ardamax | e33be1e701ecd90a1a3a74e2f37763cb4270f737b262c40aa68ab8949ca64016

General

Target

825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
Size

497KB
MD5

825be5cd244f49f4fc92a44a419bbeb4
SHA1

51d002d00dc353398051b15b1adb9fcb6e5c6994
SHA256

e33be1e701ecd90a1a3a74e2f37763cb4270f737b262c40aa68ab8949ca64016
SHA512

21f9c8a31a595ed54064381b2c1161c39f723e92444edb3a70d46024b7ab564257321cca1fc8e17e84e1e19a6c26782e4c69d40beb80e5ca47f498dd449c1ea5
SSDEEP

12288:r7wD68w/QNPFyRpLmg87cjsEJphoGr4WhFtIifuP:HQNtyfT84XJ4GcethU

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
donbugti

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018722-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2304	VSYT.exe

Loads dropped DLL 5 IoCs

pid	Process
2104	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
2104	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
2104	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
2304	VSYT.exe
2304	VSYT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\VSYT.exe	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys	VSYT.exe
File created	C:\Windows\SysWOW64\Sys\VSYT.009	VSYT.exe
File opened for modification	C:\Windows\SysWOW64\Sys\VSYT.009	VSYT.exe
File created	C:\Windows\SysWOW64\Sys\VSYT.001	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\VSYT.006	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\VSYT.007	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSYT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2304	VSYT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2304	VSYT.exe
Token: SeIncBasePriorityPrivilege	2304	VSYT.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2304	VSYT.exe
2304	VSYT.exe
2304	VSYT.exe
2304	VSYT.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2304	2104	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2304	2104	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2304	2104	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2304	2104	825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\825be5cd244f49f4fc92a44a419bbeb4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Sys\VSYT.exe
  "C:\Windows\system32\Sys\VSYT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
bcf6fab667525797024d0962e41e9b7b

SHA1
86b3d41b65eb4ed85c6610a4bb595df787bb2a6a

SHA256
916385eb000bc6011cac9b11d89fd08ffaaddf7d727f9c9bf0764bbcf905b877

SHA512
7e04832d129e3bacb4d4d83259ec02e1e6f5da4da742dbbf010345ccd90a0547e12fcca68da3cff284687a112f570ca269596512605715b3477ae99933afc82c

Download Submit
C:\Windows\SysWOW64\Sys\VSYT.001

Filesize
3KB

MD5
3f3e260429a0bcee3fe081f14fdb56ae

SHA1
fdaf56854c61f8b65c81fd827ae151dae6501b29

SHA256
9e2bb421110474b0681e60121fca926031222091b9f65573f10ec34c84d88f19

SHA512
03cf686555ab26e3c8d4404f7fa1c3a79b04c6ec9b4502c74999bcc77d439214545a7f9d44fb48ee9a988a6470faadfb216e183c8f58448ed6cad1a42e9c426d

Download Submit
C:\Windows\SysWOW64\Sys\VSYT.006

Filesize
5KB

MD5
3a2ef41ad6d9415229e0b76ec6df1baf

SHA1
e72f2c0d664a4d2323872bd1f586ec60bb0a6342

SHA256
b7e321cf9dacead275e600c2b531e96a62c671e0a2d641e141acbefb509adf2b

SHA512
b8d5f62e7da21d4114f8764afb16bc409921935d3440f8e712740a50dd7a01f850cfda31f0a4b41e4f514d6bb64e407a83e8e034e5be65cddde27817c728caeb

Download Submit
C:\Windows\SysWOW64\Sys\VSYT.007

Filesize
4KB

MD5
cb576a1e67ddeb42dc0e23a541cefdb8

SHA1
9684e67a013de4f0f5066856f553674db0f2749c

SHA256
8a9a4e62b646f072f6c1b5415b8461af96db307f59c4d32c9e4f455477ffc221

SHA512
e173475fbf9541daa6790133ceef4b8af414491c0a198e356ba1b1c2fcbdcf7044e8b8ae22d72f39b2b7b888e254fd742b9b09ae3c4e63fa64b5171508247942

Download Submit
C:\Windows\SysWOW64\Sys\VSYT.009

Filesize
1.3MB

MD5
aaa2004f1512c151640587d83c2e9c51

SHA1
606403b64d3aba5f3a119cbfefcb7f067967d6b7

SHA256
7c1c7b2e69bbefec1d61a3212f6473b44f8e392f8bc78b09f4d72582f03ab6e8

SHA512
a59c6e3a32515bf9df370da729684baa8f9790b5ca1794e87b10de223fe6071f08a23060c6ee30624cffbd732500bcdd13a62734da44d5a0b36882f0fb44450b

Download Submit
\Users\Admin\AppData\Local\Temp\@B78C.tmp

Filesize
4KB

MD5
b429300c8148810d2e6a8d40009fc124

SHA1
93ec9660cc0d68cadc6c7f44b35ea0a0ef684ae8

SHA256
98445d51b61014815fc43e44933e5dc126c4fe763545141e78ee1358e487b4b7

SHA512
47a1cfdba6c1e04a322116538a62b22d61cf6b31966e53cfe4e54eb75a58530a7636e3deffcfb7e96ff2bdae2b99c7bcb312685d1ceac2f79c118f6347bf2407

Download Submit
\Windows\SysWOW64\Sys\VSYT.exe

Filesize
468KB

MD5
4b64ea8b01e25e1af067d11698778ce4

SHA1
20c4d03590cc3ef10e0b3ddbfcdf6fbb41149847

SHA256
08b9f18c1098036ae8830caae054c451c66478490dcd4c653a01abaa937ee7c5

SHA512
5bea198540fa4dd9234017ec3e7a0cf79da4d3bc53cb715a3a6335567c08ff0871b886d6f4dd80e9f4e9df4cac8be392fc7d0e3456c14624583c6cf337ce65d0

Download Submit
memory/2304-24-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2304-27-0x000000007747F000-0x0000000077480000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing