ardamax | d5e63228736a899e155d558eb6b915886fef7df09b9951e1a146f9d02a926168

General

Target

e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe
Size

1.2MB
MD5

e8e4ef7c51cadda1313e8157482c6367
SHA1

2a888806cabfff1acada3e0e2a51e39a0fedd950
SHA256

d5e63228736a899e155d558eb6b915886fef7df09b9951e1a146f9d02a926168
SHA512

a286931dd7fa2b105de3ab717601a6202babea84c80c87d8cc482317faf6a7063c46649e748f2e3e95882d4ef456ef45f3203281a0007a2aa491f9bfbe86c399
SSDEEP

24576:arpmoqEgR46rOsOlHK6QTmGD0V5zhfvZGc6PoH25iv/g7MVlq2b4I4ZrEz:a0ATM6QTAV5zx1H25nMV8VI6rEz

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019626-33.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2556	Install.exe
2856	DQOC.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe

Loads dropped DLL 13 IoCs

pid	Process
2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe
2556	Install.exe
2556	Install.exe
2556	Install.exe
2556	Install.exe
2556	Install.exe
2556	Install.exe
2856	DQOC.exe
2856	DQOC.exe
2856	DQOC.exe
2856	DQOC.exe
2856	DQOC.exe
2672	DllHost.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2820-0-0x0000000000400000-0x00000000004AE000-memory.dmp	themida
behavioral1/memory/2820-4-0x0000000000400000-0x00000000004AE000-memory.dmp	themida
behavioral1/memory/2820-6-0x0000000000400000-0x00000000004AE000-memory.dmp	themida
behavioral1/memory/2820-19-0x0000000000400000-0x00000000004AE000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DQOC Agent = "C:\\Windows\\SysWOW64\\28463\\DQOC.exe"	DQOC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	DQOC.exe
File created	C:\Windows\SysWOW64\28463\DQOC.001	Install.exe
File created	C:\Windows\SysWOW64\28463\DQOC.006	Install.exe
File created	C:\Windows\SysWOW64\28463\DQOC.007	Install.exe
File created	C:\Windows\SysWOW64\28463\DQOC.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DQOC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2856	DQOC.exe
Token: SeIncBasePriorityPrivilege	2856	DQOC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2672	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe
2856	DQOC.exe
2856	DQOC.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2556	2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2556	2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2556	2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2556	2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2556	2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2556	2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2556	2820	e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2856	2556	Install.exe	32
PID 2556 wrote to memory of 2856	2556	Install.exe	32
PID 2556 wrote to memory of 2856	2556	Install.exe	32
PID 2556 wrote to memory of 2856	2556	Install.exe	32
PID 2556 wrote to memory of 2856	2556	Install.exe	32
PID 2556 wrote to memory of 2856	2556	Install.exe	32
PID 2556 wrote to memory of 2856	2556	Install.exe	32

C:\Users\Admin\AppData\Local\Temp\e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8e4ef7c51cadda1313e8157482c6367_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\28463\DQOC.exe
    "C:\Windows\system32\28463\DQOC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2856

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\openkore1.jpg

Filesize
6KB

MD5
3486f2fdb7da64532c88925861d75968

SHA1
169bea49d580865bcad02db62433089f37b7239f

SHA256
f301b44e939ff08a2183cb5022c967ed331e64cd3b2607a7e50819b5de0137cd

SHA512
ec54aa0f5b7724b781a13749871f61cb905b63285223055399cc285fece81d48757f61fb921f9e35730c80a0e8e39104b67d242efb1e424afbbf75fc16bff428

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
1533823edeb16a2f6130b0eac0a74b1a

SHA1
c00306974e0acda509d547d8947abbd19e848827

SHA256
e330dedede24e626c90b2894697df4d81228d583203b80775de310dd315f6a9a

SHA512
2d72b0b822de528943348881aa2f0855ef4d306df52f343ebbd8d8b8845da4a79a01efd88c1abf7645e4a72c4069d6d5d4c4d85f1dcd580ac61a9e2657303a87

Download Submit
C:\Windows\SysWOW64\28463\DQOC.001

Filesize
482B

MD5
21dbe7863505ecfb3700ff3b0517782d

SHA1
2d11343f76aceec900f4a6545a3c31df712fb23a

SHA256
5895b9717b4636d93bb683f55768af33e806843889b48cf35e38526448cc683f

SHA512
5a6d0cf8139170026c171ca0458c505dab2517d332b657d08a390f94755f64ef9bc3dac4aac457f118e1396120e9da863e19144ead68435e7e321f53dc592ee1

Download Submit
C:\Windows\SysWOW64\28463\DQOC.006

Filesize
7KB

MD5
9bb764979044a263709a095f707fbf7f

SHA1
6a6ff5611d93c860401b165ff85957fbb340f14c

SHA256
6f55fcdfbdba9aef5252dfbb9a0f1ac9c83dac472659223ae5a7840484e2d95b

SHA512
a764c11ce03910f372ab7a19f251dbfcd369ad59a7e19b8f1a5825ef44f263d0c693f6bb69332bcb545ea397fc10497cbe4a83402a60971a07bdeb01ce19c057

Download Submit
C:\Windows\SysWOW64\28463\DQOC.007

Filesize
5KB

MD5
c14f089be45a2669a608c0cb4b5ed402

SHA1
6c3168f0af173afbc295848ad1bdb480c510097c

SHA256
dfd377848164271d02259d4481e7978a12392f71f7bcadaecae247d962127d08

SHA512
3c3bc020b74bd76eaa7b5fe577371fef420a62afa9512ef6a0d148b902fe98f8372358ab0f1213e389ad44d52a631ed117a6921be51d66734059cbfdef33ead9

Download Submit
\Users\Admin\AppData\Local\Temp\@A3E.tmp

Filesize
4KB

MD5
67ce8b2ea53b0aa6ec6213a2b62b9d95

SHA1
e4ac32be20e72d1c12d0ba6919d5fd209a85d009

SHA256
2daed63cd25eb939ae46c5a1caf7fe07bde609a859720884b51d324ff45fc4f6

SHA512
760bef7efb0750d860909f2c92ef2190d7a63b8d07d83ba17997a2cd5c92f509f6c645d86bfbf22c3baff8ebabbf14856f8f4998b9d7132db19785190071c29e

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
d26c2aadff0fed020d097a15162a186d

SHA1
79f81cf5c1c0b6ef43e9a62278c52002da609c89

SHA256
ae5064cdc54945028c94060e757dcacf2a4872f4b8ef2a28bbd015d38833908c

SHA512
7472a2bd6e3e77370ea20a3367ce57799d1206385bc6ac72e07e2a77487af773f19aa275f5bfade5786d7112a83030535640b2508f161f5123ede07f339980da

Download Submit
\Windows\SysWOW64\28463\DQOC.exe

Filesize
472KB

MD5
a10c0ee1f0006cd3f58809ee8a6ab81f

SHA1
c4dcb5bffaaea97f7c6d850905a03c001a452d9a

SHA256
9ae3fe10cb437ef5f98a8731c63cd21a3a0791d231428bd264422acd4b57268f

SHA512
ece264bd37989f52bef0446f378b9c7f2d9f8b6af52cf9ba9234540b2a51b3b0faaa7f3e99ee854371a91650105660deeb0748a82d29733b5f69de15ba8a4157

Download Submit
memory/2672-55-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2672-8-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2672-9-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2820-7-0x0000000005740000-0x0000000005742000-memory.dmp

Filesize
8KB

Download
memory/2820-19-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2820-20-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2820-16-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

Filesize
4KB

Download
memory/2820-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2820-6-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2820-4-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2820-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads