ardamax | 95d350a65ba24015a4670d1de663d8d96cbb2ae5645c37f969ebd6bfc7e74ae9

General

Target

JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
Size

1.3MB
MD5

b7accc8156cd14696a6dc68f6bed14b1
SHA1

81214bddc3a2698a1d928082ea909795cba614f6
SHA256

95d350a65ba24015a4670d1de663d8d96cbb2ae5645c37f969ebd6bfc7e74ae9
SHA512

0983e19dbfc09a2b2dc046e6556935a7deaaaff1b48a534c20b0c65e1fe01ea02cad693f89738db42c3b9866a3e5115eec953c719797e242a9ef65a4549a4239
SSDEEP

24576:Mwl0LNbsgyk+x64Ehekzb/OvAyrx4KNR/vQFQh1OMYozV8aQb/tm75gH6:MwliPj4EheoOj/vQFQ7YoB8JFm9ga

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000c000000024138-16.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe

Executes dropped EXE 2 IoCs

pid	Process
4764	WYB.exe
5652	WYB.exe

Loads dropped DLL 3 IoCs

pid	Process
4764	WYB.exe
2984	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
5652	WYB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WYB Start = "C:\\Windows\\SysWOW64\\TWISWT\\WYB.exe"	WYB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TWISWT\WYB.002	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
File created	C:\Windows\SysWOW64\TWISWT\AKV.exe	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
File created	C:\Windows\SysWOW64\TWISWT\WYB.exe	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
File opened for modification	C:\Windows\SysWOW64\TWISWT\	WYB.exe
File created	C:\Windows\SysWOW64\TWISWT\WYB.004	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
File created	C:\Windows\SysWOW64\TWISWT\WYB.001	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WYB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WYB.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4764	WYB.exe
Token: SeIncBasePriorityPrivilege	4764	WYB.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
4764	WYB.exe
4764	WYB.exe
4764	WYB.exe
4764	WYB.exe
1584	OpenWith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 1652 wrote to memory of 2984	1652	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	91
PID 2984 wrote to memory of 4764	2984	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	94
PID 2984 wrote to memory of 4764	2984	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	94
PID 2984 wrote to memory of 4764	2984	JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe	94
PID 4656 wrote to memory of 5652	4656	cmd.exe	98
PID 4656 wrote to memory of 5652	4656	cmd.exe	98
PID 4656 wrote to memory of 5652	4656	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7accc8156cd14696a6dc68f6bed14b1.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\TWISWT\WYB.exe
    "C:\Windows\system32\TWISWT\WYB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\TWISWT\WYB.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\TWISWT\WYB.exe
  C:\Windows\SysWOW64\TWISWT\WYB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5652

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TWISWT\AKV.exe

Filesize
449KB

MD5
c9c6aba587fe42be25665749af41b886

SHA1
00a21ba1606bfdc82d28f6446098e7f449c25380

SHA256
ca69b6956a1d6008375b891f38325dce4ce53714eac11d6813ccf3c966b77256

SHA512
30bac4fd9675b08da828b54a479d83f2878acbb6c6a04d6d5a4b51a9932193ad82a2a8dde801549f915d821b3c43ec785a436de8cebd0f3e502c352d85919533

Download Submit
C:\Windows\SysWOW64\TWISWT\WYB.001

Filesize
61KB

MD5
95b07437917e9503258bb0be7ed990c9

SHA1
33ac620bc8ce3e81003f0ed8b2d86bbb78b0627a

SHA256
d2d7d89210612058fc0e25c006741b43470abe49e0cc6814ad74167e0360b082

SHA512
0f416247527c4c111a173aead637f69ca834d6839edb3cd4b5ea51341b968c6d33ac95e7c0efcca50ae600a45c4c87fd73d975dbb976300c8c6e9c8022df4916

Download Submit
C:\Windows\SysWOW64\TWISWT\WYB.002

Filesize
43KB

MD5
67d88bedc71d3d792be6670c1ef430f3

SHA1
b17be4fbdab99d43947eebf89a571c54dff378ee

SHA256
9854dc77f77358bdb1cdb66eaccb30c5ab7d0012628753a177018577e493ea85

SHA512
891e09ac0b7c2f996fd4c2349bcd15f7aee21f9e0c5ba19a5ca3b6783190d9bcd6890544ecc77faeb129ebffec23f2c951ffd5b68d61c2841754c7e5189276ae

Download Submit
C:\Windows\SysWOW64\TWISWT\WYB.004

Filesize
658B

MD5
a113a06996b79d17e779d27a0c20ea74

SHA1
76b75b4b754518dc1dbcde5698988fd4d2889153

SHA256
f548f255197a03ca8df2c157efd0f2a642bfcdc0b2537b67a534567d1151705a

SHA512
1daeed24983d20088d4742b110c160d289246a3556ced4c1fa606c7ae891443dc8f409d8c666f3316cebb950833cb0a380d7396fd4e6b2d448bdae9ebe7cc62c

Download Submit
C:\Windows\SysWOW64\TWISWT\WYB.exe

Filesize
1.4MB

MD5
0df9e23abc4065b8bb5d05dfbd763846

SHA1
4009325028ba008fe8c8cc45f58964a7b88aab26

SHA256
bae7e866a2a189073427edbaf6f0e1576b439356c6216a717452039f63b3b35b

SHA512
38ec2de32b0965a6596f1f43e7baafa2567600a123d5e59b5018aec10b0cc9f34e326bb48aeba4bb7ad07f352e8ba244da46212ba4256c9b99fa5c1ba25fe814

Download Submit
memory/1652-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1652-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2984-4-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2984-10-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2984-5-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2984-3-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2984-29-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4764-26-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/4764-33-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads