ardamax | d0ec6a99028b91e7b9ad774d2f3d3db698b1e527ea8386960ed29abf8cb3e8cf

General

Target

JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe
Size

846KB
MD5

7e7b955a0ac5591aacb492a6a0339967
SHA1

6696fcd1755d312df08322ec573b2e58ed24b564
SHA256

d0ec6a99028b91e7b9ad774d2f3d3db698b1e527ea8386960ed29abf8cb3e8cf
SHA512

e0c4f7e1d67be201994960385466c790fc3489f71ade782975e5bbaa80d042cac915b9ec7b093cffda318efd8483d37c887f6d6103e4ace81d6c129681f95dfb
SSDEEP

24576:DbPTUO2Tjtaa4SoGifmHlPdHr3eUJFoTWM3zsH:D7TUTTxitff2PdHr3Pys

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000242df-7.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe

Executes dropped EXE 1 IoCs

pid	Process
4168	FPB.exe

Loads dropped DLL 1 IoCs

pid	Process
4168	FPB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FPB Start = "C:\\Windows\\SysWOW64\\JHRXXY\\FPB.exe"	FPB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\JHRXXY\	FPB.exe
File created	C:\Windows\SysWOW64\JHRXXY\FPB.004	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe
File created	C:\Windows\SysWOW64\JHRXXY\FPB.001	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe
File created	C:\Windows\SysWOW64\JHRXXY\FPB.002	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe
File created	C:\Windows\SysWOW64\JHRXXY\FPB.exe	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FPB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4168	FPB.exe
Token: SeIncBasePriorityPrivilege	4168	FPB.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4168	FPB.exe
4168	FPB.exe
4168	FPB.exe
4168	FPB.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 6088 wrote to memory of 4168	6088	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe	86
PID 6088 wrote to memory of 4168	6088	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe	86
PID 6088 wrote to memory of 4168	6088	JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e7b955a0ac5591aacb492a6a0339967.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6088
- C:\Windows\SysWOW64\JHRXXY\FPB.exe
  "C:\Windows\system32\JHRXXY\FPB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JHRXXY\FPB.001

Filesize
61KB

MD5
1d6f0b3843d17046be7669262085fb67

SHA1
703b2d00731920b77041908ee4ec44ed10d6f8f9

SHA256
88c91de925b84024367fd2a0a2597ef884c16f424771ca1a17780fb4cff7c591

SHA512
23c6e8c94908bce7400527c7ad4bdd030074d45c48421140eeee6a9e156571d5a31c4ad7bb0f2042b2dfceab14f36044c433c0b2d4cdee4dfed1dccb9b28188a

Download Submit
C:\Windows\SysWOW64\JHRXXY\FPB.002

Filesize
43KB

MD5
4207e94e5371e60c5a1c8a3a1bf7169a

SHA1
469d55baaed9f93dd74bdf41383a760fd8690342

SHA256
0caf0bcee50026d048e8c02345be9d6aa387db5245d99c2dcc255c75eccbcec5

SHA512
c85ed60aefd0bc7105760df5d969ab606e1d6775de20b11ef14b454fc27f1308e91111786895e42c38b019f286425f980ac113086809ed3c6babc778af5deec1

Download Submit
C:\Windows\SysWOW64\JHRXXY\FPB.004

Filesize
618B

MD5
3372b51ca49cb3e6c6b8707862d2a357

SHA1
1aa336ade11fa236a1d6bbbdde4a6451e9ebc4cb

SHA256
ec43985c259e14bcc9b2626ab1e43ef4f34b31448dabbea329254fa85dc85145

SHA512
9087d10a2c2de87778be425b65567169c46d2e6139e30ee2f09373e2b042ea4e0ba31860b93c9d90dfb58fb0eef2415273966c6d8d070d99875c88c26eed1dab

Download Submit
C:\Windows\SysWOW64\JHRXXY\FPB.exe

Filesize
1.4MB

MD5
3c0034d74caf9846686a2d93fd3079ac

SHA1
949adf7912c74ca8517d70f30b823264a5a7e067

SHA256
55750ec7e5c987dbe2585f0e4b1728999b3bb94d5efd458f4aed75efa960855b

SHA512
5c25cfbbdb2f794a484a2a1d9a454d9b13ab90cba0313ce995330e97516b422524cd388a357d211addfdfcec06d681edf131a3b98839a3f6d3d9863d97ad1399

Download Submit
memory/4168-14-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4168-16-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads