ardamax | e47172da926037ad8f4a3e732ddb98c1ec0636b2cb8b6f6e4313364eb3d0d7af

General

Target

JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe
Size

587KB
MD5

ee636d6510b4adc61e4def13a7892355
SHA1

913bd88e8c5a1d46331b6224a3d1a7dc32148e34
SHA256

e47172da926037ad8f4a3e732ddb98c1ec0636b2cb8b6f6e4313364eb3d0d7af
SHA512

c1aeafa51d416e4a26393a262bd3d4007e39d3961d29468672646a48e5c9884871d4ba46842b3bc084b072022549e923b398faa48940e7094c2c855b5eda4709
SSDEEP

12288:EztD6zWBlS3T0n/+elP4SdcO0j4MkBiiuNPVblTt/I8:ERD6qMTw+elP4/O00Mo9otlpr

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023cdc-29.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	RSBots Auth Generator v4.8.exe

Executes dropped EXE 4 IoCs

pid	Process
4244	Install.exe
4336	RSBots Auth Generator v4.8.exe
2812	AJCH.exe
744	RSBots Auth Generator v4.3.exe

Loads dropped DLL 3 IoCs

pid	Process
4244	Install.exe
2812	AJCH.exe
744	RSBots Auth Generator v4.3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AJCH Agent = "C:\\Windows\\SysWOW64\\28463\\AJCH.exe"	AJCH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AJCH.001	Install.exe
File created	C:\Windows\SysWOW64\28463\AJCH.006	Install.exe
File created	C:\Windows\SysWOW64\28463\AJCH.007	Install.exe
File created	C:\Windows\SysWOW64\28463\AJCH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	AJCH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSBots Auth Generator v4.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AJCH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RSBots Auth Generator v4.3.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1976	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2812	AJCH.exe
Token: SeIncBasePriorityPrivilege	2812	AJCH.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	AJCH.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2812	AJCH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2812	AJCH.exe
2812	AJCH.exe
2812	AJCH.exe
2812	AJCH.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 4244	924	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe	86
PID 924 wrote to memory of 4244	924	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe	86
PID 924 wrote to memory of 4244	924	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe	86
PID 924 wrote to memory of 4336	924	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe	87
PID 924 wrote to memory of 4336	924	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe	87
PID 924 wrote to memory of 4336	924	JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe	87
PID 4244 wrote to memory of 2812	4244	Install.exe	88
PID 4244 wrote to memory of 2812	4244	Install.exe	88
PID 4244 wrote to memory of 2812	4244	Install.exe	88
PID 4336 wrote to memory of 744	4336	RSBots Auth Generator v4.8.exe	89
PID 4336 wrote to memory of 744	4336	RSBots Auth Generator v4.8.exe	89
PID 4336 wrote to memory of 744	4336	RSBots Auth Generator v4.8.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ee636d6510b4adc61e4def13a7892355.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\28463\AJCH.exe
    "C:\Windows\system32\28463\AJCH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\RSBots Auth Generator v4.8.exe
  "C:\Users\Admin\AppData\Local\Temp\RSBots Auth Generator v4.8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\RSBots Auth Generator v4.3.exe
    "C:\Users\Admin\AppData\Local\Temp\RSBots Auth Generator v4.3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:744

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEJEMURFQ0YtRTRCOC00Mzg0LTk3RjctNDg5NjZEQUM3OEU5fSIgdXNlcmlkPSJ7NEEzNUY0NDYtRjNGNi00QThELUI3MjgtRjhERjRBQzMyQkREfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzdFRkU3NTUtQTk0Ny00NzI1LTlGM0YtNzI5MzdGNTk5OTNDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjAyNzI4NDA5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@806B.tmp

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
458KB

MD5
91b96df9d206945411c2172117b8268d

SHA1
34d389534ed08a38a575943d06a51b49f7ff0381

SHA256
293aca8607498c16949ee2c3554f37689b16c715622d5604799b1445a9782ad8

SHA512
257869513622ebcc2f7be76bf4e90e32e2fdaeabe945fdcf27e47864ba2166b03d28c73609b91ca1dbb9ad18b574540fab4f73f32fedb0f0125a8b0bddbb49f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSBots Auth Generator v4.3.exe

Filesize
103KB

MD5
02df8af30fe5d24e4b7ac48652ab98d6

SHA1
5a86da75b71502f5e0722f3e2e0216660351799f

SHA256
20e266109a97590da668cd6d6f9299b4528f9694b0585c9d835480c8ec6e0168

SHA512
4c0ac1c9e8e10e3621067810f8bf4a1d3ca8be030e90821a486a6a76ac5393b7ee1872c1281aaca551cefc7a12794f0902a90ed0028546b0693848baeb2c233d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSBots Auth Generator v4.8.exe

Filesize
86KB

MD5
586bef6632fca77aa9f78cc368db62da

SHA1
6e175d3f8e7fca7ae051e25c99884f776ef42439

SHA256
a42bd7b06db11dabbaa5c3e0f01d5c27e67f0943f4ccec2e9469b7469de46729

SHA512
465e5f0eace342ae21ffcbe457a43a4ab38d3fe4a2cc53a205a94e993c3af1b2c6b30dd0d68a6dcaf22f8c8f99a667a7d847a24b3d07b7d8f9f6e624bd0ea268

Download Submit
C:\Windows\SysWOW64\28463\AJCH.001

Filesize
404B

MD5
34763375e4017130ee4a153665db2857

SHA1
a57a5378b6ea19dd164e778a7d27017d04f4bfaa

SHA256
3f2fb49930beef83f804352cdae35f8b0cbdecba74a19014576c128d43cde3d3

SHA512
3a1b9edb4629e384751469f97cf5b661959318eb0271b2c697ef1f814a896edec086e6d25203c6f9d4e7a1d195b681527c7d08469bd28c419648e73523a1cbd7

Download Submit
C:\Windows\SysWOW64\28463\AJCH.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
C:\Windows\SysWOW64\28463\AJCH.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
C:\Windows\SysWOW64\28463\AJCH.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
memory/744-50-0x0000000000660000-0x0000000000682000-memory.dmp

Filesize
136KB

Download
memory/744-51-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download
memory/744-53-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/744-54-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/744-55-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/744-56-0x0000000005240000-0x0000000005296000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads