ardamax | 85335c9913584ffa043afffbf21a1bea3dfdfafb0898f6f3bb63b2b67212edb3

General

Target

9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
Size

575KB
MD5

9e2dad56b15a9b479282726deb9d35e2
SHA1

7ebf1c7c28caf8b40d6342ef9dad1ee042763089
SHA256

85335c9913584ffa043afffbf21a1bea3dfdfafb0898f6f3bb63b2b67212edb3
SHA512

e8cf4174fdfaed0b56aa82fe23783b8db03ce025506bff1b1efcc122384bd15dcbbc338c6602ab1b38ef4afb14b8682b7dc59399394e9916b48a69373ae9b668
SSDEEP

12288:IIkpPSSFoCRrpigV1DU4XV08eIA4dPUrCiIvt1DIekAYh57LVo:U6O/okX+5I8SDSnK

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018766-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
740	DPOP.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
2136	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPOP Agent = "C:\\Windows\\SysWOW64\\28463\\DPOP.exe"	DPOP.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\DPOP.006	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\DPOP.007	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\DPOP.exe	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\DPOP.chm	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\DPOP.004	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\DPOP.003	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\DPOP.001	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPOP.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 740	2136	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe	30
PID 2136 wrote to memory of 740	2136	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe	30
PID 2136 wrote to memory of 740	2136	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe	30
PID 2136 wrote to memory of 740	2136	9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e2dad56b15a9b479282726deb9d35e2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\28463\DPOP.exe
  "C:\Windows\system32\28463\DPOP.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
458KB

MD5
445bb23ed3b1c70476641806ffb42bd6

SHA1
8e39c008da05859777a69cfc9b7d5acb882d93c0

SHA256
62d39fc61386dccf614ab8345d77bd8f36b5350b3ed7b5ea506fd0dec7adb34a

SHA512
a06f7bbc85cd5071f061b5983e195fe4f143281d6c999da1b5e6c3816bbea1dde8e4d6d94ce97ae63a16f67d7f705fff526b5511bfa7111a05e8ef70e5348a03

Download Submit
C:\Windows\SysWOW64\28463\DPOP.001

Filesize
392B

MD5
5a8dd98e7d20b0ce7bd04d4cbf6d1332

SHA1
68116bded83562e0c0ed5e150c097374f17e60fc

SHA256
3002f0fb7f28aaef66089ac5bc14fecc1721ddeb1cdec70c164e118c17d3860d

SHA512
bfd8ce6c9d72a5b4fb51e80c7527e8942bdcc43c199e49b5fbfd9fa355691fc78e61f427bf4d11361e1ec6d5c02c75a089db6f2d0a8f617ac2dc294d7b06d95a

Download Submit
C:\Windows\SysWOW64\28463\DPOP.004

Filesize
14KB

MD5
eb8b93b928b88ff56474d2351ee09800

SHA1
9c50d21553448bb6b83688401e56ae765ea1e3c7

SHA256
d88a20d765f1e12796067764474f9cb22639864cbda71b1df1ef2bfb59bf62e2

SHA512
d9d571458c5c0fac4226f4b3c05c42a66ae9ffffaa7833de22fa053538917e63471db9bb2bfb464c476c47a454647d162c8e351d7ea2d8cbb1c640057ca1c1ea

Download Submit
C:\Windows\SysWOW64\28463\DPOP.006

Filesize
8KB

MD5
360ed664cecf28635462d5e563be3c62

SHA1
5ff3c278c561d07f7bf05495b804af75de80bb62

SHA256
da0ac6a5ab9f8258695ff475d6038d1d45af4cdee8efca0f5ba7baf434f28a6f

SHA512
76ebb7e13ca404a4220bacce77ccbe69804c96126075326562376608fc0b0011b3b5869047f97c609431cb4d3afd17368e9e21d1ab02ee0b0e491887439e6b29

Download Submit
C:\Windows\SysWOW64\28463\DPOP.007

Filesize
5KB

MD5
422d74eb4f7efa089c718584c66744b1

SHA1
613ae988006affa6dadf7b552e3c1ba867d73b68

SHA256
68acc0270eb37fc646e6a97fe5417f68ef881b383da4416674f45e04f6858cd1

SHA512
76688362ddf00585d0274605a3c34734bd93610eb02bb8ed115bde01d00e80daec1dcf5f845fb56c2e71160556d2000af4b6219b4b7466e76e740e4170862124

Download Submit
C:\Windows\SysWOW64\28463\DPOP.chm

Filesize
33KB

MD5
b0c07c5afc489587493d309e54279e58

SHA1
0dfc61e7e23394f6242fbbf961b6f94a81dcd7db

SHA256
44c43ba9cbe53a0a38a0176176a79da8223b4d3b311d12fb9e44e0bfe8f38e6c

SHA512
77dfd87a26b8b70377f5ef6da9617322821154aa249a7e4969533ac58781b07f806c8dfeaf05bf01b24305721a5e4425738fb744fe8be3150a88d6a2920191c4

Download Submit
\Users\Admin\AppData\Local\Temp\@CFBD.tmp

Filesize
4KB

MD5
45cc64001aa3c416b28e83b855097316

SHA1
0031aca142db6b23c4475e5ae2afe09e234ab336

SHA256
8e857031ebfa0e37532f37b0eaaa3c553921a4c211fadd983099c49ff772a83e

SHA512
662a7ebc4dc87db4b8b3f34ddf89a71631f395a65f0b3da1ed64c92f42068cf6ff1cb377a66d1e09957e522abccf5d9845931dc9891ca845258e3453597f29d3

Download Submit
\Windows\SysWOW64\28463\DPOP.exe

Filesize
567KB

MD5
90e0e67d8d1adc46c1829a02005c4a75

SHA1
6e35a52aedf38ae8fbc50108f0a572e8c9bfb1cc

SHA256
0b731d1736eb5ead93415efee7e3e7e4a78ba1352512482d16183b3a62b2543b

SHA512
7b33312246b77b191be15e1f675503a2dbfc3bb196388c5d46948240d011d8068d7a84841b25fad63e345ece0bd9a61b5ae39de4be84433805acd077dafece81

Download Submit
memory/740-27-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads