ardamax | 9210482e654a31df2084dea63dae1f2d028d8201379e7aa0ba596850700d460a

General

Target

JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
Size

599KB
MD5

b406c31d83723140d615063dbfde3663
SHA1

02b7037aa5a2c3921d637542cf4b7ccb9b50865d
SHA256

9210482e654a31df2084dea63dae1f2d028d8201379e7aa0ba596850700d460a
SHA512

879d7587ee20aac253a0626d1fa2a25de48bb806c691d0f63e8b4de53f882108b2b86145fb86a08d4533fb4b1464cf6d4e724234f70753f9e2be3908caae08e1
SSDEEP

12288:pM8pLhsZtAL4qON/9i+uU/36TK4VrMMU6BhjUVWNuJ0aSKTQa8w4X0a3U7:OiatALwV9iFlTK4xBl2WNc0aS+Dc0aE

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002425d-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe

Executes dropped EXE 2 IoCs

pid	Process
1800	system32ALJV.exe
3260	system32ALJV.exe

Loads dropped DLL 7 IoCs

pid	Process
3780	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
1800	system32ALJV.exe
1800	system32ALJV.exe
1800	system32ALJV.exe
3260	system32ALJV.exe
3260	system32ALJV.exe
3260	system32ALJV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32ALJV Agent = "C:\\Windows\\system32ALJV.exe"	system32ALJV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32ALJV.007	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
File created	C:\Windows\system32ALJV.exe	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
File created	C:\Windows\system32AKV.exe	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
File created	C:\Windows\system32ALJV.001	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
File created	C:\Windows\system32ALJV.006	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32ALJV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32ALJV.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1800	system32ALJV.exe
Token: SeIncBasePriorityPrivilege	1800	system32ALJV.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1800	system32ALJV.exe
1800	system32ALJV.exe
1800	system32ALJV.exe
1800	system32ALJV.exe
1800	system32ALJV.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 1800	3780	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe	87
PID 3780 wrote to memory of 1800	3780	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe	87
PID 3780 wrote to memory of 1800	3780	JaffaCakes118_b406c31d83723140d615063dbfde3663.exe	87
PID 4052 wrote to memory of 3260	4052	cmd.exe	91
PID 4052 wrote to memory of 3260	4052	cmd.exe	91
PID 4052 wrote to memory of 3260	4052	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b406c31d83723140d615063dbfde3663.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b406c31d83723140d615063dbfde3663.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\system32ALJV.exe
  "C:\Windows\system32ALJV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32ALJV.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\system32ALJV.exe
  C:\Windows\system32ALJV.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3260

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8685.tmp

Filesize
4KB

MD5
08c0e7cb9f56d7a8f6acfd2268ea7142

SHA1
e885ffa0db9b4dd38e547135eb5446cc89fe6865

SHA256
fe9304a2f41e446e3672a26b338cde680d34fd07b0c5a6866ef108366ed92eb9

SHA512
6325410c99d703b3181c4eb4d9cbcdf1d8e08cc57a8ef7c8334e5be02b2499997829a3d6fd708dd83541efd1712330c5163daffe68a09aa2863cc76d5cbdccf9

Download Submit
C:\Windows\system32ALJV.001

Filesize
526B

MD5
d607b4ffe88cbedd2b4d40779ff4c640

SHA1
b2bef593e9adea79fd1ba0b8dfe0be9f79502d44

SHA256
5f95c1cd9e53b448ea50460f4590dace149f18f03df916922be5ed63f9d706df

SHA512
7b0a6e86289174fe295f045fc6a2b07bbbed9c112a3f878664878fb7ddfb30877462a13ea17c35c08e836071f776166af05ba260a19c06ed360b34ad2aebc7b7

Download Submit
C:\Windows\system32ALJV.006

Filesize
7KB

MD5
840a1ae793d07aed4585781697178bc1

SHA1
5d42f9763e32c1dced9cdd14144926c43044d6ad

SHA256
af73b0a6c98eec78e121cb1fed4ee4b5df052833242179cdeec04c75b6df2cfc

SHA512
078ddc10ebccd4c108e52555ae7aeb644aadfc006dbc2aa1aad319b6e9bd35b779fee9e3d063c22f48a7e082e1a01e1f70ab11f8c26827750b13a1c8cb636689

Download Submit
C:\Windows\system32ALJV.007

Filesize
5KB

MD5
530d177fa3d66ca092ecbdb4eb02a0d9

SHA1
868a3c3fa51df0fe5ffbba3aeeca20aa23da0fc4

SHA256
037e9a3e82e1a8902d8220c82650e52f549d6acc490ff30481a497130b7208f2

SHA512
44d84513aaab0eb5f2c0c9be64cc78beb8caf0ddf6039fe726d39834d19d4c1084cec1611b565529920d4edf4d432dba6e67a01d94a845b7fd083dd284545002

Download Submit
C:\Windows\system32ALJV.exe

Filesize
471KB

MD5
040be8249f1b7b90730867c398e40568

SHA1
d6908d242bed9d7d04dcf98c7e46571121f0b7f1

SHA256
84ce204e2d8ef6cc519fbabf8356999de06af6250ca4a170ecfb776952d855ca

SHA512
3c63436c6412f127a2ca64891af185678cde71846c52331ae4dda03b1313392ba3655699305d6ce05723d50aec0e4d227616536592bb5a23449e1eaddba94516

Download Submit
memory/1800-19-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1800-31-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads