ardamax | df1f3e766f8e1ffc1ab013e57ad84b9e3ccd6574f248a59e4829eb84a48b5019

General

Target

2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe
Size

307KB
MD5

2d7c46588e711a0416b4159f367d0bef
SHA1

c9a75f7f8fd3dcbf649c603a13c155b52eb106e8
SHA256

df1f3e766f8e1ffc1ab013e57ad84b9e3ccd6574f248a59e4829eb84a48b5019
SHA512

e464d90017004cf507875233cd09426c2289d08a3a798619843d32cfb3825d3d80c419e8c0012c3f8f7da58191470908a6cbdf135d1dee5562c04a77afe4132f
SSDEEP

6144:EtxSzc8/K6ommiuOsp2FNYslkoxyL7AIBZWwDfG3Ls7n+zL8xRq3BQlfYQaxU:kxSzU6ombEp5sXxgsIrfDfG3LCNRq6lJ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018f08-31.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2204	Install.exe
2104	Ziro WP.exe
2724	TWWT.exe

Loads dropped DLL 12 IoCs

pid	Process
1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe
1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe
1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe
2204	Install.exe
2204	Install.exe
2204	Install.exe
2204	Install.exe
2204	Install.exe
2204	Install.exe
2724	TWWT.exe
2724	TWWT.exe
2724	TWWT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TWWT Agent = "C:\\Windows\\SysWOW64\\28463\\TWWT.exe"	TWWT.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\TWWT.006	Install.exe
File created	C:\Windows\SysWOW64\28463\TWWT.007	Install.exe
File created	C:\Windows\SysWOW64\28463\TWWT.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\TWWT.001	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TWWT.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2204	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2204	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2204	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2204	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2204	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2204	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2204	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	29
PID 1956 wrote to memory of 2104	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2104	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2104	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	30
PID 1956 wrote to memory of 2104	1956	2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2724	2204	Install.exe	32
PID 2204 wrote to memory of 2724	2204	Install.exe	32
PID 2204 wrote to memory of 2724	2204	Install.exe	32
PID 2204 wrote to memory of 2724	2204	Install.exe	32
PID 2204 wrote to memory of 2724	2204	Install.exe	32
PID 2204 wrote to memory of 2724	2204	Install.exe	32
PID 2204 wrote to memory of 2724	2204	Install.exe	32
PID 2104 wrote to memory of 2304	2104	Ziro WP.exe	33
PID 2104 wrote to memory of 2304	2104	Ziro WP.exe	33
PID 2104 wrote to memory of 2304	2104	Ziro WP.exe	33

C:\Users\Admin\AppData\Local\Temp\2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d7c46588e711a0416b4159f367d0bef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\28463\TWWT.exe
    "C:\Windows\system32\28463\TWWT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\Ziro WP.exe
  "C:\Users\Admin\AppData\Local\Temp\Ziro WP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 384
    3⤵
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ziro WP.exe

Filesize
20KB

MD5
6a12f59443d2113f2b419da2934bb65b

SHA1
0404a60cc5cc573ad0afe827c0b8507a8155cbff

SHA256
a0d916021d2da7b11d16b09370815da280071ed5b6ae64cb7e761a8add8f74af

SHA512
09dc23edfe13c43bdc61b5f0e957bb720e2c6f4be26bc938aae8a65b133b3c9900346b5fe997b502d26d01e482882f88cbd874b8a458a7324d5aec7fdddd9736

Download Submit
C:\Windows\SysWOW64\28463\TWWT.001

Filesize
382B

MD5
5baeb57c99f07eacb0ff186468894371

SHA1
bd0533dee9b806228ce08522a30db18a57580e62

SHA256
03fc02f3e344312347cea152e4f1d2fff6a784afb008cf97c2cfc34e92a32645

SHA512
8b094c2110858b5a65d5e51890e840a95bd19f6444f2894305e1e39f825b8502ad7a323135f1803db4cfeb6bd9c96a5ccf80cd9afb614c5760b9734754fed9f6

Download Submit
C:\Windows\SysWOW64\28463\TWWT.006

Filesize
8KB

MD5
81e20f4361cf8f5a57812871c24d945e

SHA1
5d7877d6959ab26599b05795a71633f00c37a3da

SHA256
e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d

SHA512
69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

Download Submit
C:\Windows\SysWOW64\28463\TWWT.007

Filesize
5KB

MD5
e9fbdcc2f5fb657fa519b3f5c69fc52d

SHA1
c49cca77b46a59d620711de7564d43e5dafcd2b5

SHA256
cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4

SHA512
913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

Download Submit
\Users\Admin\AppData\Local\Temp\@3459.tmp

Filesize
4KB

MD5
25530555085337eb644b061f239aa9d4

SHA1
8d91e099aba5439d4bfa8bce464c94e3e1acf620

SHA256
3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325

SHA512
b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
271KB

MD5
e047f686e8c93fdce534143c68ef93a2

SHA1
890fc6b085459c280100f4b303851e663c919ef4

SHA256
feecb0d13dea28109d9b30a4dd3f658302bbece331caa136f1c999a58a94c900

SHA512
7527caec2cb3a0ded6fdfbb137f9622387174515ade89425a3a7f018fb245080984daa303aebff2b4347a3e01eb51c84fb3de75f4ad97c7ce75f72f3c59dda72

Download Submit
\Windows\SysWOW64\28463\TWWT.exe

Filesize
473KB

MD5
97d8ad45f48b4b28a93aab94699b7168

SHA1
8b69b7fd7c008b95d12386f6da415097e72151de

SHA256
661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331

SHA512
3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

Download Submit
memory/2104-29-0x000007FEF5EFE000-0x000007FEF5EFF000-memory.dmp

Filesize
4KB

Download
memory/2104-44-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download
memory/2104-48-0x000007FEF5EFE000-0x000007FEF5EFF000-memory.dmp

Filesize
4KB

Download
memory/2104-49-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download
memory/2104-50-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads