ardamax | b97151131b32023291c0eaf3a4edad375cae14e066ddb6a43585c1a5f25fb9c4

General

Target

55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe
Size

1.8MB
MD5

55b237fd1040c7dbb1b4ebccab44e4d8
SHA1

c8733ba8a7806aba1e58bb102a3af910ed3e3541
SHA256

b97151131b32023291c0eaf3a4edad375cae14e066ddb6a43585c1a5f25fb9c4
SHA512

86e12c936519211c145c6354792192b6ba8f5d978db964316b1e09e0b6331877c001c5a52b5787749948459524699b23ca9a454ee06a5c728f59105f776e44c6
SSDEEP

24576:aHvZT9oJb1EQTBqHr4aix0YLpQWdq/eSEyefbodWPhlg4mt5R2OXWF7a2CyBuM4j:aBT9yCQTBqHCpSWScoMU5Xiad2tAxjJ

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d82-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2928	DTT.exe

Loads dropped DLL 1 IoCs

pid	Process
2692	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DTT Start = "C:\\Windows\\SysWOW64\\PLLWTF\\DTT.exe"	DTT.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PLLWTF\DTT.004	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PLLWTF\DTT.001	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PLLWTF\DTT.002	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PLLWTF\AKV.exe	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PLLWTF\DTT.exe	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	DTT.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2928	2692	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2928	2692	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2928	2692	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2928	2692	55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55b237fd1040c7dbb1b4ebccab44e4d8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\PLLWTF\DTT.exe
  "C:\Windows\system32\PLLWTF\DTT.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PLLWTF\AKV.exe

Filesize
461KB

MD5
7e335c1258740a5798c2b3eea5a97229

SHA1
6ce1e98ddc05a4b9e772901c9bc6caae4103267f

SHA256
667ab5d791b89216a46f7dd3a1bcb9b7e5f235415a74a9678ca41cec051c462f

SHA512
8c190dd139f5459a91c81871f53fc080a81c6397c68cb5b0ee195571012cc8af923b10cd77301da1816f935d36a0587d1c75126f5553005a0f50eb22d3441cb4

Download Submit
C:\Windows\SysWOW64\PLLWTF\DTT.001

Filesize
61KB

MD5
9fca42b7fa3132ded471b886c4bf8a51

SHA1
86109ac13f8b63bd3467bbf05e39c5cf9bd11d26

SHA256
c519bcfc50245700b30cb417478b46810443b03a6447387dd1d0a13966ff00dd

SHA512
bbdd590e1bd2971fbc6a462f6501341c0808d658ba3407b051f9d299d9babf0632af092d64c6ad290d4ae5d9db8c367898a064bbea916c516c0a54066ad698ab

Download Submit
C:\Windows\SysWOW64\PLLWTF\DTT.002

Filesize
43KB

MD5
4c30b3e90b3da5619bc0d5f53c025135

SHA1
829f487b7c26f6cb8b7f211b2331abbc5229aa61

SHA256
b632cedab7ce3d19eebc0d31864dc8c38cd249dcbde299cda818f7026ec294cf

SHA512
fd0b36fb43c6b62f6d47455b392276d4e3710b204ef11c70cefed417740a4b5d9357ba37f612f3f87d539175af312ead05bc7a4360fe3e26fd43c56e856e6313

Download Submit
C:\Windows\SysWOW64\PLLWTF\DTT.004

Filesize
1KB

MD5
765c037e7a50953c52b91a7a82904cd8

SHA1
e19c8f31d2e4dd9cb7c21cebb000d3c7e8d74e61

SHA256
ff72b5928d48a2c4b3f19f72b8180326821e6abec88977617399d4e657f9768c

SHA512
be3fe6a2dedefcaabbd8e2404750792167e19b2e084526babdaf4e7c6b70dcf4249eaca129a2d7a636de5f68acc86d1547037b089f61b1a4d64b5719899ccd23

Download Submit
\Windows\SysWOW64\PLLWTF\DTT.exe

Filesize
1.5MB

MD5
9c28244f2dbe3a4758b532838b0040c9

SHA1
4b58bb4033d43ae64af6c18db48d5d25e23f6121

SHA256
cb770745d547a27a4b99fdbe27a672135f812b29d94fd2b843d06bb5aa1748aa

SHA512
24ed3d4c6aae307a0f1bb1f063b211152644b06d7425a5fe24b09f5f747dd63011451cef3f47cc4985b3316cf1213c056d38768ccb7f44cb2fab28cf4e30e969

Download Submit
memory/2928-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2928-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads