ardamax | 5d2fe12230c1823267fa32116975e6d4d61378d60ff795aaf221db1ad2510fe1

General

Target

bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
Size

1.2MB
MD5

bdacbaac7288774e1a08e13499f57a06
SHA1

a492c96808082bfb5aa2fd262e94c8e23c96989d
SHA256

5d2fe12230c1823267fa32116975e6d4d61378d60ff795aaf221db1ad2510fe1
SHA512

01e0966af6c98c184415436e50b53a04512937e1b666a763bed73e64467193e92d0ff385332f7e1b03904415c8f77835ec021a692f58cce1b9b490b839fb0c77
SSDEEP

24576:E0NzTkTxqqlKZF9qnQAmj9nmiuqNiUtSvAHwf3LozYxFekDpqO:E0pTk5lS9qnUj8TqYUnHwPszkg+E

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018b3e-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2448	SIQ.exe

Loads dropped DLL 4 IoCs

pid	Process
2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
2448	SIQ.exe
2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
2736	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SIQ Start = "C:\\Windows\\SysWOW64\\FSHPTR\\SIQ.exe"	SIQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.001	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FSHPTR\AKV.exe	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FSHPTR\SIQ.009	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\Screen_Aug_24_2024__00_44_45.jpg	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.exe	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FSHPTR\SIQ.008	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\App_Aug_24_2024__00_43_45.html	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.009	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\Screen_Aug_24_2024__00_45_45.jpg	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.002	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.008	SIQ.exe
File opened for modification	C:\Windows\SysWOW64\FSHPTR\	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\Screen_Aug_24_2024__00_44_45.html	SIQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIQ.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2736	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	SIQ.exe
2448	SIQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2448	SIQ.exe
Token: SeIncBasePriorityPrivilege	2448	SIQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2448	SIQ.exe
2448	SIQ.exe
2448	SIQ.exe
2448	SIQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2448	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2448	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2448	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2448	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2736	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2736	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2736	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2736	2476	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\FSHPTR\SIQ.exe
  "C:\Windows\system32\FSHPTR\SIQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Install.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install.txt

Filesize
1B

MD5
e1671797c52e15f763380b45e841ec32

SHA1
58e6b3a414a1e090dfc6029add0f3555ccba127f

SHA256
3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea

SHA512
87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c

Download Submit
C:\Windows\SysWOW64\FSHPTR\AKV.exe

Filesize
484KB

MD5
4f60429f20ac507bb61cb45998a73847

SHA1
c094a508b75c7c9a83cb04cd1fa9a547ab87fded

SHA256
65478b0bded54534eb7e1241a8da267c57b55c3da90adce2880c04b861c6ddc9

SHA512
e5f879e4e21051d91f7bf88e77dbbf1c288d595988d55a13ef703e242094e8a762c3262200cf478d55ac91d12cefcdd176646cffaf88439313d8e44b12c5fa91

Download Submit
C:\Windows\SysWOW64\FSHPTR\Aug_24_2024__00_43_45.008

Filesize
446B

MD5
36585cfb4271e598ff10cd17dfcebaa9

SHA1
3275aa7e177934f87843b47c1322611e77c48fb1

SHA256
242bd84f79872f15a6ccbe6b829a7fbed858e84db7492e9e6bd18748c1cf7427

SHA512
7a2a5d90952139333254ba46990905c563b87be61f92fadbaf9549ca3e4f10e7acda62fecdf1fab8ddb071716df48268ef4c35877c9bc5445435d8168cdba2fe

Download Submit
C:\Windows\SysWOW64\FSHPTR\Aug_24_2024__00_44_45.009

Filesize
115KB

MD5
cb0e16d82fd67bfcf4cc69249a39be03

SHA1
64253e9cf7cac45a0c731485fe56d5b63c2568c9

SHA256
b2c7dc58e963b4fe77e98e456331164d166b09e8d2dfa0f5e6975c8a8851d7f7

SHA512
afe29ee7dcf9d8488a1dc282b75d3e09039cd45bb4c868f062dae47f7c101b982777c5b987823d3223d5a2c810a9c536a9dbb9b212161bfe7a36a8c6cf9090a3

Download Submit
C:\Windows\SysWOW64\FSHPTR\SIQ.001

Filesize
61KB

MD5
0d52ec4abb6e5055a153d97eab5bc2da

SHA1
f01f83ac6741d9d53aa43501d456c5b003746fe9

SHA256
845e34cf0373b2e959d3d27cfe09d858283dd6a4b335014c3b82e4af1161b321

SHA512
5876e5a0401d9520678e733fc89147d6a6d7ef5bf6f8dbbb59276c79f8cf57301a49b3c20861a5696ee36337d6b151c32c3be2abcdb2990301bf0c616ff0be19

Download Submit
C:\Windows\SysWOW64\FSHPTR\SIQ.002

Filesize
43KB

MD5
fab6c7c9f60f3a391f22754e221ba23f

SHA1
b885a44fa6a8d6c0f08069f202527de1e93d460e

SHA256
11c28e015fb748bf664203c92288252a90aa7119079094d5fed17bc6ebfc803b

SHA512
86c368b8d542ec4dde120effcdac80a03118b8296188f3e09dde81883903b6a51a1bb6b981d394e05ff21bdc1cdcda125a427bfdb76aa209e706a58666e342bb

Download Submit
C:\Windows\SysWOW64\FSHPTR\SIQ.004

Filesize
1KB

MD5
2ddff30336bc233d0a0e575688949bf9

SHA1
448fe7cb45214c96f7faa6134db5dbcc984059d0

SHA256
0ec43fb4f2b6a4488b99b0ec4b5a0f03722477ca02983b3d6ffbc195d3bae703

SHA512
a6f832282879a82b47493d191b85619b6be0d6d37de818ea92d64d804952add90cbce184866bbfc1812898f0d377750eb3ac56979a9573d556d6fd050c8fd7d8

Download Submit
\Windows\SysWOW64\FSHPTR\SIQ.exe

Filesize
1.7MB

MD5
cfeee152a39c265c34b5163548f8c59b

SHA1
5807f521bf8c48e8fb0abb657b6df7d21a533dc4

SHA256
0f86eb289dc6b99c7560607e4e8e84b134515cee05becae947056026bfd21844

SHA512
b50eafbade678e6a29dcae61e6eb251bcbc26d25427adf313aa7eb654de710d48236f1749e59cd0b19e28967b26a37bde364e584853b9b7f007d89c999d08ecd

Download Submit
memory/2448-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2448-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads