ardamax | 5d2fe12230c1823267fa32116975e6d4d61378d60ff795aaf221db1ad2510fe1

General

Target

bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
Size

1.2MB
MD5

bdacbaac7288774e1a08e13499f57a06
SHA1

a492c96808082bfb5aa2fd262e94c8e23c96989d
SHA256

5d2fe12230c1823267fa32116975e6d4d61378d60ff795aaf221db1ad2510fe1
SHA512

01e0966af6c98c184415436e50b53a04512937e1b666a763bed73e64467193e92d0ff385332f7e1b03904415c8f77835ec021a692f58cce1b9b490b839fb0c77
SSDEEP

24576:E0NzTkTxqqlKZF9qnQAmj9nmiuqNiUtSvAHwf3LozYxFekDpqO:E0pTk5lS9qnUj8TqYUnHwPszkg+E

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002346c-7.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3332	SIQ.exe

Loads dropped DLL 2 IoCs

pid	Process
3332	SIQ.exe
4144	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SIQ Start = "C:\\Windows\\SysWOW64\\FSHPTR\\SIQ.exe"	SIQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FSHPTR\	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.009	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\Screen_Aug_24_2024__00_44_41.html	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.002	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FSHPTR\AKV.exe	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.exe	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FSHPTR\Screen_Aug_24_2024__00_44_40.jpg	SIQ.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FSHPTR\SIQ.001	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FSHPTR\SIQ.009	SIQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4144	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3332	SIQ.exe
3332	SIQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3332	SIQ.exe
Token: SeIncBasePriorityPrivilege	3332	SIQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3332	SIQ.exe
3332	SIQ.exe
3332	SIQ.exe
3332	SIQ.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3332	4004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	88
PID 4004 wrote to memory of 3332	4004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	88
PID 4004 wrote to memory of 3332	4004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	88
PID 4004 wrote to memory of 4144	4004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	90
PID 4004 wrote to memory of 4144	4004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	90
PID 4004 wrote to memory of 4144	4004	bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdacbaac7288774e1a08e13499f57a06_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\SysWOW64\FSHPTR\SIQ.exe
  "C:\Windows\system32\FSHPTR\SIQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3332
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Install.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install.txt

Filesize
1B

MD5
e1671797c52e15f763380b45e841ec32

SHA1
58e6b3a414a1e090dfc6029add0f3555ccba127f

SHA256
3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea

SHA512
87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c

Download Submit
C:\Windows\SysWOW64\FSHPTR\AKV.exe

Filesize
484KB

MD5
4f60429f20ac507bb61cb45998a73847

SHA1
c094a508b75c7c9a83cb04cd1fa9a547ab87fded

SHA256
65478b0bded54534eb7e1241a8da267c57b55c3da90adce2880c04b861c6ddc9

SHA512
e5f879e4e21051d91f7bf88e77dbbf1c288d595988d55a13ef703e242094e8a762c3262200cf478d55ac91d12cefcdd176646cffaf88439313d8e44b12c5fa91

Download Submit
C:\Windows\SysWOW64\FSHPTR\Aug_24_2024__00_44_41.009

Filesize
57KB

MD5
3d651fa5a97b20252ca2ec495a864fb9

SHA1
d7b3ec70914daaae30982d8a17f3e9b984b23acf

SHA256
c37a75bd098084ad0c19b67f48989288933359a9ebc8ce421d4e14cd17c18a0a

SHA512
7010b951812c2707089393fe2110a7d55fe08a45d91ff09792f8fde1cad0f69787c4fc292cbf690d37411dbd434d19cabfb57be2aa97df3efb67f670be4913d8

Download Submit
C:\Windows\SysWOW64\FSHPTR\SIQ.001

Filesize
61KB

MD5
0d52ec4abb6e5055a153d97eab5bc2da

SHA1
f01f83ac6741d9d53aa43501d456c5b003746fe9

SHA256
845e34cf0373b2e959d3d27cfe09d858283dd6a4b335014c3b82e4af1161b321

SHA512
5876e5a0401d9520678e733fc89147d6a6d7ef5bf6f8dbbb59276c79f8cf57301a49b3c20861a5696ee36337d6b151c32c3be2abcdb2990301bf0c616ff0be19

Download Submit
C:\Windows\SysWOW64\FSHPTR\SIQ.002

Filesize
43KB

MD5
fab6c7c9f60f3a391f22754e221ba23f

SHA1
b885a44fa6a8d6c0f08069f202527de1e93d460e

SHA256
11c28e015fb748bf664203c92288252a90aa7119079094d5fed17bc6ebfc803b

SHA512
86c368b8d542ec4dde120effcdac80a03118b8296188f3e09dde81883903b6a51a1bb6b981d394e05ff21bdc1cdcda125a427bfdb76aa209e706a58666e342bb

Download Submit
C:\Windows\SysWOW64\FSHPTR\SIQ.004

Filesize
1KB

MD5
2ddff30336bc233d0a0e575688949bf9

SHA1
448fe7cb45214c96f7faa6134db5dbcc984059d0

SHA256
0ec43fb4f2b6a4488b99b0ec4b5a0f03722477ca02983b3d6ffbc195d3bae703

SHA512
a6f832282879a82b47493d191b85619b6be0d6d37de818ea92d64d804952add90cbce184866bbfc1812898f0d377750eb3ac56979a9573d556d6fd050c8fd7d8

Download Submit
C:\Windows\SysWOW64\FSHPTR\SIQ.exe

Filesize
1.7MB

MD5
cfeee152a39c265c34b5163548f8c59b

SHA1
5807f521bf8c48e8fb0abb657b6df7d21a533dc4

SHA256
0f86eb289dc6b99c7560607e4e8e84b134515cee05becae947056026bfd21844

SHA512
b50eafbade678e6a29dcae61e6eb251bcbc26d25427adf313aa7eb654de710d48236f1749e59cd0b19e28967b26a37bde364e584853b9b7f007d89c999d08ecd

Download Submit
memory/3332-18-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3332-22-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3332-23-0x00000000737F0000-0x0000000073829000-memory.dmp

Filesize
228KB

Download
memory/3332-40-0x00000000737F0000-0x0000000073829000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads