ardamax | 4f315383c0983c00c28f31cd008b60c6eff4f8cceb070cf70713405c02a97458

General

Target

a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe
Size

605KB
MD5

a5e2762223935a4dfb2d698249e0dec8
SHA1

5ee41d8224806321f8b9d950d844198a47a4e227
SHA256

4f315383c0983c00c28f31cd008b60c6eff4f8cceb070cf70713405c02a97458
SHA512

ddd8fedf465ad56990c10936d7c60d93f43657c00191affc628d749ee7ab184ae8635d52a92b288dfc657077de2ad7428a30007919c7360f9f385c98e88dfc2e
SSDEEP

12288:IP+PbVQvXpZvCDi+fa3c54/I2XHrSm3rY//8JqhLtnIm:pjy7F4as5OLXLRY//BnI

Score

10^/10

ardamax discovery keylogger stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234ae-22.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1456	Install.exe
3228	VNQS.exe

Loads dropped DLL 5 IoCs

pid	Process
1456	Install.exe
3228	VNQS.exe
3228	VNQS.exe
3228	VNQS.exe
884	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/884-0-0x0000000000400000-0x00000000004C5000-memory.dmp	upx
behavioral2/memory/884-42-0x0000000000400000-0x00000000004C5000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\VNQS.006	Install.exe
File created	C:\Windows\SysWOW64\Sys\VNQS.007	Install.exe
File created	C:\Windows\SysWOW64\Sys\VNQS.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys	VNQS.exe
File created	C:\Windows\SysWOW64\Install.exe	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\116604.jpg	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\VNQS.001	Install.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32zcleaner.bat	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VNQS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3228	VNQS.exe
Token: SeIncBasePriorityPrivilege	3228	VNQS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3228	VNQS.exe
3228	VNQS.exe
3228	VNQS.exe
3228	VNQS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1456	884	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe	85
PID 884 wrote to memory of 1456	884	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe	85
PID 884 wrote to memory of 1456	884	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe	85
PID 1456 wrote to memory of 3228	1456	Install.exe	87
PID 1456 wrote to memory of 3228	1456	Install.exe	87
PID 1456 wrote to memory of 3228	1456	Install.exe	87
PID 884 wrote to memory of 4480	884	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe	94
PID 884 wrote to memory of 4480	884	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe	94
PID 884 wrote to memory of 4480	884	a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5e2762223935a4dfb2d698249e0dec8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\Install.exe
  "C:\Windows\system32\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\Sys\VNQS.exe
    "C:\Windows\system32\Sys\VNQS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\system32zcleaner.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@AEFD.tmp

Filesize
4KB

MD5
b8416a532c8e995dfb2789ff77fa5618

SHA1
b5421c4f4ae3f27a9278b60d6ef683deb3111251

SHA256
f93ff177d9d79a04d8a35a57689e9977babf939de260f27fbc832c0be981ca89

SHA512
30dcc35db52f723490ea03df3abe5efc9374035a339f060a7468cae79bf8ba379538a87ad5217f0f0e06b741fe6497917b4226e65ac9c0e3026900244c3094b3

Download Submit
C:\Windows\SysWOW64\Install.exe

Filesize
473KB

MD5
0505f56cb8f0fbb8a6631060e703640d

SHA1
6b3bf0ffee4a57c52ea3558bd580130eff61ab1d

SHA256
64bbb1bce626e4410ec86953c6e649b39b2e0ddf0d51e2722e54c48f78c196fa

SHA512
086540b3a58320968f10a2908621b9ad2069b55d333cb5934b75a8eaf39e014b1f126dbf381030d3e8cc515cddcc4baed4098f61f58db184da3711aef063465a

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
81f6a58eb4c46ebf68ac1dbcdeef7901

SHA1
1732b02862a98c039055e1fd5b817b07af76659e

SHA256
72fc82a07b19ffb5f2c8e2f292db1b0ab42c96b12ef10110562eddcc2297d3aa

SHA512
b0d1325bdf8dcd2683e46f8dfb984fbf87b7d92d8ec3f2a0d8330a313d6ae26847ca5e4a0ec9bd65d8ef09344f2d489af9a2866b3b2a67377c14fccdca63f6cb

Download Submit
C:\Windows\SysWOW64\Sys\VNQS.001

Filesize
3KB

MD5
37c7fffacfd8d7c1e0b02e06f235f935

SHA1
732002b4fee161322b20356596f7454414288614

SHA256
bec8b4d200e99955681b6b951554a397fe109f73c8840605a9a71f6435455dde

SHA512
07de54acc27aedded20a105a2a3130049ca3362df5567b6ee365f745716b726378704133dc61c3f610a20a6be66a3f14e4d7bb0ed8c88b52de4b7214da5954b9

Download Submit
C:\Windows\SysWOW64\Sys\VNQS.006

Filesize
5KB

MD5
271bbf07cc8006c3335db6fc21622be4

SHA1
cb0caf39bc1cab16ec8a39d6a11160865703c329

SHA256
5d6e4701d424e8e095b95c98f87bb1946ac0254bd089d128c4a4c3e5b13ed5d7

SHA512
65dd41d4bb119d1f3801dc3097254e967d747661c83bfe0cd3c061441b63e1dd4928a0476fbd4a015631ecf1d511d2f66ec87f2bd078b6bce0b86fdb659392c8

Download Submit
C:\Windows\SysWOW64\Sys\VNQS.007

Filesize
4KB

MD5
2d8ec35eb48bf5cbc8c38a7a8d6cfa51

SHA1
4f43dc1a30731acba6d33b52c3970c9815f5be34

SHA256
7b6d9330aba21844b6f267489d29f0e10b4beea3a749b72d5dec9e8761c98d3e

SHA512
0a2f41f3e88132e56f7ce3c83e24753c80c9344011b0dcd943def8733b79d197e10ad5fba82be08f0054ec5d4c9af731f1a1eb4e041a93cd81c25b364087176e

Download Submit
C:\Windows\SysWOW64\Sys\VNQS.exe

Filesize
468KB

MD5
62401443a0feeb13a9940fcc78558090

SHA1
6200cf99b3a6a1bebde29378a6260ddf92d13370

SHA256
69761c67078239fa4e05676e0974f7d7410de0f6f00d19f8f69c9a180c0d5de7

SHA512
2001aa6875728c2ba75b1f8ee44fbb87a508598194f5ed6e5945292c2eb67874c3bc619da84a107ac0e5bc83748625eadcae0ccbd9f1f5414575db3fc3e92ce0

Download Submit
C:\Windows\system32zcleaner.bat

Filesize
140B

MD5
76477a794c43a2ceeac4d36bcbd62812

SHA1
a6ece953e579d7f5f984adab8fda15d7e7fc6f26

SHA256
1b333790bbfa99c3501165eeceace284e52464f55da967f76368096601164f6a

SHA512
9207f5ccb7d0a49c69af41929be4082fb26bb8334727629be257cd4900b6e9b31336a7e2b989fdc45f8787f22eedd40e33c9264b43160f216bc28bb53f63720a

Download Submit
memory/884-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/884-42-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3228-33-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3228-44-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing