ardamax | 45a05078e555fb489807bbd1e3df8f49d7004bfc0a374c45aa8c3d8953af1f9f

General

Target

ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe
Size

918KB
MD5

ec28a285eb7c0022f021064a9e73ae40
SHA1

bd06a5ca5a43d66614b5ef55344e2a8b4aed5048
SHA256

45a05078e555fb489807bbd1e3df8f49d7004bfc0a374c45aa8c3d8953af1f9f
SHA512

83f3a62e385ea1185e0cf54d11e5a0ea3c71a19bfa8e6c218dd4e62d971f8961ccc908d9a49828a2107943bb7c8e2d3caafa4d68d67a60ece63038d6467bcc2a
SSDEEP

24576:uHvZTDDE81u3rrl+YKvMqARUfrEvIzcSVKYYgQQh/SCqvoqU0bg0kW:eBTD5s33IXvMqkUfc+cSAa96U0

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016dd0-5.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
3064	RTL.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTL Start = "C:\\Windows\\SysWOW64\\MRPVRK\\RTL.exe"	RTL.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MRPVRK\RTL.exe	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRPVRK\RTL.004	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRPVRK\RTL.001	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRPVRK\RTL.002	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RTL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
532	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3064	1480	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe	30
PID 1480 wrote to memory of 3064	1480	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe	30
PID 1480 wrote to memory of 3064	1480	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe	30
PID 1480 wrote to memory of 3064	1480	ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec28a285eb7c0022f021064a9e73ae40_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\MRPVRK\RTL.exe
  "C:\Windows\system32\MRPVRK\RTL.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3064

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aaGROTA.JPG

Filesize
32KB

MD5
7f6e6fa951d59045c5351378a31c6564

SHA1
652104b5e35a8460e687da82735eb3f60513872f

SHA256
188dee039c6f53602db2d75e1e8b54ea6c461025554def240a623707cce8a7e7

SHA512
c77ba1621ade4287853dfe488e9c6654afe468e70f266cea7e6b2f9ff0e209b9a6ce8667917af182b7c44be0c693a688520e368cf27b5054214987382c3f7e81

Download Submit
C:\Windows\SysWOW64\MRPVRK\RTL.001

Filesize
61KB

MD5
34c92b717ae97bc926f56ba56a44f24a

SHA1
ccaf3c6bf0c73564d0bf19c92b8d25008ffffbfa

SHA256
6e60d85b35f5e9222375f606e4116b38364a4a943596ddb0d914cf1cf4791774

SHA512
2a9eb63837db128c9e036976d903ebd925e6952ab6bf4efa0e370e79f9fefe0ed6e44e4ab444f56ace1149f4dd14797f568e8827e7cebd1e5581dcf309f9745a

Download Submit
C:\Windows\SysWOW64\MRPVRK\RTL.002

Filesize
43KB

MD5
246761f047f6aa98d6eaad66a2f883b9

SHA1
42474a5b23d03e094103b62fd7e820457cf807c4

SHA256
3774021a3cdf32d23fd5921cea4de8c26b08f0d601f3097550a7e8af7b00f111

SHA512
d39d0913975ca2f8d585b72667d76de09ce7817f6de26ef21a8b62edc25d7fab39785f036992d19ca5700f5fc2ee377e696142c41529f23f503e8eefff393144

Download Submit
C:\Windows\SysWOW64\MRPVRK\RTL.004

Filesize
1KB

MD5
6b5a1c04478fb9bb2f4e5ea559553d20

SHA1
bbab85e6699ae17ef62e7c19bb76849b7bf59a25

SHA256
1a39a19570c64ca6521f7c3a7b5067e6c7dcfdabdf7d388652e6860317f9b48b

SHA512
d878a13897cba3805e95ecdf8eb43937386045086cd6ab2fb6cc3bff5c3487e8e41ec9ff9d7d20b9ed38156ecf515c5b85e54815b2ce8637972780130599bc87

Download Submit
\Windows\SysWOW64\MRPVRK\RTL.exe

Filesize
1.5MB

MD5
9ab9b7b74790b7bb2798dd2b26f4a913

SHA1
e8ffa981a0149aa6441dcb0dd42f7baf6eb773a2

SHA256
df1c8d608ebd300889cf21c3bda6d5dd2574d68e1f530cc5a885449a22177a75

SHA512
ffffe21d8cc244aacaaba2eb13cc77ad800a196ecf6f77637a8a1f6d456cabb8331970ab358ab21dcf9832343379b4f0486da3990d45eb2f2765e55b7404739e

Download Submit
memory/532-16-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1480-15-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/3064-14-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads