ardamax | ec3f2b91f627bde9fabe473a295dc7241fd65fe534534846aba2aaacb0f19ef1

General

Target

JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe
Size

949KB
MD5

be0f4d73e879f9dd75eca20a8cc3e554
SHA1

58987e6986573513514a3455f505debbd71d915d
SHA256

ec3f2b91f627bde9fabe473a295dc7241fd65fe534534846aba2aaacb0f19ef1
SHA512

10068b3c35176f9f73f1f012964045a1cc5b79824a18affc436a2bd949fe1dc5b5b171c9fee87642f29ff9d9b17be310783976b957ef99def9de773bcd7e0f5e
SSDEEP

24576:lY/PalRV4QKzaWBwR/peQutHb4kMGBzU3E/yUez:+qz2zjaRijBU0/4

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000241ad-22.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	Le!Tj0 CoDeR.exe

Executes dropped EXE 3 IoCs

pid	Process
5340	Le!Tj0 CoDeR.exe
6132	GPEO.exe
4172	GPEO.exe

Loads dropped DLL 7 IoCs

pid	Process
5340	Le!Tj0 CoDeR.exe
6132	GPEO.exe
6132	GPEO.exe
6132	GPEO.exe
4172	GPEO.exe
4172	GPEO.exe
4172	GPEO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GPEO Agent = "C:\\Windows\\SysWOW64\\28463\\GPEO.exe"	GPEO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\GPEO.001	Le!Tj0 CoDeR.exe
File created	C:\Windows\SysWOW64\28463\GPEO.006	Le!Tj0 CoDeR.exe
File created	C:\Windows\SysWOW64\28463\GPEO.007	Le!Tj0 CoDeR.exe
File created	C:\Windows\SysWOW64\28463\GPEO.exe	Le!Tj0 CoDeR.exe
File opened for modification	C:\Windows\SysWOW64\28463	GPEO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GPEO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GPEO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Le!Tj0 CoDeR.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	6132	GPEO.exe
Token: SeIncBasePriorityPrivilege	6132	GPEO.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1552	JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe
6132	GPEO.exe
6132	GPEO.exe
6132	GPEO.exe
6132	GPEO.exe
6132	GPEO.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 5340	1552	JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe	85
PID 1552 wrote to memory of 5340	1552	JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe	85
PID 1552 wrote to memory of 5340	1552	JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe	85
PID 5340 wrote to memory of 6132	5340	Le!Tj0 CoDeR.exe	87
PID 5340 wrote to memory of 6132	5340	Le!Tj0 CoDeR.exe	87
PID 5340 wrote to memory of 6132	5340	Le!Tj0 CoDeR.exe	87
PID 5764 wrote to memory of 4172	5764	cmd.exe	90
PID 5764 wrote to memory of 4172	5764	cmd.exe	90
PID 5764 wrote to memory of 4172	5764	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be0f4d73e879f9dd75eca20a8cc3e554.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\Le!Tj0 CoDeR.exe
  "C:\Users\Admin\AppData\Local\Temp\Le!Tj0 CoDeR.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5340
- - C:\Windows\SysWOW64\28463\GPEO.exe
    "C:\Windows\system32\28463\GPEO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\28463\GPEO.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5764
- C:\Windows\SysWOW64\28463\GPEO.exe
  C:\Windows\SysWOW64\28463\GPEO.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4172

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@4AD4.tmp

Filesize
4KB

MD5
a55cbc0f0125b005ef369020b4c17806

SHA1
010af3e2e84b337e91f5e0c791b01e1d527211ce

SHA256
27cfe74936e4090aafbef07ee45725923f4b1243135e1e3a51e3385dbcd7b637

SHA512
88e5f7905c86d73bc5af028f20c8bf49f700307926c5b92814c245abe08e9c35841116d428ddbd7b957b47ccc8980684c12608b6818e4b6c1c8c0d27d54a07be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Le!Tj0 CoDeR.exe

Filesize
929KB

MD5
ed679369d1b8ac1f05ec3384f9740a5c

SHA1
f8987e76a3da118f7c43f935932cf76cf5b8d63a

SHA256
bafe121c4affc3f798af4bac3b6c74817c9fdccfe2d83c0c3d61ef9b505205c7

SHA512
30a0dbe5c515abe1d40c4eb1d24201dc6d215e40a64347f429881fa3f4f402d3a99949393b12690bc18efe8bdd790fd3a50951b8580305c715db1667fda36f8d

Download Submit
C:\Windows\SysWOW64\28463\GPEO.001

Filesize
384B

MD5
96de7d5eb76653d8b1db730a141e9993

SHA1
c1b8539edddf04d44770467b70ca83b937cce408

SHA256
dc41bb6ae3cf016c8ad8dd753d275e7b53d8cc52fcc36a06c7a03d2ac84d8173

SHA512
a798b71e096c414f2b75383167e87e4a14b1adde89565a0b287d53a507108052c3a836fb3c8c0c620fdcdffd6585668f4c44aec2743ce8735c416a6578a4419f

Download Submit
C:\Windows\SysWOW64\28463\GPEO.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\GPEO.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\GPEO.exe

Filesize
912KB

MD5
6768ba61744862704760b66ce8f8fdd4

SHA1
e86cbed8cf20c2a9c76219d0c434bc310ffb2392

SHA256
4cf4bf2b7d2bb4215e255e1f2b1238ad989f3c8a98ebfd5cb033bccf32fedaa0

SHA512
eadb56b633707724ef4f47f8b421b0f3b2afa5a9800fae030f81aefae483eed6b494da470278273f388c3ae346a33cbbfe742924d231dab1c9b42bbefaf95a61

Download Submit
memory/4172-40-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/6132-28-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/6132-32-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/6132-41-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/6132-42-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads