ardamax | e5c4c074eb72bfb02e963ce0a5448ff28d4abce5620d44eb34adbd5af18f407e

General

Target

bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe
Size

571KB
MD5

bf944bcfd5877ec84fa7a6f9561e30da
SHA1

f109075f50557ff64ba1a7c9e7432b82f083835e
SHA256

e5c4c074eb72bfb02e963ce0a5448ff28d4abce5620d44eb34adbd5af18f407e
SHA512

278acd1de65d7813b2b08314576e13c04082b89ed4063052d2f7deadde9efb8b6e3ee49cc400eedafa5e56a82a7523be5be1ebfe73e24a956c36e323e5ffebf3
SSDEEP

12288:cgnJlcwKOjl9O9N6ntOwZ5vfMn16aGwJF99NR056T6+nUme:lnJPl9O9An4w7vEB76oYme

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016fdf-28.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2436	Eu_Goes.exe
2676	GVTR.exe

Loads dropped DLL 13 IoCs

pid	Process
2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe
2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe
2436	Eu_Goes.exe
2436	Eu_Goes.exe
2436	Eu_Goes.exe
2436	Eu_Goes.exe
2436	Eu_Goes.exe
2436	Eu_Goes.exe
2676	GVTR.exe
2676	GVTR.exe
2676	GVTR.exe
2676	GVTR.exe
2676	GVTR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GVTR Agent = "C:\\Windows\\SysWOW64\\Sys32\\GVTR.exe"	GVTR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\GVTR.001	Eu_Goes.exe
File created	C:\Windows\SysWOW64\Sys32\GVTR.006	Eu_Goes.exe
File created	C:\Windows\SysWOW64\Sys32\GVTR.007	Eu_Goes.exe
File created	C:\Windows\SysWOW64\Sys32\GVTR.exe	Eu_Goes.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	Eu_Goes.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	GVTR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eu_Goes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GVTR.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2676	GVTR.exe
Token: SeIncBasePriorityPrivilege	2676	GVTR.exe
Token: SeIncBasePriorityPrivilege	2676	GVTR.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2676	GVTR.exe
2676	GVTR.exe
2676	GVTR.exe
2676	GVTR.exe
2676	GVTR.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2436	2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2436	2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2436	2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2436	2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2436	2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2436	2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2436	2052	bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe	31
PID 2436 wrote to memory of 2676	2436	Eu_Goes.exe	32
PID 2436 wrote to memory of 2676	2436	Eu_Goes.exe	32
PID 2436 wrote to memory of 2676	2436	Eu_Goes.exe	32
PID 2436 wrote to memory of 2676	2436	Eu_Goes.exe	32
PID 2436 wrote to memory of 2676	2436	Eu_Goes.exe	32
PID 2436 wrote to memory of 2676	2436	Eu_Goes.exe	32
PID 2436 wrote to memory of 2676	2436	Eu_Goes.exe	32
PID 2676 wrote to memory of 1156	2676	GVTR.exe	33
PID 2676 wrote to memory of 1156	2676	GVTR.exe	33
PID 2676 wrote to memory of 1156	2676	GVTR.exe	33
PID 2676 wrote to memory of 1156	2676	GVTR.exe	33
PID 2676 wrote to memory of 1156	2676	GVTR.exe	33
PID 2676 wrote to memory of 1156	2676	GVTR.exe	33
PID 2676 wrote to memory of 1156	2676	GVTR.exe	33

C:\Users\Admin\AppData\Local\Temp\bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf944bcfd5877ec84fa7a6f9561e30da_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\Eu_Goes.exe
  "C:\Users\Admin\AppData\Local\Temp\Eu_Goes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\Sys32\GVTR.exe
    "C:\Windows\system32\Sys32\GVTR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\GVTR.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
390KB

MD5
b073e1c34193d3b1ae37dade3152eb45

SHA1
f0b627e8310be12c832d2e14b1818446ffb42dfc

SHA256
8f418775144b64508556ffdfa24a8b6263dcb353fba94872fe8c24391d9bde79

SHA512
0e13f5052e1bc892205366f69fa5262c5fb815f9a9809fd39eeb0787a4fb48328907456f30fece3db19c9a40d0d1cc75cfd430e0c2b9edbd462909c315b6846b

Download Submit
C:\Windows\SysWOW64\Sys32\GVTR.001

Filesize
426B

MD5
dd98bbd5719d498cf97d2c5e9487577e

SHA1
a325b6d7a0c78b6ff35df5c087b1ae3c2d59edfd

SHA256
89a13219d477d0dc74fcc38e0c10d9445633885d519a122d88723f3d84766f9a

SHA512
b72bb28d737e73913798c14c4c3818656e08256eaffaa5cad63f97b523edde609d1ecebdc16a58651e0d95d585d6dc1b018ae87d71418dadfb2e831d2112b3ba

Download Submit
C:\Windows\SysWOW64\Sys32\GVTR.006

Filesize
7KB

MD5
8f7b2a047e21e5168021c6b6c74b43d5

SHA1
86d6497fa6bfbc8d889479da1180d1b81c6dcf1c

SHA256
d18a1d8bd7bca221016a415a55034e6d47231b5561f3ecf4022c3caea52c00e8

SHA512
a15f0a4280b80db35e99b0a4c8e17fc63f49713b73fbd195ea2b5304bceb733cbfcf6673410dea2c6b83d617f8562fa18dd95574875caac71f81649fc95d2fd7

Download Submit
C:\Windows\SysWOW64\Sys32\GVTR.007

Filesize
5KB

MD5
aef6e96d082b935073a8ae15ba537f63

SHA1
704af73246a277c552c3ed2f859a227413de1b31

SHA256
75e8ce0baa4ccc7249d3d8a594d55744dfb6b6d0d9c272903ba8285ac504ef06

SHA512
a14c6de30455112aa8c8489ad080822f52554e4da087861cc49723e2f24f5bc292723cd5c129cb79fa13534f510a47e7e81173066633cf3716d983f951fc1955

Download Submit
C:\Windows\SysWOW64\Sys32\GVTR.exe

Filesize
477KB

MD5
489644a82021a8b7073ce20ff2ab34c9

SHA1
6384e2e97d957848d3a62af246f94e9c4a9e2f6e

SHA256
51fd851ac6c71b99feaa4d0222ba87e53363c4981f9727d054b97baaeca8eeaf

SHA512
95028425396879a03a003ae6e77f0567e13256a476ecc07779639b131091e206441e13d8a6aac99aef0135c065c6ccead9a9d5677fc63e70ec65f30e2509c872

Download Submit
\Users\Admin\AppData\Local\Temp\@D8D2.tmp

Filesize
4KB

MD5
c5c306d45c5b88d004a071941b12b030

SHA1
fcdd3d742203743514f195d6d1060a8475036632

SHA256
2e6181885f8cb215a7291d556100636a7fd2b409cb6df1f65f6c61d058521ec8

SHA512
fdc66e8a5338e60adda51b21bfc5a40b86293d16c5492c82cdbce3cf4f9743c8b49f5e2e4d31c5b827c50c257a08c6dc57d3266ae3eac60ac46ad14684802738

Download Submit
\Users\Admin\AppData\Local\Temp\Eu_Goes.exe

Filesize
481KB

MD5
5f45e559de5b279018a87b137ac9cd03

SHA1
daf85f2d7062b0336f9b56f2e1769bc5375fd494

SHA256
eb66b97b31ba81e4e885d7b8d3673aad9df7cd4bce0708e01fa860c614691be9

SHA512
c7d59b2d2f1356982fc20463f242f3965b4453756950cea705ea06c184c5310fb08ef68b2b7cbc2f4feede4d42a51d126a0c92940657da97ba591f3cf4014695

Download Submit
memory/2052-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads