ardamax | d2bb826df9485b0b31a55dbe782bef51ac5b9e723d66f6fc043c0be03a7c97b1

General

Target

6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
Size

1.1MB
MD5

6599c61f79bc39edb0800d342281982f
SHA1

1f176e0c08943f68efde845034b3c12071f3c0ba
SHA256

d2bb826df9485b0b31a55dbe782bef51ac5b9e723d66f6fc043c0be03a7c97b1
SHA512

8e45dbdb4337f310d227e7e9b87c33aa295a3ba003540f5865a5a75d6c89a06c32f351736fd2e41f5373f5478d0d7a129905e6734134e71d2ef61286f8d99034
SSDEEP

24576:fLMPuMGw4AYJyFFbvrxFwYzMh0fe4sR5EjUTzxIPkwwiFYAS5zVgYUBS0jQ:fquMGw4arrbn17+yjUlIzwk4F

Score

10^/10

ardamax aspackv2 discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001925b-9.dat	family_ardamax

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00050000000194e4-19.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2336	BVHA.exe
3060	Revolution 4.2.exe

Loads dropped DLL 9 IoCs

pid	Process
1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
2336	BVHA.exe
2336	BVHA.exe
3060	Revolution 4.2.exe
3060	Revolution 4.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BVHA Agent = "C:\\Windows\\SysWOW64\\Sys32\\BVHA.exe"	BVHA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\BVHA.001	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\BVHA.006	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\BVHA.007	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\BVHA.exe	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	BVHA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Revolution 4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BVHA.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open	Revolution 4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Revolution 4.2.exe \"%1\""	Revolution 4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\DefaultIcon	Revolution 4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Revolution 4.2.exe,0"	Revolution 4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open\command	Revolution 4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	Revolution 4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell	Revolution 4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\shell\open\command\preCE	Revolution 4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\DefaultIcon\preCE	Revolution 4.2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	Revolution 4.2.exe
Token: 33	2336	BVHA.exe
Token: SeIncBasePriorityPrivilege	2336	BVHA.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2336	BVHA.exe
2336	BVHA.exe
2336	BVHA.exe
2336	BVHA.exe
2336	BVHA.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2336	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	30
PID 1664 wrote to memory of 2336	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	30
PID 1664 wrote to memory of 2336	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	30
PID 1664 wrote to memory of 2336	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	30
PID 1664 wrote to memory of 3060	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	31
PID 1664 wrote to memory of 3060	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	31
PID 1664 wrote to memory of 3060	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	31
PID 1664 wrote to memory of 3060	1664	6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6599c61f79bc39edb0800d342281982f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\Sys32\BVHA.exe
  "C:\Windows\system32\Sys32\BVHA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\Revolution 4.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Revolution 4.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
390KB

MD5
b073e1c34193d3b1ae37dade3152eb45

SHA1
f0b627e8310be12c832d2e14b1818446ffb42dfc

SHA256
8f418775144b64508556ffdfa24a8b6263dcb353fba94872fe8c24391d9bde79

SHA512
0e13f5052e1bc892205366f69fa5262c5fb815f9a9809fd39eeb0787a4fb48328907456f30fece3db19c9a40d0d1cc75cfd430e0c2b9edbd462909c315b6846b

Download Submit
C:\Windows\SysWOW64\Sys32\BVHA.001

Filesize
536B

MD5
633207edb2d2dbd5194215773b958f76

SHA1
807286c5ca3552d4cde99ce5a6be2806717070d0

SHA256
22cd03e4d19298a103faa65cff9d524a9654d3be32d2e483a55024122a79235b

SHA512
6f1b355d1b3c95a8bcfd08d465b41a7e52d80dc9ec0ee67538e1076ef56c156a269699cb860847e051e898cc32071f4969b0ca8426caae4c95871f82febeced2

Download Submit
C:\Windows\SysWOW64\Sys32\BVHA.006

Filesize
7KB

MD5
8f7b2a047e21e5168021c6b6c74b43d5

SHA1
86d6497fa6bfbc8d889479da1180d1b81c6dcf1c

SHA256
d18a1d8bd7bca221016a415a55034e6d47231b5561f3ecf4022c3caea52c00e8

SHA512
a15f0a4280b80db35e99b0a4c8e17fc63f49713b73fbd195ea2b5304bceb733cbfcf6673410dea2c6b83d617f8562fa18dd95574875caac71f81649fc95d2fd7

Download Submit
C:\Windows\SysWOW64\Sys32\BVHA.007

Filesize
5KB

MD5
aef6e96d082b935073a8ae15ba537f63

SHA1
704af73246a277c552c3ed2f859a227413de1b31

SHA256
75e8ce0baa4ccc7249d3d8a594d55744dfb6b6d0d9c272903ba8285ac504ef06

SHA512
a14c6de30455112aa8c8489ad080822f52554e4da087861cc49723e2f24f5bc292723cd5c129cb79fa13534f510a47e7e81173066633cf3716d983f951fc1955

Download Submit
\Users\Admin\AppData\Local\Temp\@B51C.tmp

Filesize
4KB

MD5
c5c306d45c5b88d004a071941b12b030

SHA1
fcdd3d742203743514f195d6d1060a8475036632

SHA256
2e6181885f8cb215a7291d556100636a7fd2b409cb6df1f65f6c61d058521ec8

SHA512
fdc66e8a5338e60adda51b21bfc5a40b86293d16c5492c82cdbce3cf4f9743c8b49f5e2e4d31c5b827c50c257a08c6dc57d3266ae3eac60ac46ad14684802738

Download Submit
\Users\Admin\AppData\Local\Temp\Revolution 4.2.exe

Filesize
656KB

MD5
d710fae69019f64cc7e12d5e9a6a0ee6

SHA1
8e108fece67c1ebbb02ef224fb1e4601c313dc5e

SHA256
9e96e2d71a1be32bb9119619b4ca471820af3e104737305ff3a8a26b3db21a48

SHA512
d084788775e9f57290c052639987b6d888d5c5f07e2eecf5bf2f81d4f7cd4ed6203cf06e217480e84aeb6d3bec220d673279c7134fe82e76f88678fc59c2c3be

Download Submit
\Windows\SysWOW64\Sys32\BVHA.exe

Filesize
477KB

MD5
489644a82021a8b7073ce20ff2ab34c9

SHA1
6384e2e97d957848d3a62af246f94e9c4a9e2f6e

SHA256
51fd851ac6c71b99feaa4d0222ba87e53363c4981f9727d054b97baaeca8eeaf

SHA512
95028425396879a03a003ae6e77f0567e13256a476ecc07779639b131091e206441e13d8a6aac99aef0135c065c6ccead9a9d5677fc63e70ec65f30e2509c872

Download Submit
memory/2336-41-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2336-34-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3060-42-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-48-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-39-0x000000007767F000-0x0000000077680000-memory.dmp

Filesize
4KB

Download
memory/3060-28-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3060-43-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-44-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-45-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-46-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-47-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-40-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3060-49-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-50-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-51-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-52-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-53-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-54-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/3060-55-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads