ardamax | da59ea3410c527d88a366d6d96b77d1b813ea65379bf94338acef968659f76a3

General

Target

JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
Size

480KB
MD5

2151b3962417697f7ff01b06e87df2e8
SHA1

22953f41c93a4a870eca23da2468ddd128627190
SHA256

da59ea3410c527d88a366d6d96b77d1b813ea65379bf94338acef968659f76a3
SHA512

7e73bd425a6333c68b012ba5a59bc9f15aecfd9c0dd76e17e136c55082e8dcaff5aa7932ad8b8610fcff0897362bfe2785acd921a035e4e6a507583964d5e23b
SSDEEP

12288:rsuemPZSaSUkQmIWtXE4Cwj9RKp2TvgyB/HzyaxkrzPCW0PYkbm7ybL1RL:6mPZbVWtntRKpg7fzyaiLCWp7yb3L

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c83-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe

Executes dropped EXE 1 IoCs

pid	Process
3392	VTVX.exe

Loads dropped DLL 2 IoCs

pid	Process
876	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
3392	VTVX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VTVX Agent = "C:\\Windows\\SysWOW64\\Sys32\\VTVX.exe"	VTVX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	VTVX.exe
File created	C:\Windows\SysWOW64\Sys32\VTVX.001	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
File created	C:\Windows\SysWOW64\Sys32\VTVX.006	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
File created	C:\Windows\SysWOW64\Sys32\VTVX.007	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
File created	C:\Windows\SysWOW64\Sys32\VTVX.exe	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VTVX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3392	VTVX.exe
Token: SeIncBasePriorityPrivilege	3392	VTVX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3392	VTVX.exe
3392	VTVX.exe
3392	VTVX.exe
3392	VTVX.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 3392	876	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe	82
PID 876 wrote to memory of 3392	876	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe	82
PID 876 wrote to memory of 3392	876	JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2151b3962417697f7ff01b06e87df2e8.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\Sys32\VTVX.exe
  "C:\Windows\system32\Sys32\VTVX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@AEAF.tmp

Filesize
4KB

MD5
ac3fe2c556596b659ee6b595c58e10a5

SHA1
815ed04b1a4045fde2660d2f5e36cce75cba96e1

SHA256
b264c6fa863a4471fe3334a3f7404145bfd2e4d41904e6395a35f050f39a34a9

SHA512
43a4798a3c0c31c8c8797cb519861579818350365c26665fe0b8c65f4fa3c8ef6bc1837ac6ceffc6c31e51e1bb572cc294c091b7ef5f891a20010521575aa514

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
42d621e2cfb9c20627fca4a0376c4174

SHA1
fa89729dd54f9d68c92f423eada65c993bb194f1

SHA256
52e97b8a9c6ab207767616f71834b6160f7476890e0d12528140dd751e408426

SHA512
5c5386d1f504df56a60fd4dc402f90915f44f513a2c70c0645cdcfb57d92754bf545b0f704e2ac1ab1bc9e985fe164d7e740d2f8f3867fbdf13cce7048dc199a

Download Submit
C:\Windows\SysWOW64\Sys32\VTVX.001

Filesize
384B

MD5
cb0b53a340a572f49ca631e7c7651544

SHA1
e6ec79f215d5fa0e7be755dbbdfb84564bdd0705

SHA256
62808ac2de3b0f6472b47764d4ec690a47300a07d0b66c688146e35bcd2f76e7

SHA512
23474bca3fd08659b82349d5ba6449882d5a59d18817f5ce5d452b6a93f221c22f67d437341673548765d6fed5ed8f7fa5086d85c77423f286fce17127a159b8

Download Submit
C:\Windows\SysWOW64\Sys32\VTVX.006

Filesize
7KB

MD5
cae44465a902cdee5716cd290f5e5d15

SHA1
d847caa95776c5d238bcb16530cb266d9a4a214c

SHA256
440512b20650797a76add16ca5ce4a079f73e56b56b4b17b892f881d70ca69b7

SHA512
4e4f80188b8b5391e81f92ef47caf98feb06a7bda8d75f8f55b65c23fc0738048dbb56bb0007505b8f3f86b0183d7b953252133d79c95dca02e385a89f44a7ce

Download Submit
C:\Windows\SysWOW64\Sys32\VTVX.007

Filesize
5KB

MD5
ec7ae4f69f2cbb52ee4fbbc0ddf4d1e8

SHA1
0b4baca1ef2cfb23b7cdc21a94bf75971ce857c4

SHA256
b9078189accbcdd76a0fbda68020cbbef096a1f01ba4351a54a4232e356008f0

SHA512
263907449236afb75ef29a3822c5493dbad4dd18ae5a9b21199a3c51304c057bc94f1cb4b6d23a3c308ec0e3cf26989b40f685c301e0678d694f32fa66aa9c0d

Download Submit
C:\Windows\SysWOW64\Sys32\VTVX.exe

Filesize
476KB

MD5
3141cee1200fc3f14e92336d7d8dbed7

SHA1
0eae11bcfb73105bf20c272bfd17cd368d38b668

SHA256
a7b5fadbce366e689b54af37cb0dc84ba2a51bf0ba5f52efd46367d015a8b8a5

SHA512
429d1cd67c07571429a55c62218ee7902796c6dc22f20e4292a3983e0c37d307d3f46c7d198f9781a0bac1238c1b35ea4ffdf317386890837db16a2b73d6e054

Download Submit
memory/3392-23-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/3392-25-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads