ardamax | af767d080a74637105d7c56a724c665f6a15c3d29fa9f4792ba6a8681c4e3398

General

Target

JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
Size

175KB
MD5

d53e78fe3cddbaaad3ecf367ef3b43eb
SHA1

905021038017709e4284f31f3800038cbd7e0f24
SHA256

af767d080a74637105d7c56a724c665f6a15c3d29fa9f4792ba6a8681c4e3398
SHA512

ddc2381a9a1f54a829705150603c15fc3377bc7aa41e71b3973186afe923416ed9dad296e0538776b016054d3a8a35e1c90c4df87aa7cb9ad0a5aee47e8812c8
SSDEEP

3072:OO6QmEGX0JFD4nQsh1r+EVFGYt6GXiv1ystW2ei+jw2NbCnt6kRWwg9tdRRvjjSS:RGXS4nQM+EjGIXZstyi0VCnbReJRJSBc

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ddf-12.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
53	1784	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe

Executes dropped EXE 2 IoCs

pid	Process
64	NSK.exe
3376	mircex.exe

Loads dropped DLL 5 IoCs

pid	Process
4884	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
64	NSK.exe
64	NSK.exe
64	NSK.exe
3376	mircex.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NSK.007	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
File created	C:\Windows\SysWOW64\NSK.exe	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
File created	C:\Windows\SysWOW64\NSK.001	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
File created	C:\Windows\SysWOW64\NSK.006	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Winamp\Plugins\gen_ircex.dll	mircex.exe
File created	C:\Program Files (x86)\Winamp\Plugins\ircex-readme.txt	mircex.exe
File created	C:\Program Files (x86)\Winamp\Plugins\gpl.txt	mircex.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	NSK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mircex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1688	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	64	NSK.exe
Token: SeIncBasePriorityPrivilege	64	NSK.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
64	NSK.exe
64	NSK.exe
64	NSK.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 64	4884	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	86
PID 4884 wrote to memory of 64	4884	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	86
PID 4884 wrote to memory of 64	4884	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	86
PID 4884 wrote to memory of 3376	4884	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	88
PID 4884 wrote to memory of 3376	4884	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	88
PID 4884 wrote to memory of 3376	4884	JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe	88
PID 3376 wrote to memory of 1728	3376	mircex.exe	91
PID 3376 wrote to memory of 1728	3376	mircex.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\NSK.exe
  "C:\Windows\system32\NSK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:64
- C:\Users\Admin\AppData\Local\Temp\mircex.exe
  "C:\Users\Admin\AppData\Local\Temp\mircex.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\notepad.exe
    "C:\Windows\notepad.exe" C:\Program Files (x86)\Winamp\Plugins\\ircex-readme.txt
    3⤵
    PID:1728

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEFCQ0FDRDctNjQxNC00ODM1LUEyN0EtMUIzOUFEMzQ4NEUxfSIgdXNlcmlkPSJ7MEQyOTQ2REEtRjY3NS00RjlGLTg1RDYtMkMwOEU4NzlFNTlDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTAwQTIyNzUtRkMzMy00NjkwLUIwQTctMENCOEExN0Y3QjQ5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTczNDgxODA4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Winamp\Plugins\ircex-readme.txt

Filesize
2KB

MD5
7c4e4ed4e787b53023ec2efa6be264e6

SHA1
7cf456e062eed320dafb545c6e85f391f7862649

SHA256
bbebffedc4187980721fabbf3b6b6b050998d87ef5035d1bc6a8ac086fc19243

SHA512
0027caa3271b6080448ec8204c2c3e37a62f0e106045f31644c8dc5be3ac6a13fec9b4c4eec1fb9408a5f7cdaf0f19240bf21ab4d69138ccb775279b933fa51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\@A76B.tmp

Filesize
4KB

MD5
ccfd350414f3804bbb32ddd7eb3f6153

SHA1
e91d270b8481d456a3beabf617ef3379a93f1137

SHA256
1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

SHA512
328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mircex.exe

Filesize
51KB

MD5
40d9bfda1019eee29733fb6e0ac88a1f

SHA1
c6f37298115f7d3bb780a0717c9383722db5f30e

SHA256
1debeaa110534a3330a4b6461e292578b631cac2ba3f3c79e8c8b6f990fbf68c

SHA512
fc599e53dddb68a65b7cabf8d84afb3669a3b0f43fa4bcb444847892e505ad6645121fd456249755593cd0672f73953afbe6dcdbd7983cba792001911e2eacb7

Download Submit
C:\Windows\SysWOW64\NSK.001

Filesize
1KB

MD5
ee51e44a66b8b05c5fbf06984dc460f6

SHA1
41124b42a9c76f4e11b309379b5c1c0fb3ba02af

SHA256
b3bb8a3042579c6737f2cfac5f5507dc2d5b02c0f5e6044f097148f6733320a1

SHA512
60b43e0230b116064964d3c5a7b8606802ef4aa3ab3725f0504fb6fee08f72ff1bee199f8963f42ba49e664e856204e5e92f694db8192369a79202a555acb4fc

Download Submit
C:\Windows\SysWOW64\NSK.006

Filesize
4KB

MD5
0868167c8915fb3d87d4e5a775a57ffd

SHA1
5f223134e003382fd8c191a1f4ca94922f1d802e

SHA256
6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

SHA512
d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

Download Submit
C:\Windows\SysWOW64\NSK.007

Filesize
6KB

MD5
5e023770dfb9d9068706facc958c7d66

SHA1
9cf95074a78239da000452362c2167991970e972

SHA256
f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

SHA512
a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

Download Submit
C:\Windows\SysWOW64\NSK.exe

Filesize
239KB

MD5
2bada91f44e2a5133a5c056b31866112

SHA1
9fbe664832d04d79f96fa090191b73d9811ef08d

SHA256
c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

SHA512
dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41

Download Submit

Analysis

Sharing