ardamax | ed4a22e4be09281a3450114792f3ebfae0c0b1106b96331c30c6cef4d6b73618

General

Target

JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
Size

2.3MB
MD5

8fe47798bc47d7b775803e1dbef3c8be
SHA1

bce6475d95dc735f3c0f308d40916f2931a7955b
SHA256

ed4a22e4be09281a3450114792f3ebfae0c0b1106b96331c30c6cef4d6b73618
SHA512

fef0aaaea2464223f9897f97911ae38bda6411e88261095c8b25f766f1d0c86dfdec4b86ea03faceaac462a042d7ac55cda96254c1327eeed1b69923f090090f
SSDEEP

49152:vucTMaQtsTAcapB8h6S8MKOaK6P0h04dg310EcZ09EjvMj:vcJsTxgBd7tI6PS04eKEEbMj

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
rui.costa

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cab-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2784	GPU.exe

Loads dropped DLL 4 IoCs

pid	Process
2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
2784	GPU.exe
2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
2672	WINWORD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GPU Start = "C:\\Windows\\SysWOW64\\RYYGCG\\GPU.exe"	GPU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RYYGCG\GPU.001	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File opened for modification	C:\Windows\SysWOW64\RYYGCG\	GPU.exe
File opened for modification	C:\Windows\SysWOW64\RYYGCG\GPU.008	GPU.exe
File created	C:\Windows\SysWOW64\RYYGCG\App_Feb_04_2025__04_33_01.html	GPU.exe
File created	C:\Windows\SysWOW64\RYYGCG\GPU.008	GPU.exe
File created	C:\Windows\SysWOW64\RYYGCG\GPU.004	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File created	C:\Windows\SysWOW64\RYYGCG\GPU.002	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File created	C:\Windows\SysWOW64\RYYGCG\AKV.exe	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File created	C:\Windows\SysWOW64\RYYGCG\GPU.exe	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2672	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	GPU.exe
2784	GPU.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2784	GPU.exe
Token: SeIncBasePriorityPrivilege	2784	GPU.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2784	GPU.exe
2784	GPU.exe
2784	GPU.exe
2784	GPU.exe
2672	WINWORD.EXE
2672	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2784	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	30
PID 2380 wrote to memory of 2784	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	30
PID 2380 wrote to memory of 2784	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	30
PID 2380 wrote to memory of 2784	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	30
PID 2380 wrote to memory of 2672	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	31
PID 2380 wrote to memory of 2672	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	31
PID 2380 wrote to memory of 2672	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	31
PID 2380 wrote to memory of 2672	2380	JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe	31
PID 2672 wrote to memory of 3004	2672	WINWORD.EXE	33
PID 2672 wrote to memory of 3004	2672	WINWORD.EXE	33
PID 2672 wrote to memory of 3004	2672	WINWORD.EXE	33
PID 2672 wrote to memory of 3004	2672	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\RYYGCG\GPU.exe
  "C:\Windows\system32\RYYGCG\GPU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sobradelo.docx"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sobradelo.docx

Filesize
1.2MB

MD5
5c1a4ef8f1642dc7d47b9ed8e488119d

SHA1
648fc017422d9703c12e44fb31a9bc19d9074ed3

SHA256
1e0dd3eda8a3a157b960922165c4539a96daf88b47d302c381a76b6624b4a8b4

SHA512
612e42bcb23e6d59d316cb069b8f95fbee896a0874312a0becf2f7e10fd297df80144bc9e411464f141ce4a1d568496d803933acba045bb843eda99a2bc69aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\SysWOW64\RYYGCG\AKV.exe

Filesize
487KB

MD5
eb9f503f6859a5161bcb9aeac042ceab

SHA1
d46039f98020e296bbd6455c834c6299528c821b

SHA256
51fc5b6f1711fd6b4b5945d935d37f57609eafa68d865c1ec1464b0ab221830c

SHA512
fa034d6292e0c16bb4958f1efe2b51577db99df6ccdb2223ba3fee4bab1796a5d4fa37667c077296da22e4c67d39ae0667a428f774aa2d5d3c7750a28320d33d

Download Submit
C:\Windows\SysWOW64\RYYGCG\Feb_04_2025__04_33_01.008

Filesize
518B

MD5
79641b6731f27076fe7c5fabb60d6d38

SHA1
bb1a61fd2bd6aca516e086b37288fbdb44c5d947

SHA256
500e437ab249ce874ac0aa23e0036593a2f238cee484e346574ff69e698a01f7

SHA512
6757b6d1e83abaf8b337f686029b7dd81422dbce23993cda829d6fb08a6b06cb1232d9729784033003cb63b0cbaaaa92eab7bcc11b8338970183421f10372544

Download Submit
C:\Windows\SysWOW64\RYYGCG\GPU.001

Filesize
61KB

MD5
2666d675f8905ce58b7e961ffbfe8f61

SHA1
afa6625a916d27da14a591feba03352b2afb91cc

SHA256
1594c6986d0e4339825e2c812791c54c912d8358a76b6058da0bf6bba5f5c697

SHA512
81193afcb9406ea906db628ae434f576b6e4e2959674902cf8c2b11f5c7007b384a8e0385a6889637506f289d4849dd8dcb32dee9302363834333ef7813a2778

Download Submit
C:\Windows\SysWOW64\RYYGCG\GPU.002

Filesize
44KB

MD5
52f41f282445a7a75238c2bf31ff7b7d

SHA1
5b5c5eb4066e2c583137dff7e1333b89640514a7

SHA256
3a9e12f314bf9b5f043f3f05556b244a7ba244d3625f8adbd9cb59e9385ac4f3

SHA512
bc6e2959be659a86a2de4bb1dbae8171a6b02e39fd98e948c1c40e96e101e73af274e6ceb590fd5aa5e5cb558e8e80fb79aac0162cdc2266ab1b173bda419107

Download Submit
C:\Windows\SysWOW64\RYYGCG\GPU.004

Filesize
1KB

MD5
ed29d01a82e5b08ab40cf5c3f5fcc932

SHA1
f6b115bca43516233654b96eecdabfcafc3e25c1

SHA256
2550b2e4567960465b7b486b390a2d6068f5b81f4d529fd70b103061213255e7

SHA512
096bcc1e7c2b63ead8e4be8ee1c47217de39db6c6c9f62a22c3c2aa6b05d2c7133bafb07a934aa4f0a07ad3d14092ac0e3fb3fcd9ad7f917622e563dab6a202a

Download Submit
\Windows\SysWOW64\RYYGCG\GPU.exe

Filesize
1.7MB

MD5
68c19411dc10799efff9cfdb1dfa6ea3

SHA1
b337a16ee1a383ff4406fdaf65816f67174a6ec6

SHA256
a8565859541d680f0d8c74acdc0e0fee438de817785f4f596e470bdbefca0855

SHA512
16a2d576df4a24fa7f973e8e588f8cc79281d03343510344e6ef4ff8e3903e3a7751f38ef4f1c9fa2f8bdfaf3181b4fecae6905833df861c98e5b7b993a429d3

Download Submit
memory/2672-23-0x000000002FAD1000-0x000000002FAD2000-memory.dmp

Filesize
4KB

Download
memory/2672-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2672-29-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2672-47-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2784-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2784-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads