ardamax | c4099ac3f5861b0c6d227c389f5597cffb64dc340a9d79e50eba457745203d8c

General

Target

dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
Size

1.4MB
MD5

dca974dd704022af9c3adfdfb42007b0
SHA1

7b0c9fbcc5ae0fcca3b0a53030819df7c6dfd546
SHA256

c4099ac3f5861b0c6d227c389f5597cffb64dc340a9d79e50eba457745203d8c
SHA512

3a92bd8c403652859177deb60af54f5965ce5d1088a99fc4c72c1c4bcd0857f6a5c3edfbf336be8293442fa5a962670218ce556b0ff03429c1484373b5f21175
SSDEEP

24576:XrHV4SGPDx+SccjcZ3nxQc/aJoSlDZciA0GLlH2DLfbtdhvXijBqBVYq:uSqNkcSQc/aJfl1cbLlWJzvSNqBV/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
dhiliph

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023593-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
776	system32SQSR.exe

Loads dropped DLL 2 IoCs

pid	Process
4500	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
776	system32SQSR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32SQSR Agent = "C:\\Windows\\system32SQSR.exe"	system32SQSR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32SQSR.exe	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created	C:\Windows\system32AKV.exe	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created	C:\Windows\system32SQSR.009	system32SQSR.exe
File created	C:\Windows\system32SQSR.009.tmp	system32SQSR.exe
File created	C:\Windows\Sep_12_2024__17_00_03.jpg	system32SQSR.exe
File created	C:\Windows\system32SQSR.007	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File created	C:\Windows\system32SQSR.006	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
File opened for modification	C:\Windows\system32SQSR.009	system32SQSR.exe
File created	C:\Windows\Sep_12_2024__17_01_03.jpg	system32SQSR.exe
File created	C:\Windows\system32SQSR.001	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32SQSR.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
968	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
968	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	776	system32SQSR.exe
Token: SeIncBasePriorityPrivilege	776	system32SQSR.exe
Token: 33	1116	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1116	AUDIODG.EXE
Token: 33	968	vlc.exe
Token: SeIncBasePriorityPrivilege	968	vlc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
776	system32SQSR.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
776	system32SQSR.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe
968	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
776	system32SQSR.exe
776	system32SQSR.exe
776	system32SQSR.exe
776	system32SQSR.exe
968	vlc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 776	4500	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe	91
PID 4500 wrote to memory of 776	4500	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe	91
PID 4500 wrote to memory of 776	4500	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe	91
PID 4500 wrote to memory of 968	4500	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe	93
PID 4500 wrote to memory of 968	4500	dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dca974dd704022af9c3adfdfb42007b0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\system32SQSR.exe
  "C:\Windows\system32SQSR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:776
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Vodafone Full (Zekty.com).mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1420,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@4699.tmp

Filesize
4KB

MD5
b7ea0bc4bb833ab77dce179f16039c14

SHA1
b05cc205aa6ffc60a5316c1d5d3831def5a60c20

SHA256
e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba

SHA512
5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vodafone Full (Zekty.com).mp3

Filesize
1022KB

MD5
caa7d3978e8d9096243fe1f99e11bc52

SHA1
a021ab0e865581e0fbfb271472235f3a35342290

SHA256
87285bd09d1292eb94e582bb612bbb4a442ed96745424bab1223819ca3255031

SHA512
f7bf01bbf9721296c10dd76769398993dd48821b9856aa983cf5b0e5e6658226a09edbfe1f873cd32c13e4ebbe82c74216c29120712f50b6ae967253c8985fc8

Download Submit
C:\Windows\system32SQSR.001

Filesize
612B

MD5
0856b21b923ff4a4164bf970a7614aeb

SHA1
ef0b5cbd7ff727757d0ea908a12bc2bc7a67eac1

SHA256
220a26314ac62d730ed00487e5e0b9e103e2cf4cd02170706906a912f5461687

SHA512
657cb9105e9025e5391498e09289a9c219cb6df13aaa77af7d276bc76397a1cc7926eb51df845b99658a0176f11ac8f8ce9aa542db8fa74714eb131e8c9af3eb

Download Submit
C:\Windows\system32SQSR.006

Filesize
7KB

MD5
87ccf7eb039971590aac6f254b2c788a

SHA1
3095496ffd364b32cdbe63ba4dd2f477fd848515

SHA256
59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b

SHA512
d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

Download Submit
C:\Windows\system32SQSR.009

Filesize
74KB

MD5
ec320ac1e6d36a4a1935ffb7900b578d

SHA1
269c131d2a26414d5feba7bba087b6c895dba8b5

SHA256
d05b345f5b91520fc41a1486d627b55ac85edc8f57f41a06700cba8eb956b7c9

SHA512
ef42214f499ffd6ef32616df828b14e8186701c637541c1ac9593ea5a97d02424146acaea9af2e17adbfccabba89abcb540a7cbadf10cfd94e1e513aca9f2a43

Download Submit
C:\Windows\system32SQSR.exe

Filesize
471KB

MD5
912c55621b4c3f0fb2daef5b4f4f5f4c

SHA1
735701c75569b7563950508afc8948b52e7bf4b2

SHA256
41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0

SHA512
65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

Download Submit
memory/776-20-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/776-55-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/968-44-0x00007FF8750A0000-0x00007FF8750B1000-memory.dmp

Filesize
68KB

Download
memory/968-38-0x00007FF8793B0000-0x00007FF8793E4000-memory.dmp

Filesize
208KB

Download
memory/968-45-0x00007FF875080000-0x00007FF87509D000-memory.dmp

Filesize
116KB

Download
memory/968-47-0x00007FF865570000-0x00007FF86577B000-memory.dmp

Filesize
2.0MB

Download
memory/968-39-0x00007FF865780000-0x00007FF865A36000-memory.dmp

Filesize
2.7MB

Download
memory/968-43-0x00007FF8750C0000-0x00007FF8750D7000-memory.dmp

Filesize
92KB

Download
memory/968-42-0x00007FF8750E0000-0x00007FF8750F1000-memory.dmp

Filesize
68KB

Download
memory/968-41-0x00007FF8755E0000-0x00007FF8755F7000-memory.dmp

Filesize
92KB

Download
memory/968-40-0x00007FF875CA0000-0x00007FF875CB8000-memory.dmp

Filesize
96KB

Download
memory/968-46-0x00007FF875060000-0x00007FF875071000-memory.dmp

Filesize
68KB

Download
memory/968-54-0x00007FF873680000-0x00007FF873691000-memory.dmp

Filesize
68KB

Download
memory/968-53-0x00007FF8743D0000-0x00007FF8743E1000-memory.dmp

Filesize
68KB

Download
memory/968-52-0x00007FF874820000-0x00007FF874831000-memory.dmp

Filesize
68KB

Download
memory/968-51-0x00007FF874840000-0x00007FF874858000-memory.dmp

Filesize
96KB

Download
memory/968-50-0x00007FF874E90000-0x00007FF874EB1000-memory.dmp

Filesize
132KB

Download
memory/968-49-0x00007FF874C70000-0x00007FF874CB1000-memory.dmp

Filesize
260KB

Download
memory/968-48-0x00007FF8644C0000-0x00007FF865570000-memory.dmp

Filesize
16.7MB

Download
memory/968-85-0x00007FF8644C0000-0x00007FF865570000-memory.dmp

Filesize
16.7MB

Download
memory/968-37-0x00007FF7070F0000-0x00007FF7071E8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads