ardamax | 8ce0f5a4817ac353db8c9c559bc80f67c4b4383f005eb25e053feba9cce1fd84

General

Target

JaffaCakes118_839da67a9f654982617d092823062d98.exe
Size

3.8MB
MD5

839da67a9f654982617d092823062d98
SHA1

930ec9d2ad19b22531cb30174cfb356230211d02
SHA256

8ce0f5a4817ac353db8c9c559bc80f67c4b4383f005eb25e053feba9cce1fd84
SHA512

c7c770dc30da9975cb97257c86e732ca694048dcb771bf92d272f0201079c64b13b61948bfef8b22cf47b5f4beed2f96194d7e8f38ee7c937631420048bf6e0f
SSDEEP

98304:7ydA3JRlWA66I3KogwNldX33xQK7xfk6JN6axe63dfjyHJi+kf0:7yqZn7ogwNlVRxVRrCJb

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024089-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_839da67a9f654982617d092823062d98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	MHHF.exe

Executes dropped EXE 3 IoCs

pid	Process
1892	MHHF.exe
4956	Ran Online Chnse translated to english.exe
4672	xte80D8.tmp

Loads dropped DLL 8 IoCs

pid	Process
2996	JaffaCakes118_839da67a9f654982617d092823062d98.exe
1892	MHHF.exe
4956	Ran Online Chnse translated to english.exe
1892	MHHF.exe
1892	MHHF.exe
4956	Ran Online Chnse translated to english.exe
4956	Ran Online Chnse translated to english.exe
3252	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MHHF Agent = "C:\\Windows\\SysWOW64\\Sys32\\MHHF.exe"	MHHF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\MHHF.exe	JaffaCakes118_839da67a9f654982617d092823062d98.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	MHHF.exe
File created	C:\Windows\SysWOW64\Sys32\MHHF.001	JaffaCakes118_839da67a9f654982617d092823062d98.exe
File created	C:\Windows\SysWOW64\Sys32\MHHF.006	JaffaCakes118_839da67a9f654982617d092823062d98.exe
File created	C:\Windows\SysWOW64\Sys32\MHHF.007	JaffaCakes118_839da67a9f654982617d092823062d98.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002408a-20.dat	upx
behavioral2/memory/4956-26-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x0008000000024081-42.dat	upx
behavioral2/memory/4672-43-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/4672-78-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/4956-79-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3252	1892	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_839da67a9f654982617d092823062d98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHHF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ran Online Chnse translated to english.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xte80D8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1892	MHHF.exe
Token: SeIncBasePriorityPrivilege	1892	MHHF.exe
Token: SeIncBasePriorityPrivilege	1892	MHHF.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1892	MHHF.exe
1892	MHHF.exe
1892	MHHF.exe
1892	MHHF.exe
1892	MHHF.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1892	2996	JaffaCakes118_839da67a9f654982617d092823062d98.exe	88
PID 2996 wrote to memory of 1892	2996	JaffaCakes118_839da67a9f654982617d092823062d98.exe	88
PID 2996 wrote to memory of 1892	2996	JaffaCakes118_839da67a9f654982617d092823062d98.exe	88
PID 2996 wrote to memory of 4956	2996	JaffaCakes118_839da67a9f654982617d092823062d98.exe	89
PID 2996 wrote to memory of 4956	2996	JaffaCakes118_839da67a9f654982617d092823062d98.exe	89
PID 2996 wrote to memory of 4956	2996	JaffaCakes118_839da67a9f654982617d092823062d98.exe	89
PID 4956 wrote to memory of 4672	4956	Ran Online Chnse translated to english.exe	96
PID 4956 wrote to memory of 4672	4956	Ran Online Chnse translated to english.exe	96
PID 4956 wrote to memory of 4672	4956	Ran Online Chnse translated to english.exe	96
PID 1892 wrote to memory of 5076	1892	MHHF.exe	112
PID 1892 wrote to memory of 5076	1892	MHHF.exe	112
PID 1892 wrote to memory of 5076	1892	MHHF.exe	112

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_839da67a9f654982617d092823062d98.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_839da67a9f654982617d092823062d98.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\Sys32\MHHF.exe
  "C:\Windows\system32\Sys32\MHHF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1148
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\MHHF.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076
- C:\Users\Admin\AppData\Local\Temp\Ran Online Chnse translated to english.exe
  "C:\Users\Admin\AppData\Local\Temp\Ran Online Chnse translated to english.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\xte80D8.tmp
    x -y+ -t"C:\Users\Admin\AppData\Local\Temp" "C:\Users\Admin\AppData\Local\Temp\Ran Online Chnse translated to english.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1892 -ip 1892
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@7C15.tmp

Filesize
4KB

MD5
070dbaaff6fc4389cf2f22d071d21c26

SHA1
536ecaadbcbcf2f4c16a7c47d8ee2f71921957da

SHA256
83ea6f0a401f215e90ca73b97575a56da6ca420872603179bd5db5ec76f85081

SHA512
8fdc34084f119dad46c0f4699acb0478a0b17bb065cb68527f556c16fb20891d7a69276ffd2c1d7568a2350112ddecc182c28fae8d0e7b77db88be9fd14f0609

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ran Online Chnse translated to english.exe

Filesize
3.5MB

MD5
b107da1b4da49d7df76bce25bafa0f96

SHA1
0d81598bb716da49807acf11f0baa6fa1a6607ea

SHA256
767c2962b58696eebc2783ed6a1b22c0157e42c62183ef3b469cfda8e7ddfada

SHA512
7e5d11407b040a7f6f4d774eab79fcf985ce02187d90ec02bc554e62700eaa1faf3a4f1524c5b6c906dfb985f7bf31323cc636debe1faaaf0d6f3c0aff719dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xte80D8.tmp

Filesize
73KB

MD5
4a068d3013a25918f2809640ce9df860

SHA1
3af1c595f15d5ca94996520790dcf61875a99a4d

SHA256
1128a2b2766b714b1408c0afdcf1bd969db1ee8b45963a2c6d8dd57a10fac22f

SHA512
604e586931a3f5b3f11b6f514866211ba898f1846de1b5793dba6e61982fd79f68131498304d310188efcd7442bb4d696c19cc3e752083e52fc3fea8c653e267

Download Submit
C:\Windows\SysWOW64\Sys32\MHHF.001

Filesize
466B

MD5
dec41ee8440f125c17c91116905c0825

SHA1
e3aec5c5ada1c84261461a6907ead58fcd8fac9f

SHA256
f7146a26dc8cbd5ce33888f50d256de0fdb037ac9294a749e8374d021f70538c

SHA512
8145aa2b25e2e4334da840a26c199d20e71cbdd6299f270b10d11e57d0a76d7195d81887a42ee937cfabebb1431d7fb294fa28f4821ef4fc08540f7085380a8c

Download Submit
C:\Windows\SysWOW64\Sys32\MHHF.006

Filesize
7KB

MD5
6d97151278f4a6c0273d92bed593e49a

SHA1
c2cbe640b2531f5b51ae461a4f213294b106c7e4

SHA256
7a572090797699c09c8f369f1d646d4340aea4c0bbd8f5383a3747478b99aa60

SHA512
0ec5bfb032c8d1d911faafbe63a4739d23dc3368f9d6b8b2fb4a6a92f9ae6c5e5e1a21acb879eef0ea592646c69483338504048cf16ed9be827cf6fbe70d63de

Download Submit
C:\Windows\SysWOW64\Sys32\MHHF.007

Filesize
5KB

MD5
5ff123f581e889ec2d72e5e91762250c

SHA1
036f31e9303b85dbc0bde419674654743b4135d4

SHA256
1dbf1be7742842553d83dd0c2b39855828c8be7715fd40d2ab464a2a13b82116

SHA512
21dc1dcd42bcd7f5ff28b3023141f6e58229c7b34a6deae966c3fb13f8c4e8aeeb20a4615bd0d2912441298d870c7a9a50667d6e7e58a16519f9051186616207

Download Submit
C:\Windows\SysWOW64\Sys32\MHHF.exe

Filesize
477KB

MD5
75f85a9486fbf3f06af7ee61303deca5

SHA1
e5df6099c029ae4a77d9e9a116992ff55a73a546

SHA256
54841077de626fa46dd196c12fae104d2669cd3ea7d8988ed8637fbe552ae200

SHA512
58f7a4dcb59ccb046b80165f34b62f00accd5c1ac58681f75b08177b07835ccee9b569508dab2115805b114e5839911aca1e762baad4a3002083a51bc97419e6

Download Submit
memory/1892-80-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1892-30-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4672-43-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4672-78-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4956-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4956-26-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads