ardamax | fcb5a8b669aed84a2c97f1f2b3a90981f1a7701bc99e56409942d9aceef58da6

General

Target

73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
Size

543KB
MD5

73335537220bdfd701774177b09d94b0
SHA1

000c2db050d7d04567ca5150f52b85c484dc3aa0
SHA256

fcb5a8b669aed84a2c97f1f2b3a90981f1a7701bc99e56409942d9aceef58da6
SHA512

8753209bc479b0baea8ebd56c4041eda93f3ff9417ee2eca6998113ddc98386fb767bcb3f1540014de544cdd94d1b5c26456faa4875b8458c82bcd104222643e
SSDEEP

12288:OIZsut4Cfk1B3Cb1KX4GKaOxYP3uA0JQiIBPrCeKIekAYn09+i:MuCCM1BCwXyaGyIQlJ2ws3

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\74638\DGYR.exe	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

DGYR.exe

pid process

2040 DGYR.exe
Loads dropped DLL 2 IoCs

Processes:

73335537220bdfd701774177b09d94b0_JaffaCakes118.exe

pid process

3028 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
3028 73335537220bdfd701774177b09d94b0_JaffaCakes118.exe

pid	process
2040	DGYR.exe

pid	process
3028	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
3028	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DGYR.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGYR Agent = "C:\\Windows\\SysWOW64\\74638\\DGYR.exe"	DGYR.exe

Drops file in System32 directory 5 IoCs

Processes:

73335537220bdfd701774177b09d94b0_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\74638\DGYR.006	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\74638\DGYR.007	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\74638\DGYR.exe	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\74638\AKV.exe	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\74638\DGYR.001	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

73335537220bdfd701774177b09d94b0_JaffaCakes118.exeDGYR.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DGYR.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

73335537220bdfd701774177b09d94b0_JaffaCakes118.exe

description	pid	process	target process
PID 3028 wrote to memory of 2040	3028	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe	DGYR.exe
PID 3028 wrote to memory of 2040	3028	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe	DGYR.exe
PID 3028 wrote to memory of 2040	3028	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe	DGYR.exe
PID 3028 wrote to memory of 2040	3028	73335537220bdfd701774177b09d94b0_JaffaCakes118.exe	DGYR.exe

C:\Users\Admin\AppData\Local\Temp\73335537220bdfd701774177b09d94b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73335537220bdfd701774177b09d94b0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\74638\DGYR.exe
  "C:\Windows\system32\74638\DGYR.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\74638\AKV.exe

Filesize
458KB

MD5
e28b8e6368b1a9edb3de05e8bedbda3d

SHA1
d219b27b16558a560cbdd568ab42a08adb7547be

SHA256
ce9cc662186b1f46448434150afcf521ff753077ccdddb03b9c5dfb56178fda5

SHA512
096f2e77303636fceba5e5abbfffc2949a9551ed44a0e34f9445544e8318854c4138d4313f99d7904b58ee567963bdc76d89ebb550637fd6841a00d74eb762fb

Download Submit
C:\Windows\SysWOW64\74638\DGYR.001

Filesize
426B

MD5
1b72c3de319a128482fc02c7d19d1595

SHA1
792c85f3be569eeea4cb763a8bcb7db848e04afd

SHA256
5aa46a1bdf9621942407bdc9aecb24317ec976f22d16d5e0f0e79576e2b3bb9b

SHA512
947ca12d5c1f72782554edc07fdb13f5436092420600809b6e687a63d2f202889b2e9afff05759bdd07fa00115c1bf1051815f3ee72fbbc7a34cf2e6d1f1e3f5

Download Submit
C:\Windows\SysWOW64\74638\DGYR.006

Filesize
8KB

MD5
8d093334c5c1ab69afff0e4322c3158b

SHA1
05c415e71e7dcacb78f49f25925f5177b02f0021

SHA256
e0e54c8f86327bcb48df4c803a2ebd7299f839e77b8ee77665210f4e33885a40

SHA512
20acde6e65c87b6dcbb44e48b12165bf9565dbf1f96f431d6b5367f61f1ae9ae20bf637f1f696078b7a7f3aaf078cbf7c4257d9d2a3fbebcbb165b0b941ca275

Download Submit
C:\Windows\SysWOW64\74638\DGYR.007

Filesize
5KB

MD5
f9fb0e65a3753ca6530eda233cf7fd3d

SHA1
3eee3da17c67440102371450791d4474f0d5d537

SHA256
4c1f344695d2a4773b0106a21e8b0bc97a7a88c04787420907afc3f14e9cf2a3

SHA512
97bc5e069c7e1ffdbfdd7379b91f3aedd1b2483196ee916ed7a737036d2e7dd3dc070a583391ac88456fa7e9c0e8c9edee81edd4f5ad3b9c6b972f0ec96ecf8d

Download Submit
\Users\Admin\AppData\Local\Temp\@E1A8.tmp

Filesize
4KB

MD5
c88da5c55de230053bb94c597184e4ae

SHA1
7d7a4cf6466165c6c1c507f7910ecb27ad0da331

SHA256
64e12bb2b0fdeed4187cb4748a97b75379ff2c4e72c3655efe5b23eab8cd2869

SHA512
40f163ea795150dae74c6df09bff38d68b52d58b6ee9cf2aac873062588cc18f6e445c5ee9410a5060ecd2cc87c70be44a41b8b4f32250a6ce20bc6bf41bc623

Download Submit
\Windows\SysWOW64\74638\DGYR.exe

Filesize
568KB

MD5
9c04bcdac0f7fa9100cf3418eaac9ed1

SHA1
d1e566631886b2882e7ac0709d04e98f6d44de4a

SHA256
c82c2989bf19daf8d201dd25de7933488de98825257e549a8c7c2d21736a32c3

SHA512
2d3c39c3c249c58109e49b733cc68dbb5e2bed1749e0f90c0e7ae2995ec14d9ea36116abefb84ada0377d108a79f446d4fbbb4454c8f3ee7ad3446ada0be2aac

Download Submit
memory/2040-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads