ardamax | f43f7d9ee9b85d080d445ec8c69fd8c7349893996b25eb322c3183a45b28cce5

General

Target

12f9251338d518abf22361c88013b051_JaffaCakes118.exe
Size

512KB
MD5

12f9251338d518abf22361c88013b051
SHA1

4c00f7c63661449bf58f8fa8139b52e30bfef49d
SHA256

f43f7d9ee9b85d080d445ec8c69fd8c7349893996b25eb322c3183a45b28cce5
SHA512

e86bc25b63e492ec28904d18aa57007d486bde5777e4e3b54f88675285c5d57f71fa715beb446b13d5e012d8d75fdbf52f0dbb507c0ce070e9c2217bc78b7643
SSDEEP

12288:PRXeucDwf9apYBAtS6mIyZFEYcnMTGiPNIMSOD2Zxnd5umOfhPH8LlgddaIw9+Dh:suc6e9maYcnWPSfWOImOmgHe9+UE

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000017355-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
576	VDBV.exe
2764	Secret Spammer V5.2.exe

Loads dropped DLL 9 IoCs

pid	Process
1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
576	VDBV.exe
1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
576	VDBV.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VDBV Agent = "C:\\Windows\\SysWOW64\\Sys32\\VDBV.exe"	VDBV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\VDBV.001	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\VDBV.006	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\VDBV.007	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\VDBV.exe	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	VDBV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Secret Spammer V5.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12f9251338d518abf22361c88013b051_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VDBV.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
576	VDBV.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	576	VDBV.exe
Token: SeIncBasePriorityPrivilege	576	VDBV.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
576	VDBV.exe
576	VDBV.exe
576	VDBV.exe
576	VDBV.exe
576	VDBV.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe
2764	Secret Spammer V5.2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 576	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	30
PID 1540 wrote to memory of 576	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	30
PID 1540 wrote to memory of 576	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	30
PID 1540 wrote to memory of 576	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	30
PID 1540 wrote to memory of 2764	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	31
PID 1540 wrote to memory of 2764	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	31
PID 1540 wrote to memory of 2764	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	31
PID 1540 wrote to memory of 2764	1540	12f9251338d518abf22361c88013b051_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\12f9251338d518abf22361c88013b051_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12f9251338d518abf22361c88013b051_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\Sys32\VDBV.exe
  "C:\Windows\system32\Sys32\VDBV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:576
- C:\Users\Admin\AppData\Local\Temp\Secret Spammer V5.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Secret Spammer V5.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
869461e168a87283a8782e70f5d5a3a8

SHA1
ab189b5f2682ae66162226b4f646b1e80486c653

SHA256
992cb5ea845b2d24c02f4e40873bf4ebd7b58b57ae2e001907228af4879e575b

SHA512
e4e77e07eb0ef2adb6d5ebdb9629f4632c417cf3d1a22e4c414b806bfbd259df13f6c88265f9346ed2b22bf67eb3d63924d86767c8508be4abdc9067f15a82ae

Download Submit
C:\Windows\SysWOW64\Sys32\VDBV.001

Filesize
460B

MD5
a626aa5bd250cd00c2777ff30f4df9fd

SHA1
46ae96aa6cc1db792db9197e2927fdcb92c82790

SHA256
7b6a0b375656446a2280e2d8ec5ea138fda8379d7d5e75132c86ec0a7c3217c2

SHA512
d23a5a7ebf0ef295058d89035b8a24af5f0bafd7dd47f18ebaf8e67fe9e9e189ab0efb3b9cb24274a663db5b870ecc5612cff1660e84ad983d8629935134510a

Download Submit
C:\Windows\SysWOW64\Sys32\VDBV.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\SysWOW64\Sys32\VDBV.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
\Users\Admin\AppData\Local\Temp\@A709.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
\Users\Admin\AppData\Local\Temp\Secret Spammer V5.2.exe

Filesize
76KB

MD5
9f13ae5b5fc4cdb6c704fec083dbc106

SHA1
0bdee8c13599787db9a7555518797f217ab8eb56

SHA256
086ed21bc5a820ff570d575bebbcebc2a35b310dc51838387f8899d4331c68ae

SHA512
e0f2e0035dcc59e19e03c3beb1f996c0c0495d68f3c2b879ae6414023efd312c1209058372e613166be528b1e7e27a369aec9e5a32589147a17b03aedcae23f5

Download Submit
\Windows\SysWOW64\Sys32\VDBV.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
memory/576-23-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/576-41-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2764-39-0x0000000076F0F000-0x0000000076F10000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads