ardamax | 653a2c5e7b6269ce2988ffd4c0a10513db882716838916ed412aac7c828e3442

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe
Size

2.6MB
MD5

7e3f5dc077b3c5b7a325f69b28ddd6fa
SHA1

ebbdb581472554bb132fe9922d6bec9c346c9e4e
SHA256

653a2c5e7b6269ce2988ffd4c0a10513db882716838916ed412aac7c828e3442
SHA512

08d5f21b88c4b4185424f0c07a5e1be22c3d46c21f41f06ba25011ea0cf8988aefe5762ab086022712f7a8a668ad03cbbb474ba9c7dae4b7959a72ce897394e8
SSDEEP

49152:XaPQbgW0hZA6ZiTZ4FE/ZHx1qZ4lC37ovKnMkIzTSnM3pJBo/s:zbniOt/MF4KKXSn

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023491-27.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 4 IoCs

pid	Process
4108	Kopia setup-4.5.9.exe
856	Install.exe
3656	Kopia setup-4.5.9.tmp
2452	IQFA.exe

Loads dropped DLL 7 IoCs

pid	Process
856	Install.exe
2452	IQFA.exe
2452	IQFA.exe
2452	IQFA.exe
3656	Kopia setup-4.5.9.tmp
3656	Kopia setup-4.5.9.tmp
3656	Kopia setup-4.5.9.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IQFA Agent = "C:\\Windows\\SysWOW64\\Sys32\\IQFA.exe"	IQFA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\IQFA.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\IQFA.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	IQFA.exe
File created	C:\Windows\SysWOW64\Sys32\IQFA.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\IQFA.006	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopia setup-4.5.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopia setup-4.5.9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IQFA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2452	IQFA.exe
Token: SeIncBasePriorityPrivilege	2452	IQFA.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2452	IQFA.exe
2452	IQFA.exe
2452	IQFA.exe
2452	IQFA.exe
2452	IQFA.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4108	4464	7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe	83
PID 4464 wrote to memory of 4108	4464	7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe	83
PID 4464 wrote to memory of 4108	4464	7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe	83
PID 4464 wrote to memory of 856	4464	7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe	84
PID 4464 wrote to memory of 856	4464	7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe	84
PID 4464 wrote to memory of 856	4464	7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe	84
PID 4108 wrote to memory of 3656	4108	Kopia setup-4.5.9.exe	86
PID 4108 wrote to memory of 3656	4108	Kopia setup-4.5.9.exe	86
PID 4108 wrote to memory of 3656	4108	Kopia setup-4.5.9.exe	86
PID 856 wrote to memory of 2452	856	Install.exe	87
PID 856 wrote to memory of 2452	856	Install.exe	87
PID 856 wrote to memory of 2452	856	Install.exe	87

C:\Users\Admin\AppData\Local\Temp\7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7e3f5dc077b3c5b7a325f69b28ddd6fa_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\Kopia setup-4.5.9.exe
  "C:\Users\Admin\AppData\Local\Temp\Kopia setup-4.5.9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\is-7B9TE.tmp\Kopia setup-4.5.9.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7B9TE.tmp\Kopia setup-4.5.9.tmp" /SL5="$60290,1816456,54272,C:\Users\Admin\AppData\Local\Temp\Kopia setup-4.5.9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\Sys32\IQFA.exe
    "C:\Windows\system32\Sys32\IQFA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@BC89.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
832e577bd7636d2e7fed0cdec1621b35

SHA1
09d2c2664ba14fce46fa7bd01b24da0942909125

SHA256
71c47d10f5c157edeada86ce7016556bb2cfa5478b68c54c6504293f1f9429ca

SHA512
d21a74fc1831cfaed2625c76a1e78a6be7481f7bd7f66f695159efe6b131cfb10a9d89f37fe5e55668cae67c2a21a1a9a90665ff0ee819dc5ce03fd4f902d7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kopia setup-4.5.9.exe

Filesize
2.0MB

MD5
76641925fb1808e61be234c076ee0793

SHA1
9536eef3b699d52460e9e5261b9f669f87955d0f

SHA256
dd0b2a6f679c52c13c70b01aac9102a8e6b6442e208bcc7c2debc3a4de7c9a80

SHA512
6c588de91cf02b8eba5567821ad96d82c243dfd2b9e84d348cbe53d6342316655b5365c02aec44ed0eda45943a01828111673664d53936c6d9efdeb6bc8bf6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7B9TE.tmp\Kopia setup-4.5.9.tmp

Filesize
683KB

MD5
ce4e0ff83ac2a3256fd5c220562294a1

SHA1
72429c43cc4ed0a184a9c7b208902005489ff49a

SHA256
130ec61d37b76fa26a4c7ebcf210467c5be3ae2ace7346546c65f093478bb06b

SHA512
b375a78ca9b8e30ba665d3934716e5d3ac5737d8cf05a562f59c8b142923e3a79f1c44b55e995bd43fd0a9056a122cbe332d33947f626fa2d5bfb9f2e1824e98

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
869461e168a87283a8782e70f5d5a3a8

SHA1
ab189b5f2682ae66162226b4f646b1e80486c653

SHA256
992cb5ea845b2d24c02f4e40873bf4ebd7b58b57ae2e001907228af4879e575b

SHA512
e4e77e07eb0ef2adb6d5ebdb9629f4632c417cf3d1a22e4c414b806bfbd259df13f6c88265f9346ed2b22bf67eb3d63924d86767c8508be4abdc9067f15a82ae

Download Submit
C:\Windows\SysWOW64\Sys32\IQFA.001

Filesize
450B

MD5
aec921a1612ad0252e45a0f8ee253563

SHA1
c591a991b42e8686e881df63f7d065b09c3ac7f0

SHA256
5ed110f0c49b667cea9af13b44e81304fcb395594d84a4bf82c3e22650fb0ba1

SHA512
e20765bba40f09a9c6676b8437ec45b714c2cc5b9f82539a28c60418bc96b5fb79101087a21a64f83f79f7dcf120d3b97ca4c88603ed85bc4517ace5541c3302

Download Submit
C:\Windows\SysWOW64\Sys32\IQFA.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\SysWOW64\Sys32\IQFA.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
C:\Windows\SysWOW64\Sys32\IQFA.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
memory/2452-39-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2452-55-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3656-34-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3656-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4108-19-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4108-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4108-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads