ardamax | ce128edffa617b6a7f3f2f026edf1006f513cce6bffed1d2dbb2822ed04a0146

General

Target

JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
Size

1.4MB
MD5

929d09ff18ff8d9c20ef83f909fa0da5
SHA1

cd975090ef80b4bbce53e6ef453da3d083ca87a3
SHA256

ce128edffa617b6a7f3f2f026edf1006f513cce6bffed1d2dbb2822ed04a0146
SHA512

4903ee2f32b329beca583df87dc96edf1b648d3b9d170f7d1dd983a040a2452e8bd0d3cea21183ade81830dc0a9d3582bc1d5473ff6ea3d1f3cbf01b66b4f594
SSDEEP

24576:Ckjc+wyNU7od/Z0shLxMypfybLVC9PzBRXPuiO7o6mTAyhIo490ZK5vY8NF8mAcq:CkjcQU7ah9tIg9zBR/SaDhIonkvpAcwD

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b50-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe

Executes dropped EXE 2 IoCs

pid	Process
1948	SFKB.exe
4804	Revolution.exe

Loads dropped DLL 10 IoCs

pid	Process
1976	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
1948	SFKB.exe
1948	SFKB.exe
1948	SFKB.exe
4804	Revolution.exe
4804	Revolution.exe
4804	Revolution.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SFKB Agent = "C:\\Windows\\SysWOW64\\Sys32\\SFKB.exe"	SFKB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\SFKB.001	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File created	C:\Windows\SysWOW64\Sys32\SFKB.006	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File created	C:\Windows\SysWOW64\Sys32\SFKB.007	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File created	C:\Windows\SysWOW64\Sys32\SFKB.exe	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	SFKB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2176	4804	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SFKB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revolution.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1948	SFKB.exe
Token: SeIncBasePriorityPrivilege	1948	SFKB.exe
Token: SeDebugPrivilege	4804	Revolution.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1948	SFKB.exe
1948	SFKB.exe
1948	SFKB.exe
1948	SFKB.exe
1948	SFKB.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1948	1976	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	86
PID 1976 wrote to memory of 1948	1976	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	86
PID 1976 wrote to memory of 1948	1976	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	86
PID 1976 wrote to memory of 4804	1976	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	87
PID 1976 wrote to memory of 4804	1976	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	87
PID 1976 wrote to memory of 4804	1976	JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_929d09ff18ff8d9c20ef83f909fa0da5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Sys32\SFKB.exe
  "C:\Windows\system32\Sys32\SFKB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\Revolution.exe
  "C:\Users\Admin\AppData\Local\Temp\Revolution.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 712
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4804 -ip 4804
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8B96.tmp

Filesize
3KB

MD5
14c3321783fac66161b308d34c5b0eac

SHA1
021b4f77e27d6e0b032158936a752e27cdde09fa

SHA256
09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21

SHA512
9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revolution.exe

Filesize
2.3MB

MD5
ed5e167bb7bf13ea0dd5a85cc05bb5b7

SHA1
f9460106df307d8b0558aa0c6cdc5b57acb36e62

SHA256
a2d8a23e08bfa3b4f3a19112313c7331f6053266d5f6fa69d2ab258a06be1168

SHA512
6bf2d006ed5192bb3980e7bd7c89074f2e74e180a09887cdb1c28b179c159381761797ebbe5d98bac03276633f2de41d739cf2f2499cae9d107dd2ffea59ace4

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
53a578b112aeb18c5993556d4440ade1

SHA1
e51f2fcc784def3cc5ff594edfee5e25f1e9818c

SHA256
9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156

SHA512
31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

Download Submit
C:\Windows\SysWOW64\Sys32\SFKB.001

Filesize
430B

MD5
92afb41d4a683f053bf3f3128cf52582

SHA1
a7ca614020770782af2b76ce4b02689fb3e4059a

SHA256
2b25c7f3a3406c6f6e9bd0a6364303bf98cafeaf8eca9dd2a487de8943aaea62

SHA512
95e5f8f7a8b31020e30ce716663f06216039fa49869a6ad149f13896be6913421954355bb9d9c015612294671e5ca462ae250964f48bcccb63cdc0448e28dcb3

Download Submit
C:\Windows\SysWOW64\Sys32\SFKB.006

Filesize
7KB

MD5
504f5a7e8447c65bc2218bb3d47c309b

SHA1
5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44

SHA256
81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f

SHA512
b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

Download Submit
C:\Windows\SysWOW64\Sys32\SFKB.007

Filesize
5KB

MD5
22e9e9b13c2c676bec39178311d55253

SHA1
da60379e518feeb798005065dcf626a74afe1848

SHA256
3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14

SHA512
1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

Download Submit
C:\Windows\SysWOW64\Sys32\SFKB.exe

Filesize
475KB

MD5
9c3ff825312190802dc56c7b0d0ccebd

SHA1
58e200c00382b3d13c81c9e829da065ed45f5928

SHA256
e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4

SHA512
513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

Download Submit
memory/1948-34-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1948-46-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4804-41-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/4804-45-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads