ardamax | 47e2aa2d9c93a000c634f4cf3b8f2f9fb84d04f8ecf21e79adac912bc8578257

General

Target

JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
Size

299KB
MD5

82a10c3d88bde601bbe9dc598278bba0
SHA1

fe9d6b9b41ce6043046e1422fa8fe1ef293f74ed
SHA256

47e2aa2d9c93a000c634f4cf3b8f2f9fb84d04f8ecf21e79adac912bc8578257
SHA512

dfbf515c46e7ac33ff3c5cca30dfbfa41ce080790ced2e3a741b54860cccf5a280f026b797f056b4a17f85f501c19143e37375c6ccefc50f8734e73c85797252
SSDEEP

6144:0RXe6tGa25QPQ3LFLF1Tp55/SzS74etBNbc88eYYTeuw0JBOmtb/RSxQwXzQ8R97:0RXeKQbVV5hkgHbhQYT5w0POkpSSwXh

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000242e8-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	WFSE.exe
2104	Nostale GoldHack.exe

Loads dropped DLL 2 IoCs

pid	Process
5628	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
3032	WFSE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WFSE Agent = "C:\\Windows\\Sys32\\WFSE.exe"	WFSE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000242e9-20.dat	upx
behavioral2/memory/2104-28-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2104-38-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Sys32\WFSE.001	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
File created	C:\Windows\Sys32\WFSE.006	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
File created	C:\Windows\Sys32\WFSE.007	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
File created	C:\Windows\Sys32\WFSE.exe	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
File opened for modification	C:\Windows\Sys32	WFSE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WFSE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nostale GoldHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3032	WFSE.exe
Token: SeIncBasePriorityPrivilege	3032	WFSE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3032	WFSE.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3032	WFSE.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3032	WFSE.exe
3032	WFSE.exe
3032	WFSE.exe
3032	WFSE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5628 wrote to memory of 3032	5628	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe	87
PID 5628 wrote to memory of 3032	5628	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe	87
PID 5628 wrote to memory of 3032	5628	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe	87
PID 5628 wrote to memory of 2104	5628	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe	89
PID 5628 wrote to memory of 2104	5628	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe	89
PID 5628 wrote to memory of 2104	5628	JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe	89
PID 2104 wrote to memory of 3904	2104	Nostale GoldHack.exe	91
PID 2104 wrote to memory of 3904	2104	Nostale GoldHack.exe	91
PID 2104 wrote to memory of 3904	2104	Nostale GoldHack.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82a10c3d88bde601bbe9dc598278bba0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5628
- C:\Windows\Sys32\WFSE.exe
  "C:\Windows\Sys32\WFSE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\Nostale GoldHack.exe
  "C:\Users\Admin\AppData\Local\Temp\Nostale GoldHack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81D2.tmp\Nostale GoldHack.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81D2.tmp\Nostale GoldHack.bat

Filesize
373B

MD5
0e3b61d6c0925acf68c96a8ed77ed143

SHA1
66d6b5a574cb9a81930f5624fb34fface3629923

SHA256
efc139e4ddf46154acaf29b8e157ca6f055af4b96edefb68a7f43c20b5ed88dc

SHA512
9c123a7beda62fdc655da745576342f7bfaa61c8cc3f36e8d08d6edb8875c8b17ca0c79ab32fc27ce6c58703fe900d0c6dbfd04d9fb855066a871c4cee7ac400

Download Submit
C:\Users\Admin\AppData\Local\Temp\@7F90.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nostale GoldHack.exe

Filesize
27KB

MD5
1c022a600a3512e2f667469a95de5b9b

SHA1
d354b76ea4fd679c93230c5385fd8868d9e214f5

SHA256
7bf9799f7d35cc5dabd057f8fbe4afe8c56a8bcec1b8accc2579eb1c68bdff5a

SHA512
3653ca83afa2a1575cfe26d2e67be056611d3ee35d56ac95d72428f1ad85c397212f3dafe3504741d48ce6a1a638be10feb50bc684711f849cb7ef8f1f7888f5

Download Submit
C:\Windows\Sys32\WFSE.001

Filesize
476B

MD5
fd136a563e95338c2dbce7e8a9c20f7c

SHA1
bfc5fa28f996e1e54dd46e83fb98f44c379a7241

SHA256
008167c6a9e8a1f6277c0de4d669e001661fbee1c2227a83537459076608b79a

SHA512
ea6ad21f7b68e55e4a626f564a36d691eea154ef67a8b5b94826d776e4c5af8504abb50c0d92e3837daf919e9b639e43c0ba3bb484673aea92c8a752779e8b96

Download Submit
C:\Windows\Sys32\WFSE.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\Sys32\WFSE.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
C:\Windows\Sys32\WFSE.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
memory/2104-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2104-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3032-32-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3032-40-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads