ardamax | ab1fe1fe5fa13d93735123b47a4d29215146978d8fb26d4176c3bdeeb3b447fa

General

Target

8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
Size

3.0MB
MD5

8720ba5c05129f74e068a7d8096bd332
SHA1

568cf19b66f6656f6cf9d20070ea8531cb9a383b
SHA256

ab1fe1fe5fa13d93735123b47a4d29215146978d8fb26d4176c3bdeeb3b447fa
SHA512

b501974c9e7229936c476f4d59d239a4f58fbc768c4fce6a77878027df267bd2bb480e0752d51174abf33eb1c971d0a70439000ed5b312aa0e0fca8c93718576
SSDEEP

49152:S2sGvURF4T9QERWhQ6HBc+anFCbQGbm6J0+Ys6lAqFlAtp5odXQ5hB:BUve9Q0WhZBcgEUm6JDyAYlAt7ogD

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000019926-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

Processes:

MGXW.exesro_client.exe

pid	Process
2180	MGXW.exe
2712	sro_client.exe

Loads dropped DLL 11 IoCs

Processes:

8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exeMGXW.exesro_client.exe

pid	Process
1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
2180	MGXW.exe
2180	MGXW.exe
1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
2712	sro_client.exe
2712	sro_client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MGXW.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MGXW Agent = "C:\\Windows\\SysWOW64\\Sys32\\MGXW.exe"	MGXW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

Processes:

8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exeMGXW.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\MGXW.001	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\MGXW.006	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\MGXW.007	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\MGXW.exe	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	MGXW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sro_client.execmd.exe8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exeMGXW.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sro_client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MGXW.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MGXW.exe

description	pid	Process
Token: 33	2180	MGXW.exe
Token: SeIncBasePriorityPrivilege	2180	MGXW.exe
Token: SeIncBasePriorityPrivilege	2180	MGXW.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MGXW.exe

pid	Process
2180	MGXW.exe
2180	MGXW.exe
2180	MGXW.exe
2180	MGXW.exe
2180	MGXW.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exeMGXW.exe

description	pid	Process	procid_target
PID 1464 wrote to memory of 2180	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	30
PID 1464 wrote to memory of 2180	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	30
PID 1464 wrote to memory of 2180	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	30
PID 1464 wrote to memory of 2180	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	30
PID 1464 wrote to memory of 2712	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2712	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2712	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2712	1464	8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe	31
PID 2180 wrote to memory of 3048	2180	MGXW.exe	33
PID 2180 wrote to memory of 3048	2180	MGXW.exe	33
PID 2180 wrote to memory of 3048	2180	MGXW.exe	33
PID 2180 wrote to memory of 3048	2180	MGXW.exe	33

C:\Users\Admin\AppData\Local\Temp\8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8720ba5c05129f74e068a7d8096bd332_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\Sys32\MGXW.exe
  "C:\Windows\system32\Sys32\MGXW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\MGXW.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- C:\Users\Admin\AppData\Local\Temp\sro_client.exe
  "C:\Users\Admin\AppData\Local\Temp\sro_client.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\MGXW.001

Filesize
434B

MD5
f19f43c8367e0e7a975f33572dbe0750

SHA1
5604b137e3c67aab87404eef7c5d51aca62b9a74

SHA256
2a100867f815cfbaf97e4e57c67dc1ee023ef82cedb86e40976049837212b568

SHA512
8a3fefc2037a7f94f5855b3fccb38bbc6b97043245a847b7df7d7d0e676414435d191c2b72e33a49f16d3b03fd87e9513d411b633169cacbcb3ee3219360d3c4

Download Submit
C:\Windows\SysWOW64\Sys32\MGXW.006

Filesize
7KB

MD5
6d97151278f4a6c0273d92bed593e49a

SHA1
c2cbe640b2531f5b51ae461a4f213294b106c7e4

SHA256
7a572090797699c09c8f369f1d646d4340aea4c0bbd8f5383a3747478b99aa60

SHA512
0ec5bfb032c8d1d911faafbe63a4739d23dc3368f9d6b8b2fb4a6a92f9ae6c5e5e1a21acb879eef0ea592646c69483338504048cf16ed9be827cf6fbe70d63de

Download Submit
C:\Windows\SysWOW64\Sys32\MGXW.007

Filesize
5KB

MD5
5ff123f581e889ec2d72e5e91762250c

SHA1
036f31e9303b85dbc0bde419674654743b4135d4

SHA256
1dbf1be7742842553d83dd0c2b39855828c8be7715fd40d2ab464a2a13b82116

SHA512
21dc1dcd42bcd7f5ff28b3023141f6e58229c7b34a6deae966c3fb13f8c4e8aeeb20a4615bd0d2912441298d870c7a9a50667d6e7e58a16519f9051186616207

Download Submit
\Users\Admin\AppData\Local\Temp\@7FCA.tmp

Filesize
4KB

MD5
070dbaaff6fc4389cf2f22d071d21c26

SHA1
536ecaadbcbcf2f4c16a7c47d8ee2f71921957da

SHA256
83ea6f0a401f215e90ca73b97575a56da6ca420872603179bd5db5ec76f85081

SHA512
8fdc34084f119dad46c0f4699acb0478a0b17bb065cb68527f556c16fb20891d7a69276ffd2c1d7568a2350112ddecc182c28fae8d0e7b77db88be9fd14f0609

Download Submit
\Users\Admin\AppData\Local\Temp\sro_client.exe

Filesize
7.2MB

MD5
011d6636c60fbaf9d0febcee68ea63e1

SHA1
043979cfc93ab50660141f1bf7d0002da96baeec

SHA256
f5c631ee4c700d37385de0b88cdbfaa6c0409abea4da681a48ff728caeedbf8f

SHA512
ad7ddd5650bd1cd078e93199e1a2a2a5530995660373708fffdeff4635108e2bc431accc53c13296f81ea324f3fde5fe0f37a256f497f7fe6b09bf29a3c87f5f

Download Submit
\Windows\SysWOW64\Sys32\MGXW.exe

Filesize
477KB

MD5
75f85a9486fbf3f06af7ee61303deca5

SHA1
e5df6099c029ae4a77d9e9a116992ff55a73a546

SHA256
54841077de626fa46dd196c12fae104d2669cd3ea7d8988ed8637fbe552ae200

SHA512
58f7a4dcb59ccb046b80165f34b62f00accd5c1ac58681f75b08177b07835ccee9b569508dab2115805b114e5839911aca1e762baad4a3002083a51bc97419e6

Download Submit
memory/2180-20-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2180-39-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads