ardamax | 2805e9c34681e25ee5c053d45374c9971cca86e4cda06273daa107b6a77f8428

General

Target

d2ead7909a62646c912a2348963756d8_JaffaCakes118.exe
Size

1.3MB
MD5

d2ead7909a62646c912a2348963756d8
SHA1

e473d5ca54112913af5ec40cde668c2be988a68b
SHA256

2805e9c34681e25ee5c053d45374c9971cca86e4cda06273daa107b6a77f8428
SHA512

047bdc58b40abc77348acb8187ae7266d26b6403c54f2081437ea76b8721f8de52b5c11bdd52679324556aa59e1f20e1c12c59d65132824f73557a657a16609d
SSDEEP

24576:eJnAlcdHz6ZrGoJoDcn47CsLsec9eIo88075rGqZtQpaP8LmGWEgqLMDlnQmHxxp:yASlwG1DMuIecfr7hxUJAD6mRxp

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016dec-23.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1888	file1.exe
2112	QMVN.exe

Loads dropped DLL 4 IoCs

pid	Process
1888	file1.exe
1888	file1.exe
2112	QMVN.exe
2112	QMVN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QMVN Agent = "C:\\Windows\\SysWOW64\\28463\\QMVN.exe"	QMVN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	QMVN.exe
File created	C:\Windows\SysWOW64\28463\QMVN.009	QMVN.exe
File opened for modification	C:\Windows\SysWOW64\28463\QMVN.009	QMVN.exe
File created	C:\Windows\SysWOW64\28463\QMVN.001	file1.exe
File created	C:\Windows\SysWOW64\28463\QMVN.006	file1.exe
File created	C:\Windows\SysWOW64\28463\QMVN.007	file1.exe
File created	C:\Windows\SysWOW64\28463\QMVN.exe	file1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QMVN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2112	QMVN.exe
Token: SeIncBasePriorityPrivilege	2112	QMVN.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2112	QMVN.exe
2112	QMVN.exe
2112	QMVN.exe
2112	QMVN.exe
2112	QMVN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1888	2700	d2ead7909a62646c912a2348963756d8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 1888	2700	d2ead7909a62646c912a2348963756d8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 1888	2700	d2ead7909a62646c912a2348963756d8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 1888	2700	d2ead7909a62646c912a2348963756d8_JaffaCakes118.exe	30
PID 1888 wrote to memory of 2112	1888	file1.exe	31
PID 1888 wrote to memory of 2112	1888	file1.exe	31
PID 1888 wrote to memory of 2112	1888	file1.exe	31
PID 1888 wrote to memory of 2112	1888	file1.exe	31

C:\Users\Admin\AppData\Local\Temp\d2ead7909a62646c912a2348963756d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2ead7909a62646c912a2348963756d8_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\file1.exe
  C:\Users\Admin\AppData\Local\Temp\\file1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\28463\QMVN.exe
    "C:\Windows\system32\28463\QMVN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
599KB

MD5
db2fa420feaa7f53d0583435969fba67

SHA1
51872158314fda4cdf9df562cae75e9a6c44e4b5

SHA256
1cf23e41ee10024e9cc06c726dc04782c663bdd3392a10a1af0115bab60ba3ce

SHA512
0a230b9879f501e4d240ae549ab3b978804187b0ab957873f01c9e6bc4476f0c67350dfbdbc52f9e81deabd5a030ffe2dc28d2586c41f6a91f9612d92dd540b8

Download Submit
C:\Windows\SysWOW64\28463\QMVN.001

Filesize
438B

MD5
67e985197ccde242048e11d6e2838aec

SHA1
637af8fd702a105fb69f9a86fcf836b955d3e309

SHA256
141aac24f971fa77cf5c13576b29ab3d729e7c91b3119cdd8a4f8460e2cb20ef

SHA512
6f1c46873cca9315ed327f14819f583cde3fb5a156aae1063b5d3a0d7b7e0e1778cff8f505e4c28792829eb730b9735713b4aa29d8d1bb7a063e112b8b289e90

Download Submit
C:\Windows\SysWOW64\28463\QMVN.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\QMVN.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\QMVN.exe

Filesize
912KB

MD5
6768ba61744862704760b66ce8f8fdd4

SHA1
e86cbed8cf20c2a9c76219d0c434bc310ffb2392

SHA256
4cf4bf2b7d2bb4215e255e1f2b1238ad989f3c8a98ebfd5cb033bccf32fedaa0

SHA512
eadb56b633707724ef4f47f8b421b0f3b2afa5a9800fae030f81aefae483eed6b494da470278273f388c3ae346a33cbbfe742924d231dab1c9b42bbefaf95a61

Download Submit
\Users\Admin\AppData\Local\Temp\@9186.tmp

Filesize
4KB

MD5
a55cbc0f0125b005ef369020b4c17806

SHA1
010af3e2e84b337e91f5e0c791b01e1d527211ce

SHA256
27cfe74936e4090aafbef07ee45725923f4b1243135e1e3a51e3385dbcd7b637

SHA512
88e5f7905c86d73bc5af028f20c8bf49f700307926c5b92814c245abe08e9c35841116d428ddbd7b957b47ccc8980684c12608b6818e4b6c1c8c0d27d54a07be

Download Submit
memory/2112-31-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2112-26-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2112-35-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2700-3-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-2-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-0-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-34-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads