ardamax | 35f7e35cbc0454bb5fd0c1f0281286d1870fdfae1296d781e6334537ea13dd26

General

Target

JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
Size

488KB
MD5

7c28b4f5e5ef9ce6f00e407a2ae79506
SHA1

afb3f897a54886824832706342e4e490d8029ea4
SHA256

35f7e35cbc0454bb5fd0c1f0281286d1870fdfae1296d781e6334537ea13dd26
SHA512

142df43a2b84ae6620d721cf346a3bda476ac26ebb997404f0b0a61f4d59ca07dc452aa1b2331eb1bd8ea17cddfce54119a422da15615d298e9ce78369cc991f
SSDEEP

12288:lWPbHtkak9viyKYzIo94eMnAMMckn4jNdEnGm9ucQDH5f0Vp:kPK1xiKzIoDyMckoT25QT5f0f

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002426d-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	JCLN.exe
3880	Limewire Pro 4.18.2.exe

Loads dropped DLL 7 IoCs

pid	Process
4248	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
3068	JCLN.exe
3880	Limewire Pro 4.18.2.exe
3068	JCLN.exe
3068	JCLN.exe
3880	Limewire Pro 4.18.2.exe
3880	Limewire Pro 4.18.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JCLN Agent = "C:\\Windows\\SysWOW64\\28463\\JCLN.exe"	JCLN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
File opened for modification	C:\Windows\SysWOW64\28463	JCLN.exe
File created	C:\Windows\SysWOW64\28463\JCLN.001	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
File created	C:\Windows\SysWOW64\28463\JCLN.006	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
File created	C:\Windows\SysWOW64\28463\JCLN.007	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
File created	C:\Windows\SysWOW64\28463\JCLN.exe	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JCLN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Limewire Pro 4.18.2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3068	JCLN.exe
Token: SeIncBasePriorityPrivilege	3068	JCLN.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3068	JCLN.exe
3068	JCLN.exe
3068	JCLN.exe
3068	JCLN.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3068	4248	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe	86
PID 4248 wrote to memory of 3068	4248	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe	86
PID 4248 wrote to memory of 3068	4248	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe	86
PID 4248 wrote to memory of 3880	4248	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe	88
PID 4248 wrote to memory of 3880	4248	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe	88
PID 4248 wrote to memory of 3880	4248	JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c28b4f5e5ef9ce6f00e407a2ae79506.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\28463\JCLN.exe
  "C:\Windows\system32\28463\JCLN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\Limewire Pro 4.18.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Limewire Pro 4.18.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@4BED.tmp

Filesize
4KB

MD5
91374d9ab21e5ebc2cc82c2b5d46d116

SHA1
2107cdb63bd762a1d12c5b7475f73fc433fd05b6

SHA256
2aaf236aefea2d3500d57b78cc683a50843e73b8270279686a1eb78e37937d23

SHA512
465061b230203c464cbfea3447249d7b603773b60c3c882a254b19699dd825ddc01bba2c475dd2fc1081927b97de0d395b99d6afe365faf8b0c9db24c0d4323b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limewire Pro 4.18.2.exe

Filesize
15KB

MD5
2881ec11b38db6156dbaffa4597dbe1a

SHA1
7d5e6aa959692471b705037204d171dd6e7f3086

SHA256
e380410daa4959cee05113bf7797471b9a8d23cb4f1caaa7e1ef8a57a730f5d6

SHA512
33aac37317fdca8f6f4d84525ce3dc8b36847af36849f821a1cd542091394b7617b272e22d2ab73c0bcad281cf5bccc6417c0a9e2ba73a421fc92ebf717a53c6

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
a655980f1ccb7e183aef71419e01051f

SHA1
26bf8f2a1c096fcf014f4d38a7262d4c8a5eae5e

SHA256
d2af94a00c4de38dbc481c50e439768a9aa0ee2cca057efb759a10068c66e57b

SHA512
66fed05ff2a9dd9ea9565274cd32dec3ad42a0ff41ab468f1d751697fbf246a5ed1112ce8f556ffcec607eefce1cdfd5a3d9954a99b1b58e342a9239592c97ad

Download Submit
C:\Windows\SysWOW64\28463\JCLN.001

Filesize
390B

MD5
4ff9345c85f118606cc71b015155241d

SHA1
73e17ad7861348860fff63d70d86f750fae8431b

SHA256
a2ac698934f200f3dd5e77fecaa3ba9e8a858ddb0560973d051630c9aa7f37bb

SHA512
2364da6cf44d132594b0e0c2ba056e10fdea89c74a60d42c230e602b779de6f7bca58bbda67b7616d730db141a66531dbf85b354d82c977a6c708a301115c24b

Download Submit
C:\Windows\SysWOW64\28463\JCLN.006

Filesize
7KB

MD5
c8cea38934bbb1d53dabd5680d12612e

SHA1
438b909d2a80b2995e2eb5e4fc12d21185bd7f9e

SHA256
77d3390580bc51da413b5a4fdce4f70c23dba979904f0f64f5aa8091e300c8ad

SHA512
4fd62a8b1260e6ead4c1ea178e35255ed8a1f31819080ef358f8b6f1975f705f9df0b901c870be58b10aa7b34263bd670afaeee315247fb5eb262caf70fc10a8

Download Submit
C:\Windows\SysWOW64\28463\JCLN.007

Filesize
5KB

MD5
00ff3cd6c61e7d48ee1ae5f6b6b3876b

SHA1
efe6bcdb012525d11d2f2f10a3c362c06fe48a22

SHA256
043b156e49a23c85ea6524729ca89c0932a7ffa5d39328182be212c7f403719e

SHA512
52aa11472123dc19a2bea54fbf18b3cb5803ce47f831427d0316421653826a945a8cb914e592b4e9311ff97884f998021d8dbc0c94e2c69e04c99103e55986a4

Download Submit
C:\Windows\SysWOW64\28463\JCLN.exe

Filesize
471KB

MD5
b19358a11fc5bf245df5816361d4d24c

SHA1
22c92178047080c254aa2ed601f027a52f22c44b

SHA256
fb6bd2ac12914944697900aeaaf5606c475e8d3c5a5c9bdc345ce037a2218a74

SHA512
e92f9d73b25c1d922dd742ca63a0af7152eb6e748d2b06e84993273636a31fdf09071414c3576f4734da70f0f15835caaaa812da1a928abff1d67879ed6a2d45

Download Submit
memory/3068-30-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3068-38-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads