ardamax | c32636cb94022907d1a5642c476d284d9f4462d6221b38eb30b256a651dbc802

General

Target

cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
Size

1.2MB
MD5

cd3392fb8eaad9e4875e4e1544754fc3
SHA1

514b0bc99a88865ef3c1a49f9034dbdab898d510
SHA256

c32636cb94022907d1a5642c476d284d9f4462d6221b38eb30b256a651dbc802
SHA512

8f0cfa87c19c7d5a7dfd369c23d945cc3b5d59ffd60fe5542093bf6c4c756050ec51d4eb423f76bcb8d2636ad8587182ca1a1e847058b801cf511366be989882
SSDEEP

24576:9k/ATXowW3FgTB/LfQ/rGuDkfuo7o/xzf2blhk95oL15Hs/WsKLpOC5spd:CoTXgWTO/nW7TBhksL153gnp

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234d6-7.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	QVA.exe

Executes dropped EXE 2 IoCs

pid	Process
1220	QVA.exe
2980	elf 3.9.7.0.exe

Loads dropped DLL 7 IoCs

pid	Process
1220	QVA.exe
2980	elf 3.9.7.0.exe
2980	elf 3.9.7.0.exe
2980	elf 3.9.7.0.exe
2980	elf 3.9.7.0.exe
2980	elf 3.9.7.0.exe
2980	elf 3.9.7.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QVA Start = "C:\\Windows\\SysWOW64\\OHNSGG\\QVA.exe"	QVA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\OHNSGG\QVA.004	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHNSGG\QVA.001	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHNSGG\QVA.002	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OHNSGG\QVA.exe	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OHNSGG\	QVA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QVA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elf 3.9.7.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234d8-15.dat	nsis_installer_1
behavioral2/files/0x00070000000234d8-15.dat	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1220	QVA.exe
Token: SeIncBasePriorityPrivilege	1220	QVA.exe
Token: SeIncBasePriorityPrivilege	1220	QVA.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1220	QVA.exe
1220	QVA.exe
1220	QVA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1220	4236	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	84
PID 4236 wrote to memory of 1220	4236	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	84
PID 4236 wrote to memory of 1220	4236	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	84
PID 4236 wrote to memory of 2980	4236	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	86
PID 4236 wrote to memory of 2980	4236	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	86
PID 4236 wrote to memory of 2980	4236	cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe	86
PID 1220 wrote to memory of 8	1220	QVA.exe	100
PID 1220 wrote to memory of 8	1220	QVA.exe	100
PID 1220 wrote to memory of 8	1220	QVA.exe	100

C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\OHNSGG\QVA.exe
  "C:\Windows\system32\OHNSGG\QVA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\OHNSGG\QVA.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe

Filesize
382KB

MD5
0187882fd5c0b80c0cc1e784d8e40731

SHA1
e88f4075bec77757f9974368a59e495990d5e2f0

SHA256
8591ad8805a1282cf5b1a1db15bcc0baf27014590f07b32cbbe6bb01822d784e

SHA512
7c18130050e9cb9293bab366098d29ef948bf3a2e6362fa40c5b0c8fa45e19008026f8cdf65bff74ec464a933b4a41622f0ab891e9f953ab33e7d689b1f5adc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC209.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC209.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC209.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Windows\SysWOW64\OHNSGG\QVA.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
C:\Windows\SysWOW64\OHNSGG\QVA.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\OHNSGG\QVA.004

Filesize
1KB

MD5
456f38fe3b18f0aef97eeb20cdf77335

SHA1
a946fcb212d3f090a2d0cb9c6a12684bc291993d

SHA256
70018c1a3b8abd19a646fa409e24702d14b0ebca0b17906dfbc2295f302d6404

SHA512
f371d799678351ddb3982cb9ef864f9d5ff0f8b15d7ea828da05ef509a11f5e6bb0b828ffb69a4b86dcaf179547e85e0233cb71eb899286a77fd32b130c8010e

Download Submit
C:\Windows\SysWOW64\OHNSGG\QVA.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
memory/1220-22-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1220-53-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2980-34-0x0000000003350000-0x0000000003365000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads