ardamax | c32636cb94022907d1a5642c476d284d9f4462d6221b38eb30b256a651dbc802

General

Target

cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
Size

1.2MB
MD5

cd3392fb8eaad9e4875e4e1544754fc3
SHA1

514b0bc99a88865ef3c1a49f9034dbdab898d510
SHA256

c32636cb94022907d1a5642c476d284d9f4462d6221b38eb30b256a651dbc802
SHA512

8f0cfa87c19c7d5a7dfd369c23d945cc3b5d59ffd60fe5542093bf6c4c756050ec51d4eb423f76bcb8d2636ad8587182ca1a1e847058b801cf511366be989882
SSDEEP

24576:9k/ATXowW3FgTB/LfQ/rGuDkfuo7o/xzf2blhk95oL15Hs/WsKLpOC5spd:CoTXgWTO/nW7TBhksL153gnp

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016123-5.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2440	QVA.exe
1776	elf 3.9.7.0.exe

Loads dropped DLL 7 IoCs

pid	Process
1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
2440	QVA.exe
1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
1776	elf 3.9.7.0.exe
1776	elf 3.9.7.0.exe
1776	elf 3.9.7.0.exe
1776	elf 3.9.7.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QVA Start = "C:\\Windows\\SysWOW64\\OHNSGG\\QVA.exe"	QVA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\OHNSGG\QVA.004	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHNSGG\QVA.001	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHNSGG\QVA.002	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHNSGG\QVA.exe	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OHNSGG\	QVA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QVA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elf 3.9.7.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000161f3-17.dat	nsis_installer_1
behavioral1/files/0x00070000000161f3-17.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1776	elf 3.9.7.0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2440	QVA.exe
Token: SeIncBasePriorityPrivilege	2440	QVA.exe
Token: SeIncBasePriorityPrivilege	2440	QVA.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2440	QVA.exe
2440	QVA.exe
2440	QVA.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2440	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	31
PID 1880 wrote to memory of 2440	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	31
PID 1880 wrote to memory of 2440	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	31
PID 1880 wrote to memory of 2440	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	31
PID 1880 wrote to memory of 1776	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1776	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1776	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1776	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1776	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1776	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1776	1880	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2292	2440	QVA.exe	33
PID 2440 wrote to memory of 2292	2440	QVA.exe	33
PID 2440 wrote to memory of 2292	2440	QVA.exe	33
PID 2440 wrote to memory of 2292	2440	QVA.exe	33

C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\OHNSGG\QVA.exe
  "C:\Windows\system32\OHNSGG\QVA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\OHNSGG\QVA.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\OHNSGG\QVA.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
C:\Windows\SysWOW64\OHNSGG\QVA.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\OHNSGG\QVA.004

Filesize
1KB

MD5
456f38fe3b18f0aef97eeb20cdf77335

SHA1
a946fcb212d3f090a2d0cb9c6a12684bc291993d

SHA256
70018c1a3b8abd19a646fa409e24702d14b0ebca0b17906dfbc2295f302d6404

SHA512
f371d799678351ddb3982cb9ef864f9d5ff0f8b15d7ea828da05ef509a11f5e6bb0b828ffb69a4b86dcaf179547e85e0233cb71eb899286a77fd32b130c8010e

Download Submit
\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe

Filesize
382KB

MD5
0187882fd5c0b80c0cc1e784d8e40731

SHA1
e88f4075bec77757f9974368a59e495990d5e2f0

SHA256
8591ad8805a1282cf5b1a1db15bcc0baf27014590f07b32cbbe6bb01822d784e

SHA512
7c18130050e9cb9293bab366098d29ef948bf3a2e6362fa40c5b0c8fa45e19008026f8cdf65bff74ec464a933b4a41622f0ab891e9f953ab33e7d689b1f5adc9

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD49E.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD49E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD49E.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Windows\SysWOW64\OHNSGG\QVA.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
memory/1776-28-0x00000000005E0000-0x00000000005F5000-memory.dmp

Filesize
84KB

Download
memory/2440-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2440-45-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads