ardamax | 01a7d7e26e6948a5154cd181493c5e9b8f878e0b15104210975b4e4cd512bba6

General

Target

22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe
Size

1.5MB
MD5

22c77ec19fdbc7049a312d8d29da7e88
SHA1

50f12f6451ce59e5449fdbce95e4363024a989e0
SHA256

01a7d7e26e6948a5154cd181493c5e9b8f878e0b15104210975b4e4cd512bba6
SHA512

1884f5a0d74ef461edd37163b33052db4e46a64d1c37a2eb8b162fee3c272f18fd288ba3f0f1e2e90f649ffd08c3b40a5ca85b2c48288cec391a6270eb5cfc9b
SSDEEP

24576:XVaUT/+zfqacw+005WuFp0beGy/EC8h/acjXoX8VhVi6b4M2R98OqPPFGMTfcH2B:XVrTmzfqLZH5WwcjXoX8YjR6OeGMTQ2B

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233f7-9.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4276	QPT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QPT Start = "C:\\Windows\\SysWOW64\\CKSOIR\\QPT.exe"	QPT.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CKSOIR\QPT.004	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CKSOIR\QPT.001	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CKSOIR\QPT.002	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CKSOIR\AKV.exe	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CKSOIR\QPT.003	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CKSOIR\QPT.exe	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4276	4892	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe	81
PID 4892 wrote to memory of 4276	4892	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe	81
PID 4892 wrote to memory of 4276	4892	22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22c77ec19fdbc7049a312d8d29da7e88_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\CKSOIR\QPT.exe
  "C:\Windows\system32\CKSOIR\QPT.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CKSOIR\AKV.exe

Filesize
456KB

MD5
924cfca73fb9033f078a0f0621456f3a

SHA1
21c1edeac0a21fa9676362915a63856e7cb59b1a

SHA256
7b62f4292c1324c6aa08b8da79d19440f47e2da72e2caa8fab6c93b0c4296aba

SHA512
24bf43cf465d9bd6a011c8f8f8cf59b8d26b35406f36ae6dda5ed1e6094f5c2b6a83d0c992be7d6d5129c5e9f3d077dabfee847dad56a883a96d503f5a7ae06b

Download Submit
C:\Windows\SysWOW64\CKSOIR\QPT.001

Filesize
60KB

MD5
c9cec63855b65f0d823ac0db81864517

SHA1
03e0c57d0f093ccd1b06ea5f07a127a0eb2587cb

SHA256
c69bfea6d64eef6169eecfaa3b576c9cb48f8fed190487f9051eeb5b3785af6f

SHA512
df8b021329ae4bdc04c72da289a0cb5c95b90e5a51e048dbb4dbb9a38fbcf4718ba249480dd0920cfb84d4141c97d2c7bbf9bcfef8906d83a8812d5fb376fa9e

Download Submit
C:\Windows\SysWOW64\CKSOIR\QPT.002

Filesize
43KB

MD5
d718a21bcd75d95744395d6dcf2ef9f2

SHA1
c2e3751640138c3ef8a137038ca6578838fa9073

SHA256
9d344f12d5aff2bf16090d875317075f6cc57fac95418d7b7469e51d6b363406

SHA512
f50267c1db72ecdb5a14bb5c97b2420fdc9e53295f1b87ce5df241c96d0c8654698e6c0fc9bc9bd6cd4feca2d2be650b422727a018a74565df08345d42065abf

Download Submit
C:\Windows\SysWOW64\CKSOIR\QPT.003

Filesize
69KB

MD5
007ad38074db50ff56a9bbd84fd1c3d4

SHA1
73770ccf0d220d917ecb8890ca0becfe934f0c7f

SHA256
ee318dcb3c61199660581422cd3f98c3721f1745930e545cb2fb44c88456f9c5

SHA512
a8bdce16cc19b0f18b5e65ecd671c3caa86f3b74457fffcbffa751921b299c74df767463ed6fd4f5d3240bc1957fc5d0731c8567897db857d6c067d2b7bc1bb4

Download Submit
C:\Windows\SysWOW64\CKSOIR\QPT.004

Filesize
1KB

MD5
57c869972a69bbe0981531e9dfb99631

SHA1
93b1ee373db88383c33cb10ed452d6810d7a7d11

SHA256
8564e4713cd2f0492ac2a03238333c6afda0cb373b690db0a38e01b7377ed66f

SHA512
7d6d3c25fc452835c1678098bbc9eec371260f7c06f50b864ca64800681151ee1af17c9a850484e08d75aef7c5705d0e3366ad84949bdd6ab514b7f269e5cbeb

Download Submit
C:\Windows\SysWOW64\CKSOIR\QPT.exe

Filesize
1.7MB

MD5
405f59610beaf42b02989637f07cb34a

SHA1
e43ed23cdf65da7f184daa6ce3ba8ad1f743c6e6

SHA256
3115b43b33937f05243b3470c917c47d2f79e01ca1bead3e0b150018b4be2b57

SHA512
fcb5206da936d76125806b36c4cea8909902fc1b3c85a23b5d22955d8c3ccc0a27f5f5da49f91015582b5b16e2614d9e129540c0cc6056614212079e0a84b814

Download Submit
memory/4276-18-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads