ardamax | e812e270cef6517426a9a5734863d22772ffe33366b91edfddec905b47f7c37c

General

Target

JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe
Size

265KB
MD5

f4fdc2ac69cb2ea0617dd933852a35a9
SHA1

ef8a47707d5f2938e75392a08d05b41895ed06e5
SHA256

e812e270cef6517426a9a5734863d22772ffe33366b91edfddec905b47f7c37c
SHA512

067d14bfe997d4b573b380cb1945262f63456dd31a65c80beb72f58b7e98f3a4eaa4bdd1c31cd71c8fb24edc3dee178ee739fbbc30e6eba4444babf412c35a5d
SSDEEP

6144:RmpyGNDEeBT1dBb0ilG2bcHzkLjCyuIGrmu2Ys4WGPYlF:RODlRYKnIHgjjuIGrmu2F4WGPQF

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023daa-12.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
48	1280	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe

Executes dropped EXE 1 IoCs

pid	Process
4440	av.exe

Loads dropped DLL 1 IoCs

pid	Process
3932	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\av = "C:\\Windows\\SysWOW64\\Sys\\av.exe"	av.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\av.007	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe
File created	C:\Windows\SysWOW64\Sys\av.exe	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe
File opened for modification	C:\Windows\SysWOW64\Sys\av.001	av.exe
File created	C:\Windows\SysWOW64\Sys\av.001	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe
File created	C:\Windows\SysWOW64\Sys\av.006	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3268	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4440	3932	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe	90
PID 3932 wrote to memory of 4440	3932	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe	90
PID 3932 wrote to memory of 4440	3932	JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4fdc2ac69cb2ea0617dd933852a35a9.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\Sys\av.exe
  "C:\Windows\system32\Sys\av.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4440

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTEwOUNGNzctOENBQS00OTBELUE3MTctRUNBQTU4OTU2MjA3fSIgdXNlcmlkPSJ7REI4QUU1OEYtN0I5QS00NDAyLUIwNTQtQjczQTc3MTYyOUNBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTk2RDFEM0EtRDU0My00ODE1LUI3OEUtRUJGN0JCMDk0NzRCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTc5NTEyNTY2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@BFC6.tmp

Filesize
4KB

MD5
fec74da36beb4457716675804f74221c

SHA1
1c02ce33852f00dd896b4bb1d93fbba663dd329d

SHA256
e47ac7649f18595fbd2281a8cdff82a2b488b8dd56bc1ae88930b521f24b1c89

SHA512
64b1d6912b2d6336f2ec7abd240215c842970eece0007afb4c939cf40becb437d6d6708d840035c935d96742918de07b52a96708388cbcda438e8c56d49ede06

Download Submit
C:\Windows\SysWOW64\Sys\av.001

Filesize
3KB

MD5
b3bd5bba288b65c6af849ec7646975f7

SHA1
0d28f43c999c6ed5c755afb20c41aebf03cf6ced

SHA256
8141dc03e59c0928e151c3d1dcf1b759b2655516c76f02db9cec3747c6b1cd09

SHA512
19ed6e8481c51ecc47b8d7f9f507418879a326021e00b3c28b2d4b4eaff9c81938dab9cf71aa53356e9c83dc840f352030440520e1d746ea1f640a9044ce9f05

Download Submit
C:\Windows\SysWOW64\Sys\av.006

Filesize
5KB

MD5
81684ae4865ec5f66d24e892b03cdb28

SHA1
71e0129317001cbf9fc0876a6ea15886c0caa987

SHA256
b036f867ef31023198260a6610a57cc9148a547103b17de934e607aca580eb23

SHA512
adac78672fa35ad5aef8afac26c6360f06f98783fc3527c558b6fcadfd6d22b06ef4a8c0f6c076da3b270f83265eb4d20d58fc514932ad3d16554c3fd33f4fec

Download Submit
C:\Windows\SysWOW64\Sys\av.007

Filesize
4KB

MD5
ac152720163090f4c0fb7f5c7e1638dc

SHA1
4fec3f24e3f9221c7c7cf918d7507586bf0cf48a

SHA256
fdc0467059610b4055818e2e499c1ed17705397383a61245917bb93ba0f8e3ef

SHA512
d62d827530d421735e95620f57230b1d7376a1055ddfb32d00db8df7764618f442a5166bdb765babf85695b7138ac7c4c71c231e5c745ed7d8113e6394acd301

Download Submit
C:\Windows\SysWOW64\Sys\av.exe

Filesize
459KB

MD5
b7a532f4b00925d636882e80f49305a8

SHA1
ae88858ea8c3a7ba2ed373cb104ef2152fb44b54

SHA256
f417f9088e6c39c418ecf8efbf0038362945788838bd7e67efd89199ada15ccd

SHA512
551fe3425b17f29b1c8157b2fdf6c6c0ed15c655bc14e9b73ec38209c55191444762eeef61ae933047079243b9487f92b649f5852b3f22d4bac5d070f523b706

Download Submit
memory/4440-21-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads