ardamax | 2729f96cef4feb27b331f804206b1cadd5635e2fd887ad57f02518cc33c116d1

General

Target

0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
Size

3.3MB
MD5

0884e80bb810720287c10ef2256acbbc
SHA1

69be1ea392fa0b2290b627cad48f8b94ca163d72
SHA256

2729f96cef4feb27b331f804206b1cadd5635e2fd887ad57f02518cc33c116d1
SHA512

b64c4fb06806786635bdfbaf61572b4b987c30d161656c577712a4d10e1237d4aa9fc50a673924abc8dfc3f8c7cb551704f6738ab9416c386198fa8a5ad9b663
SSDEEP

98304:GVqypFXeUnvZP8Rm/9qcL8mbjYmJHBmHM:G9nBERm/lLdnxnmHM

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015b85-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1608	QUL.exe

Loads dropped DLL 4 IoCs

pid	Process
852	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
1608	QUL.exe
2676	DllHost.exe
852	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QUL Start = "C:\\Windows\\SysWOW64\\JWKUCM\\QUL.exe"	QUL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\JWKUCM\QUL.004	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\JWKUCM\QUL.001	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\JWKUCM\QUL.002	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\JWKUCM\AKV.exe	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\JWKUCM\QUL.exe	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\JWKUCM\	QUL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1608	QUL.exe
Token: SeIncBasePriorityPrivilege	1608	QUL.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1608	QUL.exe
1608	QUL.exe
1608	QUL.exe
1608	QUL.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1608	852	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe	28
PID 852 wrote to memory of 1608	852	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe	28
PID 852 wrote to memory of 1608	852	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe	28
PID 852 wrote to memory of 1608	852	0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0884e80bb810720287c10ef2256acbbc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\JWKUCM\QUL.exe
  "C:\Windows\system32\JWKUCM\QUL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1608

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Soa pulina.JPG

Filesize
2.2MB

MD5
c0af0e79967982558d07da0b0c5ed8d3

SHA1
787ca1142c0607659c0b3e60804adbe3f5179833

SHA256
c8261c9aac7556a8c2322a9124d22873e00b6298992419d31acca399eb10320d

SHA512
49af2fdbd664eb5b594631d1aacbff3f995d5bd63af9f23a0721805d29cbd9382ab537874809c94e35a9bad753c9dd938e203f5c064d3ddbc164a14b72b77b7b

Download Submit
C:\Windows\SysWOW64\JWKUCM\AKV.exe

Filesize
461KB

MD5
7e335c1258740a5798c2b3eea5a97229

SHA1
6ce1e98ddc05a4b9e772901c9bc6caae4103267f

SHA256
667ab5d791b89216a46f7dd3a1bcb9b7e5f235415a74a9678ca41cec051c462f

SHA512
8c190dd139f5459a91c81871f53fc080a81c6397c68cb5b0ee195571012cc8af923b10cd77301da1816f935d36a0587d1c75126f5553005a0f50eb22d3441cb4

Download Submit
C:\Windows\SysWOW64\JWKUCM\QUL.001

Filesize
61KB

MD5
9fca42b7fa3132ded471b886c4bf8a51

SHA1
86109ac13f8b63bd3467bbf05e39c5cf9bd11d26

SHA256
c519bcfc50245700b30cb417478b46810443b03a6447387dd1d0a13966ff00dd

SHA512
bbdd590e1bd2971fbc6a462f6501341c0808d658ba3407b051f9d299d9babf0632af092d64c6ad290d4ae5d9db8c367898a064bbea916c516c0a54066ad698ab

Download Submit
C:\Windows\SysWOW64\JWKUCM\QUL.002

Filesize
43KB

MD5
4c30b3e90b3da5619bc0d5f53c025135

SHA1
829f487b7c26f6cb8b7f211b2331abbc5229aa61

SHA256
b632cedab7ce3d19eebc0d31864dc8c38cd249dcbde299cda818f7026ec294cf

SHA512
fd0b36fb43c6b62f6d47455b392276d4e3710b204ef11c70cefed417740a4b5d9357ba37f612f3f87d539175af312ead05bc7a4360fe3e26fd43c56e856e6313

Download Submit
C:\Windows\SysWOW64\JWKUCM\QUL.004

Filesize
1KB

MD5
11d19265998646011ebc13f658be5180

SHA1
d304b1b52b03eacc8a30968649f95f70d9ed6bbf

SHA256
758d8db063d781371dd2e4b4580bd5dd989592631625dbf9a93723825dab48cc

SHA512
b244891db3237bba0ea1a62a04f2121ef3196cf057b2086c1e99cb6e1c8b0ca5ad1ccedfa20e0e54bbe0ebdab2035d17dce1d7605328a0cf248df062a7b2c208

Download Submit
\Windows\SysWOW64\JWKUCM\QUL.exe

Filesize
1.5MB

MD5
9c28244f2dbe3a4758b532838b0040c9

SHA1
4b58bb4033d43ae64af6c18db48d5d25e23f6121

SHA256
cb770745d547a27a4b99fdbe27a672135f812b29d94fd2b843d06bb5aa1748aa

SHA512
24ed3d4c6aae307a0f1bb1f063b211152644b06d7425a5fe24b09f5f747dd63011451cef3f47cc4985b3316cf1213c056d38768ccb7f44cb2fab28cf4e30e969

Download Submit
memory/852-20-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1608-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1608-23-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2676-21-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads