ardamax | bec763c6a2785dc6ccaee85ce48f958bcf1e6e7453752eb7e50cbf8c864c06ab

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
Size

788KB
MD5

ef67f043e12affd778875c5d9c0c820a
SHA1

f373d48646ad50eb240ebe0bfd46954b7101b924
SHA256

bec763c6a2785dc6ccaee85ce48f958bcf1e6e7453752eb7e50cbf8c864c06ab
SHA512

aa5fb109f91f7b1fe53d86a84c2a6a2039b3b7df70bd4f070685151b364b16faa774d512751162b8a2c311ed47e132acc55502b06b0b47f284c1b544e2d77abc
SSDEEP

24576:aoS7J6ngDSrQZ2PvQ9QmQZyx/wff12XtHAZn:6IgW0IP49OZyxofiHW

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000019240-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2776	GQTA.exe

Loads dropped DLL 4 IoCs

pid	Process
2640	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
2640	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
2776	GQTA.exe
2776	GQTA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GQTA Agent = "C:\\Windows\\SysWOW64\\28463\\GQTA.exe"	GQTA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\GQTA.007	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\GQTA.exe	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\key.bin	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	GQTA.exe
File created	C:\Windows\SysWOW64\28463\GQTA.001	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\GQTA.006	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GQTA.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll"	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\Programmable\	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\FLAGS\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\TypeLib\ = "{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}"	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\Version\ = "1.0"	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\VersionIndependentProgID	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\ProgID\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\ProgID\ = "BDATuner.ChannelIDTuneRequest.1"	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\0\win32	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\HELPDIR	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\TypeLib\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\VersionIndependentProgID\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\VersionIndependentProgID\ = "BDATuner.ChannelIDTuneRequest"	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\Programmable	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\Version	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\InprocServer32\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\ = "Groove Soap Security 1.0 Type Library"	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\0\	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\TypeLib	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\Version\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\Implemented Categories\	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\InprocServer32	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\0	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\FLAGS	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\FLAGS\ = "0"	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\ = "Dokaxoxge.Pihes.Kidokogva object"	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\Implemented Categories	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\0\win32\	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}	GQTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{679E9BC2-101C-49C9-3688-BA2BD3CC8189}\ProgID	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\78"	GQTA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{005EE33F-D8D9-B2CE-2EBF-D83F707EEA90}\1.0\HELPDIR\	GQTA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2776	GQTA.exe
Token: SeIncBasePriorityPrivilege	2776	GQTA.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2776	GQTA.exe
2776	GQTA.exe
2776	GQTA.exe
2776	GQTA.exe
2776	GQTA.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2776	2640	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2776	2640	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2776	2640	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2776	2640	ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef67f043e12affd778875c5d9c0c820a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\28463\GQTA.exe
  "C:\Windows\system32\28463\GQTA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
f34b87951e1a931e01df1bc9f1b98207

SHA1
f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

SHA256
e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

SHA512
c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

Download Submit
C:\Windows\SysWOW64\28463\GQTA.001

Filesize
508B

MD5
93e225ad2c85cac2463e59b8d6c36e9e

SHA1
a56fb48d99a22acfd4065c46d4af13cc73286464

SHA256
a6b31d595b441495ac1d282854413d0c5584a2d33d3b7d89d75064ba636ad10d

SHA512
ec4c159ba41ca46d9a138b046b8acbb3acbd073bc81e8592bb045e5a913481145b922b9cad63548131192e865b306d3d7a315a85d950a8c07ea1b5896506f102

Download Submit
C:\Windows\SysWOW64\28463\GQTA.006

Filesize
8KB

MD5
98d22fb2035a26a6b9b7decc0c0ff2fa

SHA1
43a75cf59fc2f8b59b1d962b4e685249eef816d5

SHA256
fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

SHA512
3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

Download Submit
C:\Windows\SysWOW64\28463\GQTA.007

Filesize
5KB

MD5
15eb312db4b3e208b67082653acb8a02

SHA1
b0926b1e1733baa3d7f18d3806916f92704fccff

SHA256
72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

SHA512
7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
c86a712d2ad5d8a676202a2076bb2759

SHA1
187c84c3c0d24ff5c64c4faa0077f29116ee2369

SHA256
d4ba8e5d0de6a6af149864416e0154218270fa9af4993f4d85f4ce2c9c107450

SHA512
7fbb0e3aa72f5ed3669a93232fa9ba3630c5b17d01164aefccab5b143b7357d91be5fe556ba95b9295fabdafae855bcb8b4f9899b295a7ce94a91ee6d63c0dcd

Download Submit
\Users\Admin\AppData\Local\Temp\@402C.tmp

Filesize
4KB

MD5
36400e746829504282eb26b364826aa9

SHA1
d39ea9da98be0c331fd71002645f4f40664288a2

SHA256
c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

SHA512
5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

Download Submit
\Windows\SysWOW64\28463\GQTA.exe

Filesize
651KB

MD5
b181beaba4204ac3ce7bc8e6f0b74312

SHA1
4ab13763d2ecdf0968f15a39302aab2b1f0ab462

SHA256
f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

SHA512
d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

Download Submit
memory/2776-22-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2776-32-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2776-25-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2776-24-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2776-23-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2776-27-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2776-21-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2776-20-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2776-33-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2776-26-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2776-31-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2776-30-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2776-28-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2776-29-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2776-18-0x0000000000300000-0x000000000035A000-memory.dmp

Filesize
360KB

Download
memory/2776-17-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2776-41-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2776-42-0x0000000000300000-0x000000000035A000-memory.dmp

Filesize
360KB

Download
memory/2776-43-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2776-47-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads