ardamax | bd2f9149b4f60521071a3b9291435258d7585aee30b487dad53c05cd9ac74738

General

Target

JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
Size

624KB
MD5

bbc5fe6e503d26b383d1d8cf58b8c7eb
SHA1

d84cba222562337c6ec9f2cfe25a11a0f7af0863
SHA256

bd2f9149b4f60521071a3b9291435258d7585aee30b487dad53c05cd9ac74738
SHA512

809e8f3e8252895afe657f1abecfb31f88206ccc125b6066f7573eff633ea09a855fb2718b6c9eec56b9fb05cf7f0f4b3f426c7a2bd8d2d5c319cab370a2c8a3
SSDEEP

12288:1e4wCG9wNPyEUv5hdXKbcCbJ9I1q3nXPbpmCtgyG1XrE7UBSY1:84wCGpN5hkK1q3nXP1D/QggUY1

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023d80-12.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	1172	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe

Executes dropped EXE 2 IoCs

pid	Process
1076	YNS.exe
4724	Mensagem da VOXCARDS.com.scr

Loads dropped DLL 7 IoCs

pid	Process
2376	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
1076	YNS.exe
4724	Mensagem da VOXCARDS.com.scr
1076	YNS.exe
1076	YNS.exe
4724	Mensagem da VOXCARDS.com.scr
4724	Mensagem da VOXCARDS.com.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\hpztsb02.exe"	Mensagem da VOXCARDS.com.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YNS = "C:\\Windows\\SysWOW64\\YNS.exe"	YNS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YNS.001	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
File created	C:\Windows\SysWOW64\YNS.006	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
File created	C:\Windows\SysWOW64\YNS.007	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
File created	C:\Windows\SysWOW64\YNS.exe	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	YNS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YNS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mensagem da VOXCARDS.com.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1548	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1076	YNS.exe
Token: SeIncBasePriorityPrivilege	1076	YNS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1076	YNS.exe
1076	YNS.exe
1076	YNS.exe
1076	YNS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1076	2376	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	90
PID 2376 wrote to memory of 1076	2376	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	90
PID 2376 wrote to memory of 1076	2376	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	90
PID 2376 wrote to memory of 4724	2376	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	91
PID 2376 wrote to memory of 4724	2376	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	91
PID 2376 wrote to memory of 4724	2376	JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbc5fe6e503d26b383d1d8cf58b8c7eb.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\YNS.exe
  "C:\Windows\system32\YNS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\Mensagem da VOXCARDS.com.scr
  "C:\Users\Admin\AppData\Local\Temp\Mensagem da VOXCARDS.com.scr" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4724

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDNFMDBCMjEtRDFFNC00MDk5LUE5QUYtOTBBMTlDRDAyQTdEfSIgdXNlcmlkPSJ7NjRCMUUyNkUtMzdGQS00RkUwLTk5QjQtRUIwOUZFNDYwREE3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjEzMEIyN0EtODJBQi00QzBBLTlEREQtMjU2ODNFMjk1QjIxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTU2MzA2MTY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@CA64.tmp

Filesize
4KB

MD5
683f1f1e72a9fd91018e379b0f45c646

SHA1
e715798afee630bca17bd35e382626399e608788

SHA256
0770043fa8f879787c32f97e915295320738b28dc5c7a07a033df6d9ac5b4e50

SHA512
490a8fcc256fb97bdaf0ef7a243998338b3796db448874ed85613a087e16a9e1b0105af3deb57e18db253e550e5c8a0fd02dba1e52f4959937ffb6c587e3b8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mensagem da VOXCARDS.com.scr

Filesize
453KB

MD5
87d7325247e44aa3fe7c2469402887b7

SHA1
600ab0443e062b607210c6b389b788b558d52362

SHA256
d4ca9400c58d9caa3c2102fe309af208173842e9ed7f48ba7cd8d499412daed6

SHA512
900f66cb69acbdcf181556dce59592b251afafee58059756deddcadb579126272cc1cb4cab3d2a01dc2475dc44d4a1a7e0abfd8e46e62158878a693641d83413

Download Submit
C:\Windows\SysWOW64\YNS.001

Filesize
2KB

MD5
9504da7fb1828c9d20da49fb95064252

SHA1
7975798348ab31e2eacfb4ec48fec5ffe7f7b808

SHA256
046194e9ce1371604443f54e37083f3fdf9b6793d418345d6ab428c2adf7f36e

SHA512
dbb2b214bd93060065fb68de209ee3086ead23dd3a43e60eddfd0887f7e29a33f4af066e36c59d0ed3ff41587ec4de4dbfa38f708149cd5d592135139f282c65

Download Submit
C:\Windows\SysWOW64\YNS.006

Filesize
5KB

MD5
b8e130b146557e640cb3e198f3d9110e

SHA1
c1cbebfce4e3af8ced7d1019586e91c371432d78

SHA256
3dbca63a39382e4c25d0b02e668ba72c5c81071bb62937ec939325f1f89926a1

SHA512
bc858367e64188c3a365fff4c7986e86d6d666651b2421e3b96fe06836aede073f2228349f66f1836e6ef98bb8e5120354c54a0fb13059e5b875bbf34ed7868f

Download Submit
C:\Windows\SysWOW64\YNS.007

Filesize
4KB

MD5
097c525e86f64364479227f1603a0221

SHA1
c84897900f59cbff5f607368ceba93bfc5273998

SHA256
1b62745c0181f36b7c0227225da12c0d357fd6f14ff8a0ea8484fd4a9c6bf766

SHA512
b52b9d51c3bb50fab292c8bf13d2d87694391481742830c266f4512b2e33a16b852cdbf3faea7f5945b60415a12d1d6a0e9319500cb769b12e0a03357f66ef12

Download Submit
C:\Windows\SysWOW64\YNS.exe

Filesize
295KB

MD5
2b8def730c5bab9d9b58e117af9fb84a

SHA1
090c2c4f0309895bad639ba1c0af21d1eb70d987

SHA256
759f339edba9126cd77ee621e6852f281b9a3190bc4aa17711164bac5ece41a7

SHA512
809aa7300e4bef33489f4166fd5b8245a9b9523c9fd908a37b51a0384966f8f036ac09fbca3730bb04b98ff976c17380ddc4c2ed75dbda51350f049b3d0bf48a

Download Submit
memory/1076-19-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1076-37-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4724-26-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/4724-31-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/4724-27-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/4724-25-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/4724-38-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/4724-40-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/4724-41-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads