ardamax | 9100fd81f00a92c607d2335bb99897e52cc648e9cdba4e691697170fd42af946

General

Target

e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe
Size

314KB
MD5

e054e8d7db10b778177ba4da9d129cea
SHA1

6b275b5a36fe2c15135e3297120342f527c93660
SHA256

9100fd81f00a92c607d2335bb99897e52cc648e9cdba4e691697170fd42af946
SHA512

93a007fd495c2294f2b40cf03fa39482261e26a4ab62570d54b88fabe6727986ba2a0117921899d61f65a56933b0322ce2979f115fa1a4ff73c7e77d3b4f0924
SSDEEP

6144:sULZpTuvWCI/MOdUsMkA5pjdbptraOvACl/TnX7k4+VYY+2GrUuImyksoi:s5vWFMYUsPAxbpIOvrlbXL+uKGrYVV

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000174a8-20.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1316	Installer.exe
1744	VPYI.exe

Loads dropped DLL 12 IoCs

pid	Process
1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe
1316	Installer.exe
1316	Installer.exe
1316	Installer.exe
1316	Installer.exe
1316	Installer.exe
1316	Installer.exe
1744	VPYI.exe
1744	VPYI.exe
1744	VPYI.exe
1744	VPYI.exe
1744	VPYI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VPYI Agent = "C:\\Windows\\SysWOW64\\28463\\VPYI.exe"	VPYI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\VPYI.007	Installer.exe
File created	C:\Windows\SysWOW64\28463\VPYI.exe	Installer.exe
File opened for modification	C:\Windows\SysWOW64\28463	VPYI.exe
File created	C:\Windows\SysWOW64\28463\VPYI.001	Installer.exe
File created	C:\Windows\SysWOW64\28463\VPYI.006	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VPYI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1744	VPYI.exe
Token: SeIncBasePriorityPrivilege	1744	VPYI.exe
Token: SeIncBasePriorityPrivilege	1744	VPYI.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1744	VPYI.exe
1744	VPYI.exe
1744	VPYI.exe
1744	VPYI.exe
1744	VPYI.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1316	1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe	30
PID 1720 wrote to memory of 1316	1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe	30
PID 1720 wrote to memory of 1316	1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe	30
PID 1720 wrote to memory of 1316	1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe	30
PID 1720 wrote to memory of 1316	1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe	30
PID 1720 wrote to memory of 1316	1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe	30
PID 1720 wrote to memory of 1316	1720	e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1744	1316	Installer.exe	31
PID 1316 wrote to memory of 1744	1316	Installer.exe	31
PID 1316 wrote to memory of 1744	1316	Installer.exe	31
PID 1316 wrote to memory of 1744	1316	Installer.exe	31
PID 1316 wrote to memory of 1744	1316	Installer.exe	31
PID 1316 wrote to memory of 1744	1316	Installer.exe	31
PID 1316 wrote to memory of 1744	1316	Installer.exe	31
PID 1744 wrote to memory of 2428	1744	VPYI.exe	33
PID 1744 wrote to memory of 2428	1744	VPYI.exe	33
PID 1744 wrote to memory of 2428	1744	VPYI.exe	33
PID 1744 wrote to memory of 2428	1744	VPYI.exe	33
PID 1744 wrote to memory of 2428	1744	VPYI.exe	33
PID 1744 wrote to memory of 2428	1744	VPYI.exe	33
PID 1744 wrote to memory of 2428	1744	VPYI.exe	33

C:\Users\Admin\AppData\Local\Temp\e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e054e8d7db10b778177ba4da9d129cea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\28463\VPYI.exe
    "C:\Windows\system32\28463\VPYI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\VPYI.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\VPYI.001

Filesize
404B

MD5
cdb1c8750dee9d9d97707087f15439ac

SHA1
6035adbdf5753571df2f9706002cda4057858e74

SHA256
e551b171764d82bbfc2edb843e4e1181e32242905e2edb2750970dfe3e8f4d7b

SHA512
abedec2eadbf84f1d61dcea55e723fd11be252213ebb61c14682120d1a54813bf29107e07b6754c01bd82a8c972f3b302e8f0cfa4c97bbf706bc1f39e203d872

Download Submit
C:\Windows\SysWOW64\28463\VPYI.006

Filesize
8KB

MD5
86d96c93965255cef35ca42413188b75

SHA1
9d77f203267febe047d049584e5c79f1c1801b2d

SHA256
b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

SHA512
2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

Download Submit
C:\Windows\SysWOW64\28463\VPYI.007

Filesize
5KB

MD5
b73942c11844487ca7fc3e78062c8abb

SHA1
28f4c4159528ccbe9d83b5cd5e157861d11ff04c

SHA256
4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

SHA512
d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

Download Submit
\Users\Admin\AppData\Local\Temp\@C1C9.tmp

Filesize
4KB

MD5
9dc64557fcebd521ca4b267da15c2914

SHA1
c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

SHA256
a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

SHA512
00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

Download Submit
\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
295KB

MD5
a52ec26202644da6d02a66b7afa48e00

SHA1
c7e8f2cae27eab663aea22d24020b104e9775436

SHA256
06810abc5bbb2570db251786a56c70d2c8acda5be8689e94824893e5488559b5

SHA512
fe79d68989c22b6e7e20ec1f7dd07aa8965ad7131ed5bca91fa142f07073eb6e869837d30f3936b7202157010b38ef9e12e627c7bc6a5e5e519d37fb6634bf17

Download Submit
\Windows\SysWOW64\28463\VPYI.exe

Filesize
472KB

MD5
324154483b20e6f67a3c1486e3fc7c6a

SHA1
d6630eb1d8555b48413434b4a5d54c8de819cbf8

SHA256
ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

SHA512
36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

Download Submit
memory/1720-5-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads