ardamax | 82b8b54d6320c5e10351ba41cf277ad8b48f1669bbac3c0cdb7e04ecb3842851

General

Target

JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
Size

1005KB
MD5

7f2524a569e6af1527c52684ff3e3d92
SHA1

c18f85864859e8b16070ea7368275bf2d661a8da
SHA256

82b8b54d6320c5e10351ba41cf277ad8b48f1669bbac3c0cdb7e04ecb3842851
SHA512

b9e4baabcb1755f7c0add9375f8726835fc72f0e54d210428ebdc1c519d692f4806cffd5d063aa247714a3bdbacffd3ec9770f1391a031e00a5fc981bd4e9cb6
SSDEEP

24576:QfiTEh0ErMQCiEj4CskphuosobwQmIqnSCCWAaR33:MiTG0ZLJRVs5QmIqnSJe3

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d37-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2500	VSMY.exe

Loads dropped DLL 3 IoCs

pid	Process
1768	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
1768	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
2500	VSMY.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VSMY Agent = "C:\\Windows\\SysWOW64\\9283\\VSMY.exe"	VSMY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\9283	VSMY.exe
File created	C:\Windows\SysWOW64\9283\VSMY.001	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
File created	C:\Windows\SysWOW64\9283\VSMY.006	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
File created	C:\Windows\SysWOW64\9283\VSMY.007	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
File created	C:\Windows\SysWOW64\9283\VSMY.exe	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
File created	C:\Windows\SysWOW64\9283\AKV.exe	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSMY.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Web3.5 = "1742294345"	VSMY.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2500	VSMY.exe
Token: SeIncBasePriorityPrivilege	2500	VSMY.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2500	VSMY.exe
2500	VSMY.exe
2500	VSMY.exe
2500	VSMY.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2500	1768	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe	28
PID 1768 wrote to memory of 2500	1768	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe	28
PID 1768 wrote to memory of 2500	1768	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe	28
PID 1768 wrote to memory of 2500	1768	JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe	28

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f2524a569e6af1527c52684ff3e3d92.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\9283\VSMY.exe
  "C:\Windows\system32\9283\VSMY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\9283\AKV.exe

Filesize
485KB

MD5
4ab520f74e0aa0aed3f30fcb3d805b61

SHA1
9f2f8520dd278b7b520847347480d055e015eebd

SHA256
283a798c5b3ca228f11fbe82449b623e1b7696616e16a5dc10289cf559ed465c

SHA512
8eaaadb27e65bfeaebfbd09a92bece5fe9b3eba884338e21bf269ed2fb988c6d2bd3dadfef5368511e436be91709e6150854a7cbd12b1b3a059dc33dcc586f39

Download Submit
C:\Windows\SysWOW64\9283\VSMY.001

Filesize
874B

MD5
8af18c64fe7301ab5232f2f07398853d

SHA1
9480dd5552a8cb4408a2eea17a01a8e10901b072

SHA256
5ed74d81b39160bdd15386c8a9b378736061335c68ad711aa981a0ab199abcb1

SHA512
3639cba25d83fc188ec6ad1563b3757e080bcaf23b006f83b59d0d429c522c6b47e74ecd63737eb2836186e58ec198d282a2d3ae36dcb38eed55a742d808f406

Download Submit
C:\Windows\SysWOW64\9283\VSMY.007

Filesize
42KB

MD5
f5febac4334611a73a5ff8dca6350b68

SHA1
79c05615355c69d0a48986e75fb3e8b4e0cdf01f

SHA256
12eb9b552509c5bcf12da9e486a43b9d0dcd178b056ea6759490163d2f836f7a

SHA512
b14e505c2ab37973aab1ffe82a4e3c13b2e029dccd6abfef76cf528f81a0e94a6ea5cb861d9516c4b2f7e7f417e246e6ff9d687ef8731e5920b3aef072b206d0

Download Submit
\Users\Admin\AppData\Local\Temp\@8BFA.tmp

Filesize
41KB

MD5
1d37734fccde498272db7781e9908b83

SHA1
fa80a7b860ed442514917f4a8779e3f1091e86fa

SHA256
5cf064962e802b7d8074000a90e3451b9cdd66768a046442943231392aa7e486

SHA512
785180a548778c1c626e7cc50a8ae9b1dd143409f3f9702bf1af1338adb16fb17b472dc0934c578fc455acbce6f33b63a22feb99551b710bcdadd213b20a25be

Download Submit
\Windows\SysWOW64\9283\VSMY.006

Filesize
60KB

MD5
08232c4ac7a429324f47e6bc80fc29d8

SHA1
c8219763c1e3f0d084cdfb3ba5a4b4c905676e61

SHA256
827a43bc2cf60a7294513c83ba2d61422bdfb1ffac506c85163914ae7df6d775

SHA512
aa2b74fa12628831df7fff34b3f1ff19a21ace4d24fb6ae526b1c1e08851e28da619323cf684d17e36455bc913699d7b65feadd724aa99d7a1575616c05ef722

Download Submit
\Windows\SysWOW64\9283\VSMY.exe

Filesize
1.2MB

MD5
9532796f5fb7eafd7501ece9425e2654

SHA1
586098a380a1f00ba6cd144a7628b1aadbc18f0a

SHA256
e183b703099f81a5178ff7fcd28316f2eda6eb5a17ab0e7bfbe1baa848d92f6b

SHA512
ebb73788dae098b6889af3963f20746e2457e08888a074bb0ad01fb88a2a9ef9d095338f3cbc1ea51478247ef509bdc43c948bea117ef55e53d838fb1d94243b

Download Submit
memory/2500-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2500-23-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads