ardamax | 3c7ead5c94a2d6945e2b780520c1dc74cfc657e4226f05ee6a7ff60917ee973b

General

Target

edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
Size

4.1MB
MD5

edd117ef838fab200dca687b64390c2e
SHA1

c1e5500ea62222ac0d9f2777dcde754c753ca96e
SHA256

3c7ead5c94a2d6945e2b780520c1dc74cfc657e4226f05ee6a7ff60917ee973b
SHA512

9f198d3b509dcfb60d0dddef0826a222d69907a47beaafe73cf6d69d424a0f8ed9cb86f2d430d25e9003dca3ccf6639c8c81fcc60a1ee79936260fc95afefdd8
SSDEEP

98304:n603aLE0sjelIAZgxTvqxbUjh4jqMHk/LFBhc4eFHJnXrJV/gH:nDa4djMIAeTiKjhulEi4ejrJV/g

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015c73-5.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1480	RPD.exe
2552	dll_308.exe

Loads dropped DLL 8 IoCs

pid	Process
2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
1480	RPD.exe
2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
2552	dll_308.exe
2552	dll_308.exe
2552	dll_308.exe
2552	dll_308.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RPD Start = "C:\\Windows\\SysWOW64\\VFQCXX\\RPD.exe"	RPD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\VFQCXX\RPD.004	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VFQCXX\RPD.001	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VFQCXX\RPD.002	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VFQCXX\RPD.exe	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\VFQCXX\	RPD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1480	RPD.exe
Token: SeIncBasePriorityPrivilege	1480	RPD.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1480	RPD.exe
1480	RPD.exe
1480	RPD.exe
1480	RPD.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1480	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1480	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1480	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	28
PID 2512 wrote to memory of 1480	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	28
PID 2512 wrote to memory of 2552	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2552	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2552	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2552	2512	edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edd117ef838fab200dca687b64390c2e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\VFQCXX\RPD.exe
  "C:\Windows\system32\VFQCXX\RPD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\dll_308.exe
  "C:\Users\Admin\AppData\Local\Temp\dll_308.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\VFQCXX\RPD.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
C:\Windows\SysWOW64\VFQCXX\RPD.002

Filesize
43KB

MD5
93df156c4bd9d7341f4c4a4847616a69

SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1

SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

Download Submit
C:\Windows\SysWOW64\VFQCXX\RPD.004

Filesize
1KB

MD5
bbd6b674edf81f69cb9091fabf7b9e64

SHA1
a08f4c4ee5403c07355ad3da184293cebf55d4a0

SHA256
13cd04d6de10ebc36f97f838d25e29dd5f9c804d822f12fbeb40ea3186616e9d

SHA512
761bee536f3dffbbc8e45f559aae9e3fe96154908486cfc136d70f05da799f80a6046aa932f855a6d7ad753372603f2870fa93f86ee365cda752d4a51bc2132b

Download Submit
\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bcompiler.dll

Filesize
46KB

MD5
a44bca08e8ed65e636f8b68960b8d7ea

SHA1
1803024e3e62f51d474e832b67d2d8ec167b96de

SHA256
26bb0541924fd7f96c22df5b4f7b8cabd88ea440dd19ddefb4e2754f17eb0df4

SHA512
c83a5c4b5f38767e74b67b81f83635459e9165e4bc6574c53e77e57cfb1107aa435172375e8eee44e7fce2b50ec8f108dc8d609bad332798740de7cb6cf51e4c

Download Submit
\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bz2.dll

Filesize
68KB

MD5
2f8bc6c1741bc86ee012f444c56d192e

SHA1
c4840d4d39dd8fafe4248ab96082860a0db02f6f

SHA256
ec6f6310e3a08ad80ea159c336e93cc024dae223a5bd4b08ae2e0351941aec07

SHA512
6a8e415f5d14f56a29541d50f7277f66222f4f1374fdb1f1892ce51dbc29e5ef766552518a2c78b8ae0bb5820b6eb3330b2dc9595f80b78ef6131de069a8c76e

Download Submit
\Users\Admin\AppData\Local\Temp\PSE11\php\php5ts.dll

Filesize
4.6MB

MD5
5483bd2f68e4be087be99e938c4de8fc

SHA1
e5e56d93b69197f11f87d8dd3e84a9697b4ced29

SHA256
e452640009a12c3a666a425515953ebd3ca29a9064ed616671d722d31f9d2dfd

SHA512
3619d7f95d48c0840439d59a81bf3e6050f445e0158527aa24d98702f5cd6a67298947e999d23cfba80b0d279afae81eddc75d24a455bc484f7b3586482b2bb2

Download Submit
\Users\Admin\AppData\Local\Temp\dll_308.exe

Filesize
6.5MB

MD5
f7b757e71a97d8f584c094813adf77b7

SHA1
7d8159f03d9eb24906d79ec216e8a2c0d25006c5

SHA256
8025071f40344b85ada40556375e09dca10ab4a0979b4cc0a544e17dbe8d6d55

SHA512
f64efa71295e5d4959c022d856b6c4681ffbc2410f3738277a30dc7af7e17907b499ad92a2c25fd7384cd86eb1a631f98c0627f5d7d2b35b695fdad1a1deaba8

Download Submit
\Windows\SysWOW64\VFQCXX\RPD.exe

Filesize
1.7MB

MD5
3cd29c0df98a7aeb69a9692843ca3edb

SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2

SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

Download Submit
memory/1480-14-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1480-44-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2552-30-0x0000000003030000-0x000000000350C000-memory.dmp

Filesize
4.9MB

Download
memory/2552-35-0x0000000000280000-0x000000000028F000-memory.dmp

Filesize
60KB

Download
memory/2552-37-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2552-32-0x0000000003030000-0x000000000350C000-memory.dmp

Filesize
4.9MB

Download
memory/2552-39-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2552-43-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2552-23-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2552-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2552-47-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads