ardamax | 850c3c57df93d7181d62330050ec51881e95c6dfddca0e65cbd98409c6933f4f

General

Target

02def8406306f175c3244c679916e7a1_JaffaCakes118.exe
Size

3.1MB
MD5

02def8406306f175c3244c679916e7a1
SHA1

4513f4c91b789678aaf2c6c75e8ec23852ad63f1
SHA256

850c3c57df93d7181d62330050ec51881e95c6dfddca0e65cbd98409c6933f4f
SHA512

07d20607688d02a8294265b7bc3ddb317b873717d9ba4b56ba8959a4d06f58cc069977c2f0d0c646be1aa0cd2b9911aab1fa6e1c5a38cccf173d3f73e62e91a0
SSDEEP

98304:B1P6QjGxqQrgP12Ao6bbpiWbGTypAHmqr:vvGLrq+GggGTnX

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016411-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1648	VGQ.exe

Loads dropped DLL 3 IoCs

pid	Process
1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe
1648	VGQ.exe
1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VGQ Start = "C:\\Windows\\SysWOW64\\PXEMDC\\VGQ.exe"	VGQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PXEMDC\VGQ.002	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PXEMDC\AKV.exe	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PXEMDC\VGQ.exe	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PXEMDC\	VGQ.exe
File created	C:\Windows\SysWOW64\PXEMDC\VGQ.004	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PXEMDC\VGQ.001	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1648	VGQ.exe
Token: SeIncBasePriorityPrivilege	1648	VGQ.exe
Token: SeRestorePrivilege	2656	7zFM.exe
Token: 35	2656	7zFM.exe
Token: SeIncBasePriorityPrivilege	1648	VGQ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1648	VGQ.exe
1648	VGQ.exe
1648	VGQ.exe
1648	VGQ.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1648	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	28
PID 1312 wrote to memory of 1648	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	28
PID 1312 wrote to memory of 1648	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	28
PID 1312 wrote to memory of 1648	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	28
PID 1312 wrote to memory of 2656	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	29
PID 1312 wrote to memory of 2656	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	29
PID 1312 wrote to memory of 2656	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	29
PID 1312 wrote to memory of 2656	1312	02def8406306f175c3244c679916e7a1_JaffaCakes118.exe	29
PID 1648 wrote to memory of 2180	1648	VGQ.exe	32
PID 1648 wrote to memory of 2180	1648	VGQ.exe	32
PID 1648 wrote to memory of 2180	1648	VGQ.exe	32
PID 1648 wrote to memory of 2180	1648	VGQ.exe	32

C:\Users\Admin\AppData\Local\Temp\02def8406306f175c3244c679916e7a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02def8406306f175c3244c679916e7a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\PXEMDC\VGQ.exe
  "C:\Windows\system32\PXEMDC\VGQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\PXEMDC\VGQ.exe > nul
    3⤵
    PID:2180
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\l2phx.3.5.33.166.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\l2phx.3.5.33.166.rar

Filesize
2.1MB

MD5
1d37c631a4405f1c2d449a4f4a2af8e6

SHA1
f6ed0e71eaf309a822312eb77ad3e62890a62fe7

SHA256
9a31f28dad93448096162459473ff8744188c1e673e670fc62fc689fb4025ad4

SHA512
2f56e1ed22c9fc7cc809338536d5b6cdca6ff6f4cab21a2e91dc02f34caf9f588ebf6e245266f2ed501485cb1a66677179857eb73674498881a37d8d3e758336

Download Submit
C:\Windows\SysWOW64\PXEMDC\AKV.exe

Filesize
463KB

MD5
eb916da4abe4ff314662089013c8f832

SHA1
1e7e611cc6922a2851bcf135806ab51cdb499efa

SHA256
96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

SHA512
d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

Download Submit
C:\Windows\SysWOW64\PXEMDC\VGQ.001

Filesize
61KB

MD5
425ff37c76030ca0eb60321eedd4afdd

SHA1
7dde5e9ce5c4057d3db149f323fa43ed29d90e09

SHA256
70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

SHA512
ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

Download Submit
C:\Windows\SysWOW64\PXEMDC\VGQ.002

Filesize
43KB

MD5
12fb4f589942682a478b7c7881dfcba2

SHA1
a3d490c6cda965708a1ff6a0dc4e88037e0d6336

SHA256
4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

SHA512
dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

Download Submit
C:\Windows\SysWOW64\PXEMDC\VGQ.004

Filesize
1KB

MD5
86eee1573ca72c6678ce86bc0688d403

SHA1
b13637623edb01cc6837513ecfa170409bc1e6e4

SHA256
2a848811a1769db02e9e11dc60809c19d017dd4a54d714ddcc77532f9474bf57

SHA512
bd91d345ca3badbe8c6e154b85d50b33f45d1712f02904323e8c4aaa61e6e399904e889457159f8ba6aa084eefe7752f13ba30426edf4c24202ce22e4660197b

Download Submit
\Windows\SysWOW64\PXEMDC\VGQ.exe

Filesize
1.5MB

MD5
f8530f0dfe90c7c1e20239b0a7643041

SHA1
3e0208ab84b8444a69c8d62ad0b81c4186395802

SHA256
734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

SHA512
5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

Download Submit
memory/1648-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-20-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads