ardamax | 4b70fc62fdc106932e6bf2bba83284c8430e3b6692420b77d0f83f033ae88e8e

General

Target

0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
Size

1.1MB
MD5

0a76ae1d64e79b9d9d19e065be04ffca
SHA1

ab2544b157e992053157d1c8cbd530df63f74574
SHA256

4b70fc62fdc106932e6bf2bba83284c8430e3b6692420b77d0f83f033ae88e8e
SHA512

699e47477dd0126746bf1c379faac597fac7b42d2b51ae401a080e465de1f2fc1a84b9c4b6ab194280e8fb24cc425ab35543c56e8faeac8c3e7ec2de31965395
SSDEEP

24576:ck/ATeXYiAFAQ50dZ+D8rSScaH36SCVzCObhQUu1OaF6UJport:FoTEpffcR9CMhu1Z6C6

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014239-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2688	XWI.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
2688	XWI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XWI Start = "C:\\Windows\\SysWOW64\\GANSOJ\\XWI.exe"	XWI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GANSOJ\XWI.001	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GANSOJ\XWI.002	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GANSOJ\AKV.exe	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GANSOJ\XWI.exe	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GANSOJ\	XWI.exe
File created	C:\Windows\SysWOW64\GANSOJ\XWI.004	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2688	XWI.exe
Token: SeIncBasePriorityPrivilege	2688	XWI.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2688	XWI.exe
2688	XWI.exe
2688	XWI.exe
2688	XWI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2688	2448	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe	28
PID 2448 wrote to memory of 2688	2448	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe	28
PID 2448 wrote to memory of 2688	2448	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe	28
PID 2448 wrote to memory of 2688	2448	0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a76ae1d64e79b9d9d19e065be04ffca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\GANSOJ\XWI.exe
  "C:\Windows\system32\GANSOJ\XWI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GANSOJ\AKV.exe

Filesize
463KB

MD5
5e5779ae5ae80c6c63c314fb4ae4f937

SHA1
90482bd8fcb2aeea505c33763c8c1e60f5b24c08

SHA256
c1ab672486b01d8f1cb79f4edb631ce6752febaedb83ee3a8f0260b4359b1d3b

SHA512
d132cda0e75052d4bff46dc72828191fed22745b193c743c4f298273589610cf227aa8ff88831763b1815689c79c4b363b56d72a31250da38c7a8933588b0855

Download Submit
C:\Windows\SysWOW64\GANSOJ\XWI.001

Filesize
61KB

MD5
531e64a4fe6c3ca60a609d1ee60d5ef5

SHA1
618d2ad5cc0d74a9a66946791544540c62ca9317

SHA256
89e94f28792d0de2fbb74eb5a2368b30db5e154f6845a1778e2cdf81ce1fb501

SHA512
5bf245d3371fcb90401ff5fa735b7e1f2672c9efa90c8917dcbe9164bd49adf43855017db7b14fb51da045362b8d38a293c91ce21825721726f173419336c9ce

Download Submit
C:\Windows\SysWOW64\GANSOJ\XWI.002

Filesize
43KB

MD5
b42f6052ceed5cce1bcaf3ecfcf65ece

SHA1
121e9a32af559261ec7485f8923463beea618e89

SHA256
8969214d0824806ae4af98abed05b38a80b9f04390f1b5b81e5351cebc5e6984

SHA512
c8907c30535e6bb68ff3175adf97180f01fb6a50b9c65ee4f58f19f17908e348480225b8d7a25d9bff42b29b6dea059480d124ec3ade5346053e26f2597c5175

Download Submit
C:\Windows\SysWOW64\GANSOJ\XWI.004

Filesize
1KB

MD5
0ead3873825dff6f90c132331103369f

SHA1
1931852a5dd6868d1d1041ab2c6051b0350296cd

SHA256
08ee325adaecc1e457eebdf38ec2edf9a0ba4f83a9f3f4e545ed2de113ccef12

SHA512
1149072b4ba57fd21a0cc939890323d8d734b31d2778fc5f5580afd76420932aea4fd58aa3c91ddb72ff4de2db7061f62fd271968e20c51b8bd75deff15109d2

Download Submit
\Windows\SysWOW64\GANSOJ\XWI.exe

Filesize
1.5MB

MD5
7c66e42411616c20e365cf927e0501b0

SHA1
ad749fa5974ad5480caff11d9c412f7321da84c7

SHA256
ada5a9d3b0947cc3dbab16da7e8737d5a21fc3decbc413f31fe808b065bca5c3

SHA512
04e55da475e1e933527f3320a18fcd2ff47cd19f960a071a1b9b14e710a9caf9d7f9e8a9404719aab4ff32c323d56b9e7eba700b9cd01af25afca6b4023e37cf

Download Submit
memory/2688-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2688-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads