ardamax | ea19a14c3aa72d8091fb61bbcd2f931aec0cdb45b971e3ef11d825cdd6e76b36

General

Target

JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe
Size

327KB
MD5

a61a8ddafa7ed068d6a5e6b4e96fbade
SHA1

e448f68dfeb935c9d3a3343b2e691d6f2f9c6910
SHA256

ea19a14c3aa72d8091fb61bbcd2f931aec0cdb45b971e3ef11d825cdd6e76b36
SHA512

d1d48b4014734c4fbbc7e8240fa2a749e5012f0b10c6c9e7f0bdd802ef0abc6165719e1c5b764c2958a7173a80d02e9be0a1a836dee44509343ed7fb58008564
SSDEEP

6144:kmpyGG+hzvmAdB5R5HCDONBof6ib1BYK7qQGq/itmF4Cwky+IQ3+FrMT0ys:k1OyAl22BoiibTYOqQGdewhlrM8

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c8b-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe

Executes dropped EXE 1 IoCs

pid	Process
1964	TND.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe
1964	TND.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TND = "C:\\Windows\\SysWOW64\\Sys\\TND.exe"	TND.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\TND.006	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe
File created	C:\Windows\SysWOW64\Sys\TND.007	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe
File created	C:\Windows\SysWOW64\Sys\TND.exe	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe
File opened for modification	C:\Windows\SysWOW64\Sys	TND.exe
File created	C:\Windows\SysWOW64\Sys\TND.009	TND.exe
File opened for modification	C:\Windows\SysWOW64\Sys\TND.009	TND.exe
File created	C:\Windows\SysWOW64\Sys\TND.001	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TND.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1964	TND.exe
Token: SeIncBasePriorityPrivilege	1964	TND.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1964	TND.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1964	TND.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1964	TND.exe
1964	TND.exe
1964	TND.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1964	1752	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe	85
PID 1752 wrote to memory of 1964	1752	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe	85
PID 1752 wrote to memory of 1964	1752	JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a61a8ddafa7ed068d6a5e6b4e96fbade.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\Sys\TND.exe
  "C:\Windows\system32\Sys\TND.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@B853.tmp

Filesize
4KB

MD5
fec74da36beb4457716675804f74221c

SHA1
1c02ce33852f00dd896b4bb1d93fbba663dd329d

SHA256
e47ac7649f18595fbd2281a8cdff82a2b488b8dd56bc1ae88930b521f24b1c89

SHA512
64b1d6912b2d6336f2ec7abd240215c842970eece0007afb4c939cf40becb437d6d6708d840035c935d96742918de07b52a96708388cbcda438e8c56d49ede06

Download Submit
C:\Windows\SysWOW64\Sys\TND.001

Filesize
3KB

MD5
9d3f7ef38ffaf63e61c32d8408c3aa5e

SHA1
03548a2feeaf4932af2ce37779a247aa2cc1e192

SHA256
d128c6f6f542dc6bc55827027e864e7ced49b846951ced0ba6111ba2df67fb27

SHA512
e9021b2c44450446b1f30d012352df69bd34848af9edf2b670f30e411d11bb6af5850beef95b6bfa078ed493e67c05a0e723aee7423d59235beed147b793bf74

Download Submit
C:\Windows\SysWOW64\Sys\TND.006

Filesize
5KB

MD5
81684ae4865ec5f66d24e892b03cdb28

SHA1
71e0129317001cbf9fc0876a6ea15886c0caa987

SHA256
b036f867ef31023198260a6610a57cc9148a547103b17de934e607aca580eb23

SHA512
adac78672fa35ad5aef8afac26c6360f06f98783fc3527c558b6fcadfd6d22b06ef4a8c0f6c076da3b270f83265eb4d20d58fc514932ad3d16554c3fd33f4fec

Download Submit
C:\Windows\SysWOW64\Sys\TND.007

Filesize
4KB

MD5
ac152720163090f4c0fb7f5c7e1638dc

SHA1
4fec3f24e3f9221c7c7cf918d7507586bf0cf48a

SHA256
fdc0467059610b4055818e2e499c1ed17705397383a61245917bb93ba0f8e3ef

SHA512
d62d827530d421735e95620f57230b1d7376a1055ddfb32d00db8df7764618f442a5166bdb765babf85695b7138ac7c4c71c231e5c745ed7d8113e6394acd301

Download Submit
C:\Windows\SysWOW64\Sys\TND.exe

Filesize
459KB

MD5
b7a532f4b00925d636882e80f49305a8

SHA1
ae88858ea8c3a7ba2ed373cb104ef2152fb44b54

SHA256
f417f9088e6c39c418ecf8efbf0038362945788838bd7e67efd89199ada15ccd

SHA512
551fe3425b17f29b1c8157b2fdf6c6c0ed15c655bc14e9b73ec38209c55191444762eeef61ae933047079243b9487f92b649f5852b3f22d4bac5d070f523b706

Download Submit
memory/1964-22-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1964-24-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads