc0bf18a5f80ba

General

Target

JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
Size

555KB
MD5

4e534732c2e89e5592d0fac5a7b510d5
SHA1

d7859363b43d332ffbbb2c31cffd030258a0f2cf
SHA256

dac99b3f7bca64c10334202ee05fd698d45b638da793eb3db5cc0bf18a5f80ba
SHA512

db73c1767dfaaf8e18ee8ab23370dc4fe8aaf0d249da1db140279571832f9962f5f72293c3548f3d4dfbb0e29de8495c0c3a0b19148743309dff4d320951b509
SSDEEP

12288:jneXedgDU+A5AZPuW5DMxSRY0sQhZICF/e16m217C:iXgKU+AaPuKMx2YGgC9m07C

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c7c-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe

Executes dropped EXE 1 IoCs

pid	Process
880	BEPG.exe

Loads dropped DLL 7 IoCs

pid	Process
3436	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
880	BEPG.exe
2676	NOTEPAD.EXE
880	BEPG.exe
880	BEPG.exe
2676	NOTEPAD.EXE
2676	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BEPG Agent = "C:\\Windows\\SysWOW64\\Sys32\\BEPG.exe"	BEPG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\BEPG.001	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
File created	C:\Windows\SysWOW64\Sys32\BEPG.006	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
File created	C:\Windows\SysWOW64\Sys32\BEPG.007	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
File created	C:\Windows\SysWOW64\Sys32\BEPG.exe	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	BEPG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BEPG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2676	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	880	BEPG.exe
Token: SeIncBasePriorityPrivilege	880	BEPG.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
880	BEPG.exe
880	BEPG.exe
880	BEPG.exe
880	BEPG.exe
880	BEPG.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 880	3436	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe	82
PID 3436 wrote to memory of 880	3436	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe	82
PID 3436 wrote to memory of 880	3436	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe	82
PID 3436 wrote to memory of 2676	3436	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe	83
PID 3436 wrote to memory of 2676	3436	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe	83
PID 3436 wrote to memory of 2676	3436	JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e534732c2e89e5592d0fac5a7b510d5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\Sys32\BEPG.exe
  "C:\Windows\system32\Sys32\BEPG.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:880
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Crack.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8879.tmp

Filesize
3KB

MD5
2faa832b62991d302b56093477a76363

SHA1
2a26e0173a78c9c106ea799cce92ea163b44a345

SHA256
a2076664d1267efa8b69a307b0cbde8521631f2789e06f5caa96799e7f34de48

SHA512
20da18fb1350a441517498a1efeae9a21ead7592f9cdae724973c58385765100a2de5651fa991cdcc4668be777fe26bfba969dbc9706f16a54f5be258a84f347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack.txt

Filesize
51B

MD5
e9635b4af57cd80242523b0f0152a3cd

SHA1
16a15ede39d98bc85dcb99e161bfc1ec382a6e77

SHA256
b88272ca83364f989f3d86b8b38cf94e86d4c9015b0ecd48db2c4679b7baef8b

SHA512
5fcccb024bbe08ded53b511d9d792db20d79d414fc84d3d02b9147443fa24ce9445238a96b39ad07185e1d39b331694956c9e5421eecb4931ee6967bdd12b44e

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
0a4d2002c7355a6c0d8e846fe02e7e89

SHA1
cc1bf70d3d718d3d3dc1b43405d36285933feac7

SHA256
be2cc3bda4c0e231ebae65a7c79ed1313d422e5fb2f871330080f8ca1792e455

SHA512
9e229232bbc8e4faa0ea63e1069000c2e1582a5d7b72abb5535b003d339a0984b08a34a86b36e17dad61277f0456fe98fab2dbcd2db493feee927892ef7cba57

Download Submit
C:\Windows\SysWOW64\Sys32\BEPG.001

Filesize
474B

MD5
a13e5ba68584b4af4f702cfe582f5113

SHA1
663e546ea46bb96d212035600a344eef785f5fcc

SHA256
fae347579e55bd0fa413fff7c1e4efaffca631cc84f9cab254a8fdeb7c025636

SHA512
7ea3acaacf3852e5675f5bf85c84dbef46e4623f8921fce6ca62d4c46ea4798f3b629469ce377c0831a8903f4ca888f62168c7768a004cabd418ab2752d15b34

Download Submit
C:\Windows\SysWOW64\Sys32\BEPG.006

Filesize
7KB

MD5
8013928e1446be1b8e77ca35211fd17e

SHA1
c03a6c0516d1763bacc4da535383d3b4ddb506c3

SHA256
d82bb0b7a29a9500a79e52b2ea84ea244f250cc7ff25174aa4ed5826d6b9c828

SHA512
d5e55bb8dda7f44918bafb16098d39e363237053f84377d5d591d9010b0f14a6eb2260f9dd356e32e133ab2a42c1debed0424fbe7de932d8d363ac8a09a7660f

Download Submit
C:\Windows\SysWOW64\Sys32\BEPG.007

Filesize
5KB

MD5
bb3520f108916b0967e74a9167b44925

SHA1
29dd637355ec7d38955af75775a72ac32903d40c

SHA256
f9be7b7c760a59f4d98213f4f80d45e405d1d0ac564d4f880ec820da178d45e5

SHA512
7700bf7e8fd15df753bc83b8e243e4b62095824b8bea3f40d7213a5c6307f17d9fbab2f6c737e19ede5330539014ba6c583b25bd2d58b05f05f23683affe1d53

Download Submit
C:\Windows\SysWOW64\Sys32\BEPG.exe

Filesize
475KB

MD5
3d9eaf31ec5138624f1cf21706264bd6

SHA1
f2c397f042c38862034333ed3c142a54896e0305

SHA256
17c47ecc3481cb85c0336e7bd58f141f54fa1bbe604892c41d3e6a1945b43811

SHA512
a849c329950bb015cc32624968c39c9f3f70fb37500e0292bbccb79a6413d4088d68d481e3c8c2ac0b8975b885387abe581d597892d906e357ac573c3525ed9e

Download Submit
memory/880-23-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/880-33-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads