ardamax | c56ad6b5358fde733c12853fd16ec61b206ebb985085e0a403439477fa351213

General

Target

JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe
Size

168KB
MD5

6609e9e6b2400c5c12e4b7ca1131f8c0
SHA1

f7a8ff4d5b9642572ed1113fcbab4a68d45e05f2
SHA256

c56ad6b5358fde733c12853fd16ec61b206ebb985085e0a403439477fa351213
SHA512

21122de7d695d323d4f099268aa6846579b999d8e6683a107a94b0972839e3adc4cc7b404b379d548fdaaa47871c02d156e6921268f5edd164faac5f2d36eb4b
SSDEEP

3072:GCNmpyGcdbqFQqkJv9K3qq0pjFf7GGh/gBGYU+yhFA1bxcYh5x3fTNkaRSNUurNj:TmpyGEqFZeCUJFTbKnUTi11cYdPOhNnJ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c7e-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	Eamx.exe

Loads dropped DLL 2 IoCs

pid	Process
4792	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe
2476	Eamx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Eamx = "C:\\Windows\\SysWOW64\\Eamx.exe"	Eamx.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eamx.001	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe
File created	C:\Windows\SysWOW64\Eamx.006	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe
File created	C:\Windows\SysWOW64\Eamx.007	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe
File created	C:\Windows\SysWOW64\Eamx.exe	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	Eamx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eamx.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2476	Eamx.exe
Token: SeIncBasePriorityPrivilege	2476	Eamx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2476	Eamx.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2476	Eamx.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2476	Eamx.exe
2476	Eamx.exe
2476	Eamx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 2476	4792	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe	86
PID 4792 wrote to memory of 2476	4792	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe	86
PID 4792 wrote to memory of 2476	4792	JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6609e9e6b2400c5c12e4b7ca1131f8c0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SysWOW64\Eamx.exe
  "C:\Windows\system32\Eamx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A6B0.tmp

Filesize
4KB

MD5
e5fb7457989a4bce5e8b24219b516c6f

SHA1
580ba07dc5c71115cad40fcda27a03f6605464d2

SHA256
5c34a7520cace89cc3b6a1c800e36817462e92ee628c9c1dd2ee34cbd379859b

SHA512
3ddfda190aae244a6a84ae7468b5946db4464e30d48f3db0de67e9bf5c3dadbff05cfb539577083c51bf8efd2098a95bf430278f5430f66691bc785329a0eca2

Download Submit
C:\Windows\SysWOW64\Eamx.001

Filesize
81B

MD5
35e4e23995b9c3a11fcdeb36d375ba97

SHA1
326a45c5a937df7a1ecaf45577c0f6a189c4bfa8

SHA256
5a618884539f4f8c084e7b881bd3d714e0c8651e2402979b29013d0595dbf7c1

SHA512
87ed226fd11a90b98847bd866b5ffdf9499f66700635a9dae9bd18a2c98cb5f567e88f49ee73c6a881d9693bd3cc1888d55c3f7f164d883a1e2a7e3cf94acfe6

Download Submit
C:\Windows\SysWOW64\Eamx.006

Filesize
5KB

MD5
db98486706de28b2f52ef5b74feacb47

SHA1
c3298decb5d15adb02016a7c14f39fcf179e33db

SHA256
d74d932e2e6833928a42c8ffa69132758b832f8d3eafef727e3690b441d972cb

SHA512
1d722b668d35b12637c8c427aca422dba828f17b9eb297fef63c3f7d03a4ba2d164fee825dee450208e1fbe2ce830b62060cc8be1b1dd7c41551efcdeb53f1b3

Download Submit
C:\Windows\SysWOW64\Eamx.exe

Filesize
286KB

MD5
47d45da7bc718cef809ecec470987248

SHA1
9137c8c0e84516bc08daf6b7e08192c7b9e17959

SHA256
d47237c917f006acc443546e338c68bad94c5cfa54eaabaffde0ad2dfbcdaa4e

SHA512
c8f39999ea258021318821a3336125fe1e41993572ec8264885437c689d080b2c606fbeecb72f0c6702e562f9598820d0105fee539cde51d8cf1b17119f4ffe9

Download Submit
memory/2476-19-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2476-22-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads