ardamax | d63de465624796397a0aa147400f7e12c2ab0d5edca384cbd9b424c8b0a02e16

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe
Size

2.1MB
MD5

f141189e5399f7017ddccb9819399d6d
SHA1

895b3e076487b92d550de926b147b19474d55ea8
SHA256

d63de465624796397a0aa147400f7e12c2ab0d5edca384cbd9b424c8b0a02e16
SHA512

f5e2bd12688d83e4ed0d377548022a088fc5dae6b29f2888c0155dc62b310f2f628eaacf5e2c1bc0413f1c93ec23083ef62286fa2b5ba9af83b12810470d04a0
SSDEEP

49152:SY3jbmFa55o8HIxSm7+JWrERE/67pBDvo:SYzaFiH6Su+Jf66jA

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Executes dropped EXE 1 IoCs

pid	Process
2536	MRP.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe
2536	MRP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MRP Start = "C:\\ProgramData\\XERULY\\MRP.exe"	MRP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2536	MRP.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2536	MRP.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	MRP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2536	MRP.exe
2536	MRP.exe
2536	MRP.exe
2536	MRP.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2536	1624	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe	28
PID 1624 wrote to memory of 2536	1624	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe	28
PID 1624 wrote to memory of 2536	1624	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe	28
PID 1624 wrote to memory of 2536	1624	f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe	28
PID 2536 wrote to memory of 2144	2536	MRP.exe	31
PID 2536 wrote to memory of 2144	2536	MRP.exe	31
PID 2536 wrote to memory of 2144	2536	MRP.exe	31
PID 2536 wrote to memory of 2144	2536	MRP.exe	31

C:\Users\Admin\AppData\Local\Temp\f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f141189e5399f7017ddccb9819399d6d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\ProgramData\XERULY\MRP.exe
  "C:\ProgramData\XERULY\MRP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~3\XERULY\MRP.exe > nul
    3⤵
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XERULY\MRP.00

Filesize
2KB

MD5
314b674c28b9b5647c98e4676c8738fc

SHA1
9f7247a2ae75b1e53eb3cfde78606ffb8f92bc9a

SHA256
c78544e5e75d837221b6594884979509ad53c2b024d01eaa7177f128972107d2

SHA512
00e720b42b7a6cc5097ce03dbc94d20bddcb037ba556c3d1508a8185f6b477842c8c91b1fd300125e8094c7561d1ea3eda63bf2ebcd782789323733513dc772f

Download Submit
C:\ProgramData\XERULY\MRP.01

Filesize
79KB

MD5
c3fd0cd65ed63f682a5bf98aa90e774f

SHA1
90da7bb0256b0b1c9130078f91996c8e768522ea

SHA256
d5dd6bf3f86b7bc87241eac5d5a937d2dd4bb2dd0e6238a6fab4f54d16f6ba95

SHA512
9b7ddae51ef758b350c4d137341f366f23378e290267eae3f6fded0a63c61c97d27f3ba1fb2555bc4648d1442ba157abbc3d15a2d30a75cb809850497497e6e5

Download Submit
\ProgramData\XERULY\MRP.exe

Filesize
2.6MB

MD5
2bafb32eee4371dfea195eac8e1cb926

SHA1
15fba7eb3a98790778be5d238c37dfbe5c6b93b7

SHA256
6dc4e4712ec2b46c0400a69887fa195757050c415931a622a18bbd4fad8c2f30

SHA512
bf34a316d96d5cf20688716aba67180d87faed27eb5e2fac1822e86e88a8eb3bdbf4367513cf4417fd8d1acd1b8e421043675f0a6da7e5c9a6f027ad03e5a6c9

Download Submit
memory/2536-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2536-13-0x0000000001F20000-0x0000000001F39000-memory.dmp

Filesize
100KB

Download
memory/2536-14-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download