ardamax | 0dbfd337b160c8c65587ac6c4192a222f0810538f84b8fece4b011bdef87c4a4

General

Target

109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
Size

504KB
MD5

109b7ccb2580197c3daebf70c55e4cd8
SHA1

4727f0578478d17ccd3e31fc08c74522fb186b1a
SHA256

0dbfd337b160c8c65587ac6c4192a222f0810538f84b8fece4b011bdef87c4a4
SHA512

f3068dbd5a3ee19ebfcf15b8890a9e170a5b07c5413b0ed01ddf5db1b5cc75f928021b6a9a1d0d8f478c036cd3e9220f335e597e8df65de43175ff780b4d7d94
SSDEEP

12288:m1QfRvV6CunDeLMD/UgR/aXUtIhP/4OV5TTp8q:5JvV6C8eLMDMgRoXhb5uq

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341c-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
548	FQGI.exe

Loads dropped DLL 4 IoCs

pid	Process
2572	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
548	FQGI.exe
548	FQGI.exe
548	FQGI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FQGI Agent = "C:\\Windows\\SysWOW64\\Sys32\\FQGI.exe"	FQGI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\FQGI.006	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\FQGI.007	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\FQGI.exe	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	FQGI.exe
File created	C:\Windows\SysWOW64\Sys32\FQGI.001	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FQGI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	548	FQGI.exe
Token: SeIncBasePriorityPrivilege	548	FQGI.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
548	FQGI.exe
548	FQGI.exe
548	FQGI.exe
548	FQGI.exe
548	FQGI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 548	2572	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe	82
PID 2572 wrote to memory of 548	2572	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe	82
PID 2572 wrote to memory of 548	2572	109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109b7ccb2580197c3daebf70c55e4cd8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\Sys32\FQGI.exe
  "C:\Windows\system32\Sys32\FQGI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@96D7.tmp

Filesize
4KB

MD5
74ff002e34aadbe8a9f7d88d2532c5d5

SHA1
3c11c399973d2db9a94ad7a089870d026c8c859d

SHA256
57d3fc3ef8934afd806d28d705c05637c0bd2d64b91a1a3e87e9bfbbf95f6e8e

SHA512
704c6520a7c89e6432776ad31c3334d22db390474c141974fc189c03b84e4618a35707f70f7ab7337bb63775a3cc04c2f70e88d9e3f921cf9ab2116305ed1bde

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
75e14e922eeea4674c45a00335c28777

SHA1
f3268f7a91e0cef3ac1b03877daa694655e79fa1

SHA256
e103b85edbafbacc8e4ac50378ee4812b68ceccd2b6f2066243ac03674030f68

SHA512
b2c5e09c041bc235bf1be0a808c92dc5b8256447be95a0fb4bcfe9160123c63d14a4979eea28f5286a0f3f354c59f032c9a24586dfb7067150dae7339314f6fa

Download Submit
C:\Windows\SysWOW64\Sys32\FQGI.001

Filesize
546B

MD5
a907c1827c8018622a048a28cae54676

SHA1
9a4e4174411e70d50c6377f6995c93cf255e007b

SHA256
8726c38d570b0f7a1102e364ae169f731db2b1c284166802a9c883a99b470b16

SHA512
f73dc95a8dadccd9dd04a5886e860e07212374f9a9fa3e5541446920a5de3857f104e226e787e2dd0bdc7db6f9ba0aaa222462bda8b78198eb94c9f45aeea3a2

Download Submit
C:\Windows\SysWOW64\Sys32\FQGI.006

Filesize
7KB

MD5
5001bd93dc919785a830ab883eefb04e

SHA1
eb4e7b7d42bf4669c1f011fcd0119012cfb957c0

SHA256
2027d2ecaa78d0ffdd4234ce531be60f230b8258ae6c001af587f6d73dba771c

SHA512
20f6a8fa9e2188aa29d101100edae17d77b4983f3e1dd4696c6fbcd47ef0bbcce392a0733c330dd7a707b0f5bb92720f684b04cdd8c0f1a0b186012001c477d8

Download Submit
C:\Windows\SysWOW64\Sys32\FQGI.007

Filesize
5KB

MD5
00c2e21155375b96338bf76afea81546

SHA1
9ec87a26f5a48db97c05b2e3990aedec0adaa999

SHA256
6f3c20f654f2f4aee0752b95d72d9f46ebf467422611b30e9baa5ad1d21a4534

SHA512
cbaf2efa919def1d351de8ad8b1e30af4bb754db833019f9d998f1c78a844b933b18c41e8764edd1632be2076fd23cd7f302cfaf3f8ed6538bc90db178db422a

Download Submit
C:\Windows\SysWOW64\Sys32\FQGI.exe

Filesize
476KB

MD5
63ea07b550f22b1f5d5d6897f4d92894

SHA1
8107c9115d45c7857534f0e0b2d9837304f009f2

SHA256
729269e2ce40465fa2b512e2dfea0da818a2972070ae6fa57c92893a1276ea01

SHA512
c094235f36a1ecf1ce9082a22d34d33153595c91c941fb1e1bd9d3903e2142e6e7603db184dc19248258027e0b8377aa13f523b84a98c74c5645cd3e3c2cdf8c

Download Submit
memory/548-23-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/548-27-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads