ardamax | e776426fb9c225dd40d4ca585a4be11c4ca868e8a4b604ded5cc03bd1e8060bc

General

Target

JaffaCakes118_d50af17c402177086fc756451041fcff.exe
Size

169KB
MD5

d50af17c402177086fc756451041fcff
SHA1

fae2c308ea6f84d080f4eb211a63231bf3bdbf23
SHA256

e776426fb9c225dd40d4ca585a4be11c4ca868e8a4b604ded5cc03bd1e8060bc
SHA512

70855b701626e9d9456e1886af87fa8954b2203c11196e5bdab28ac4570fdb972408cce415d1a5d77f83a857248b1f8e62068af7810020cd9e87a8a5d8839a10
SSDEEP

3072:8zc7yVkR+47FAqTODL128YZNR0iZlXIei5OsI+JyJpe7QmRSFAL9OM:8Y7yVkh7FAqTe233R3IeirI+Jc8kOh7

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023d3f-46.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
37	3712	Process not Found

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2573923862-3221519550-2669654151-1000\Control Panel\International\Geo\Nation	JaffaCakes118_d50af17c402177086fc756451041fcff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2573923862-3221519550-2669654151-1000\Control Panel\International\Geo\Nation	ope9105.exe

Executes dropped EXE 2 IoCs

pid	Process
1904	ope9105.exe
724	AKL.exe

Loads dropped DLL 4 IoCs

pid	Process
1904	ope9105.exe
724	AKL.exe
724	AKL.exe
724	AKL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AKL.exe	ope9105.exe
File created	C:\Windows\SysWOW64\ope9105.exe	JaffaCakes118_d50af17c402177086fc756451041fcff.exe
File created	C:\Windows\SysWOW64\AKL.001	ope9105.exe
File created	C:\Windows\SysWOW64\AKL.006	ope9105.exe
File created	C:\Windows\SysWOW64\AKL.007	ope9105.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	AKL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AKL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d50af17c402177086fc756451041fcff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ope9105.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1004	MicrosoftEdgeUpdate.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_d50af17c402177086fc756451041fcff.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	724	AKL.exe
Token: SeIncBasePriorityPrivilege	724	AKL.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
724	AKL.exe
724	AKL.exe
724	AKL.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1904	1052	JaffaCakes118_d50af17c402177086fc756451041fcff.exe	87
PID 1052 wrote to memory of 1904	1052	JaffaCakes118_d50af17c402177086fc756451041fcff.exe	87
PID 1052 wrote to memory of 1904	1052	JaffaCakes118_d50af17c402177086fc756451041fcff.exe	87
PID 1904 wrote to memory of 724	1904	ope9105.exe	90
PID 1904 wrote to memory of 724	1904	ope9105.exe	90
PID 1904 wrote to memory of 724	1904	ope9105.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d50af17c402177086fc756451041fcff.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d50af17c402177086fc756451041fcff.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\ope9105.exe
  "C:\Windows\system32\ope9105.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\AKL.exe
    "C:\Windows\system32\AKL.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:724

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTg3NkNERDctOThDMi00RjhBLUI1NzctOUU5NDVGQzdDMzkwfSIgdXNlcmlkPSJ7QjA1MTAxNjItRjFDMS00ODhDLThBREEtRDJEM0ZDQzI1RjQxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDE1NzdEMzYtOUQ1RC00QkI3LUJFRDEtMUEyMTBDNUEyQTFDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzQ4NDQ2NTMwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@93F3.tmp

Filesize
4KB

MD5
de3f9e4f680ff22e8712fa9b32ff85ee

SHA1
0cc885ed6502b3b610af57ee2095410751d9dd78

SHA256
477f789ffe931ee11197de814231fdc770e6e6c1e94b0fec5bee0adecd32dd03

SHA512
daf04bb16fec1130dc08e72b7f28b0041b2eb78900e1464e15f1e20e1705a0de24d3df0de8111a42aed03d73db6f8eb5e30c87f34b4a745d4aa27d84e09d9f90

Download Submit
C:\Windows\SysWOW64\AKL.001

Filesize
1KB

MD5
0db18ad4753e4a223df8ac4c1652d3bc

SHA1
e001009b063c74b079cee87aa165f5dd0734ed72

SHA256
955856731c54f886aaf83d20216e4b45abed5370cc71741fb7e612abda34f9ca

SHA512
692b4f29b057ebbc72be541c011a9d95272d8f9bbd268e4b33ee43dc95dcea091160d8d20b0b7a9429d29b2703af6868f017643aa05b8d86be7ce183f03e6cd4

Download Submit
C:\Windows\SysWOW64\AKL.006

Filesize
4KB

MD5
1153fe5fbe61266713539cae72d87ad3

SHA1
245047d3d158f4eda34290ed22e4bb13a28f9539

SHA256
3b2700a8033916afd0e89ab5519702720f35b94a570ebe865df113f2aacda16c

SHA512
24058cdebaf8ccfc00622301927b221116b846c2a8acf8f0935ba30e0d716bfecd6ab07aaf8d93030ec2149ee98eec5f6d2395ee8a1a62ad00e07124447c107c

Download Submit
C:\Windows\SysWOW64\AKL.007

Filesize
6KB

MD5
049989542b610261bde51aff6b71d4aa

SHA1
22de68b6548faf1ec1b52f14a1f197fa5152babd

SHA256
48cabcd5da354d4018809d12ca445c4c6324250f22450aca04222c214b9ae42d

SHA512
8cc0cb8167598e50a91230061cbe12d0d724151dc454f6cf0dcd5074efc704602796a9a136e53f609a6d54ad6c468aff2db263ad72b4b7d7febd32656eece34c

Download Submit
C:\Windows\SysWOW64\AKL.exe

Filesize
231KB

MD5
79c6903c4794af027053331946137b26

SHA1
b688916709014fc874c5b7870553105a9961c652

SHA256
f3cbf3dd3f229f6119a8be5357959b77af1a43f9d568a7febe9a06f7593b20ed

SHA512
ac28813dcdc38ff1b0736b1673ced7e35d7da5667b0224b88952908564373ae61aff1b0f03d27e40b613559c8d4e37c402269791db2ed1311f62d069a2e5111e

Download Submit
C:\Windows\SysWOW64\ope9105.exe

Filesize
156KB

MD5
b7ed055ed8d5cca59c101522d36e9d61

SHA1
cf067bee048691f621c4c550cc37e37f23a8578a

SHA256
b3028446a3ceaea50217d99fb43bafc9a2859e76db3acf53424094adcd086534

SHA512
de9834b050f05fad2b6eb1b71960d1f103f2c2dda76f201d4e1623a5579bf6e01b1efce91fe9897029d08c16a30e7662e1e3369c1cad415e545937ccdd6eb47a

Download Submit
memory/1052-0-0x0000000000400000-0x000000000042BE6A-memory.dmp

Filesize
175KB

Download
memory/1052-33-0x0000000000400000-0x000000000042BE6A-memory.dmp

Filesize
175KB

Download

Analysis

Sharing