ardamax | 969429401a7dfa0eaae80438f340ca74060c60076144937291ebe9a1a0cdef53

General

Target

JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
Size

534KB
MD5

bd7d3c280ad0ef7f34dd3828e72b00d4
SHA1

626bc847a865666c23f0d2da004be5ae52e1d573
SHA256

969429401a7dfa0eaae80438f340ca74060c60076144937291ebe9a1a0cdef53
SHA512

8dc4211d09ec26e807cde4a63834f0c0b91131b244cab2bec0999e8478516e7e8ffab2f84e11b73436df100cc12910f9fd3969459b62acd48d60c59d5ccaf774
SSDEEP

12288:oIE7Ix3qDYI+XzREE5c278iTG6jvU8BKnN685lwtC:z3qQXzR1780G6J4nN685lwtC

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024231-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe

Executes dropped EXE 3 IoCs

pid	Process
2024	IPUF.exe
5528	Patch09c.exe
5492	IPUF.exe

Loads dropped DLL 9 IoCs

pid	Process
1976	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
5528	Patch09c.exe
2024	IPUF.exe
2024	IPUF.exe
2024	IPUF.exe
5528	Patch09c.exe
5528	Patch09c.exe
5528	Patch09c.exe
5528	Patch09c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IPUF Agent = "C:\\Windows\\SysWOW64\\Sys\\IPUF.exe"	IPUF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BASSMOD.dll	Patch09c.exe
File opened for modification	C:\Windows\SysWOW64\Sys	IPUF.exe
File created	C:\Windows\SysWOW64\Sys\IPUF.001	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
File created	C:\Windows\SysWOW64\Sys\IPUF.006	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
File created	C:\Windows\SysWOW64\Sys\IPUF.007	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
File created	C:\Windows\SysWOW64\Sys\IPUF.exe	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024233-21.dat	upx
behavioral1/memory/5528-27-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/5528-45-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/5528-46-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patch09c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IPUF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IPUF.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	5920	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5920	AUDIODG.EXE
Token: 33	2024	IPUF.exe
Token: SeIncBasePriorityPrivilege	2024	IPUF.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2024	IPUF.exe
2024	IPUF.exe
2024	IPUF.exe
2024	IPUF.exe
2024	IPUF.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2024	1976	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe	86
PID 1976 wrote to memory of 2024	1976	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe	86
PID 1976 wrote to memory of 2024	1976	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe	86
PID 1976 wrote to memory of 5528	1976	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe	87
PID 1976 wrote to memory of 5528	1976	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe	87
PID 1976 wrote to memory of 5528	1976	JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe	87
PID 5828 wrote to memory of 5492	5828	cmd.exe	92
PID 5828 wrote to memory of 5492	5828	cmd.exe	92
PID 5828 wrote to memory of 5492	5828	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd7d3c280ad0ef7f34dd3828e72b00d4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Sys\IPUF.exe
  "C:\Windows\system32\Sys\IPUF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\Patch09c.exe
  "C:\Users\Admin\AppData\Local\Temp\Patch09c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Sys\IPUF.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5828
- C:\Windows\SysWOW64\Sys\IPUF.exe
  C:\Windows\SysWOW64\Sys\IPUF.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5920

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9E34.tmp

Filesize
4KB

MD5
730e7e458c7770fd80947b6ce9f7109a

SHA1
ef07be19ec55590ffce101951d12e7c6c5b7aaca

SHA256
70033d7c8520fb53a247b355559c3a156e22719e52cf55102edbbcfabc5ad096

SHA512
12f141144761e880af6567048036c7c482e6306158454f4c3a7821c1a5f5526771e3c473ddcc9cbe0860d4e61a5d5f092a59567222d0a995cdd1aeda5667a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patch09c.exe

Filesize
57KB

MD5
180751cebbcefeafa80976033e077367

SHA1
f08e27c40e28cca5ce6bed6d59045e8e551a9905

SHA256
6a062798c39dd29322e215c593b2dc6b07db9ee152ec2e705dc105a4e5594065

SHA512
21a0565bfb2950a6cff3c597a709408455ae8cbbc96ab1eaad4c0a467759b01fee47137bd364722d3ee33a70e582f2b0294d362b9a1d8ab9876a28c4e6f9dacd

Download Submit
C:\Windows\SysWOW64\BASSMOD.dll

Filesize
15KB

MD5
048c336274723710201a3ab5ce7af260

SHA1
c72d1d72b9cc49e11fa3d2cd3d9366bc9be19277

SHA256
454deb7962edbeb3260decec8b51a8c2febb9226ebaf627859c02f455af5bcd3

SHA512
acd01168b04dd528f583239cc9b2ddf6411a74da0da8e4ab332a8d03cd32381cbf8931e13e027f4a69c0a1a4abe8472f163d33f03b22b76df7d2ef66ad9c7c95

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
390KB

MD5
5255e3bd1037d42bbba2365412623a3b

SHA1
b473061ee152172ba5e33cae18f55774467a070f

SHA256
8e7e780b484bf5a5edce3dbdee2374ace11214b122560146b5859d8359c93655

SHA512
86af1d593b480622dcb4835d5f10045452eb20a01a04eba13734fd5bfec2515321072747c8fd4c95714022058e891f7cd55efee00b95d7e51c845aaabf4a793e

Download Submit
C:\Windows\SysWOW64\Sys\IPUF.001

Filesize
422B

MD5
77f1742aee4a12bac61003faf8dc684b

SHA1
21e0273eda131753cc07e175bea9d80385c3a697

SHA256
573c4653551a6c6e241800347dac07d661d2050911f48fa6cb4e053239bfcdeb

SHA512
a624fcf4b19bd56ffd5f2e72331e7a135524a9156c1fed403debf1a072b490a81a7d87d079dc59a4ee37b195c20ef6b5f7535531966e0d6e75fcb55d5d8ae24d

Download Submit
C:\Windows\SysWOW64\Sys\IPUF.006

Filesize
7KB

MD5
385d77949ecf6cfdb4f3d15bf29dfbe4

SHA1
09bd106320e68a5a14aeb2a34e4f0a6a627c0d36

SHA256
39659a7497354c9329be266683ae28be650b7639bca1def42af5d351e265762c

SHA512
b9baea0afb78944080598fc11c5f6c76b3adde37838f4fe3c9371fb9508fea03b7ec6775e9fdc65f39a94103cb061970ea8c51ded113701eede00d4a2fda0db9

Download Submit
C:\Windows\SysWOW64\Sys\IPUF.007

Filesize
5KB

MD5
f50daad1c62b3af9daceddc982d3a28c

SHA1
8519625cc16fac60381ea27b3339e62cef15c629

SHA256
246af3478a40b10bb54bbfb2aab8fb9965e702836f049dd9db714da8873b42d5

SHA512
8451a35d6a037f0224f292baf151e1c367df394bdca0c7c4c90f43c6b275f1f8173af1bf1791005398ca36678b76df3e8e49f51438f9deec86a529a9c81925fc

Download Submit
C:\Windows\SysWOW64\Sys\IPUF.exe

Filesize
476KB

MD5
b22ecd38fb2828478a5ff60e7a255e16

SHA1
078d9e7d975a2769e8c2ad40279e265eff89b033

SHA256
c2280b3b99486452228dd51dbd61db2afeb98d3cc5e8e48c5fb314c5af1a913a

SHA512
336de2a0a9975a254dad2e87b3c5388e6fd5560fd5d47d0f4f882f216a4e23dc3d8cb894161587d6a1d0d8845fce92589afc41a6db7947de81ffd023764762cd

Download Submit
memory/2024-32-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2024-47-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/5528-27-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5528-45-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5528-46-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads