ardamax | 02d47750c5216e8511202b46db7fd20dfff9c81b6cd15ceef93ee301702cd3f2

General

Target

10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
Size

2.3MB
MD5

10d45979874eb4499795d8a1e51f2836
SHA1

ed0a03845121cb397433226b5ef218b9291f8ea7
SHA256

02d47750c5216e8511202b46db7fd20dfff9c81b6cd15ceef93ee301702cd3f2
SHA512

de3809c38484ffab72fd3bbab0b1c5e5223e16ccd9da52c300cf3e1b37842a6845cba6137f7938138e477eddc696d156b47a679215b439b34c20fd04fe73b1bc
SSDEEP

49152:sygCp6HtAtYNox4cdbTPieMm9aJAesm5eYfUBrwAqANA+IUSGLE26Jd:s/Cp6HtAtSof79KAesmkSerqAKFGo

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234a6-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	system32QPSS.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	system32QPSS.exe

Loads dropped DLL 7 IoCs

pid	Process
868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
2556	system32QPSS.exe
868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
2556	system32QPSS.exe
2556	system32QPSS.exe
2992	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32QPSS Agent = "C:\\Windows\\system32QPSS.exe"	system32QPSS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32QPSS.001	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
File created	C:\Windows\system32QPSS.006	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
File created	C:\Windows\system32QPSS.007	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
File created	C:\Windows\system32QPSS.exe	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
File created	C:\Windows\system32AKV.exe	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	2556	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32QPSS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3496	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3496	vlc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	2556	system32QPSS.exe
Token: SeIncBasePriorityPrivilege	2556	system32QPSS.exe
Token: 33	5032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5032	AUDIODG.EXE
Token: 33	3496	vlc.exe
Token: SeIncBasePriorityPrivilege	3496	vlc.exe
Token: SeIncBasePriorityPrivilege	2556	system32QPSS.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2556	system32QPSS.exe
2556	system32QPSS.exe
2556	system32QPSS.exe
2556	system32QPSS.exe
2556	system32QPSS.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe
3496	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2556	868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe	82
PID 868 wrote to memory of 2556	868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe	82
PID 868 wrote to memory of 2556	868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe	82
PID 868 wrote to memory of 3496	868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe	83
PID 868 wrote to memory of 3496	868	10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe	83
PID 2556 wrote to memory of 2800	2556	system32QPSS.exe	97
PID 2556 wrote to memory of 2800	2556	system32QPSS.exe	97
PID 2556 wrote to memory of 2800	2556	system32QPSS.exe	97

C:\Users\Admin\AppData\Local\Temp\10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10d45979874eb4499795d8a1e51f2836_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\system32QPSS.exe
  "C:\Windows\system32QPSS.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1068
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SYSTEM~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\ghn_0001.wmv"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2556 -ip 2556
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@B49A.tmp

Filesize
4KB

MD5
d1e6a3b3fec7d6f1d0db1bc02da26d93

SHA1
d7da87bdc09c38836cecd0844bfd587172c076f4

SHA256
bca04b3b3b4b8b416597ecd653056ec98f88e16a57ef64f2143b09ab892a3730

SHA512
327def77c38f293c4e8b4f20a3380bc7c5ba5b72f2431b20f67cbaeb2a4d11c2dd9493e477d36de88d75cf185b8fc2936fd6eee3cfa9bcd5620e0fc054f232f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghn_0001.wmv

Filesize
1.9MB

MD5
8273c4435bd0bd5d1c5dd6e1094e4a64

SHA1
5556e60360bc2311ae8e1f3b3742a3be74076c99

SHA256
68b7b3d76f05e996f4c645a69dda8233114e7366b9a324f7d8a3e01f634a92d1

SHA512
2f8d49cbb11d9692d8b2b2f5dc80b051e6d938fe4b8f287447572df4a73acada834f464aae0169033862c0ee703e058d2f9c30db4f5ddfb99fc29f63f7810e27

Download Submit
C:\Windows\system32QPSS.001

Filesize
404B

MD5
466dac75e7a23d24d2a284f59d72cec5

SHA1
7e3541a7688937d4a67691a1e8d7470ba79fc998

SHA256
8a880ed186650af7c01d18cfbed4ce7af88c2a2ecef8ec221526dbe85fcbca14

SHA512
eb7613536b565a2bcbf2702e83f0b06d398c5dfbbde915969716424719193710ae2e8088130a98d43c2104e74458e5f714a648c586208603a80d9ac0def857d2

Download Submit
C:\Windows\system32QPSS.006

Filesize
7KB

MD5
9bff554f06d83650594d29c02ff22490

SHA1
5b00b436753479c29403b18256d1be009134f920

SHA256
37dc6bab558f611dface5ee2d0cb73f078f1b850de80f4bc5c1e4ebde024c693

SHA512
eb98be1e1b86acbe8d36542a42ec73f2357392ece2bca103910be6f5c06b5fbb3b8639cf4b8da03ccf284f09dffece1b12e2882f6f13c5d17ca66a8560e7e572

Download Submit
C:\Windows\system32QPSS.007

Filesize
5KB

MD5
b6f12dd5978a40f15490b637523b0207

SHA1
c2a9ae1415e61f59ceaffe91bb5ccde499bcfafd

SHA256
097124b7451b236ec652f964aeb3a06a8caf8aa8763db37cc1db16ab91dffe9e

SHA512
5baa4a7641cbdd5e6a331f1a5d753ae3d5a2b8e64a6db21ac475176b0d020e6cc79c5ef83fb35003612976d39fcabc3786e46a1b36ca6f91a614995e50c37795

Download Submit
C:\Windows\system32QPSS.exe

Filesize
471KB

MD5
9db739b6cc6f87cc09aa60428f94551a

SHA1
f8dad673918a9f342a90d8c0221423c90ae35fd7

SHA256
050dbbfa127d4db9f3fdf7efc1961dc2530a5affd1921818c053d7aaa07f1eda

SHA512
0f410d81d92dbeec6bbc17a3f6e296bc8e96544b45e7ca2209d832bcdce1b3993c43c1f1298d77bb03eff94bb0c27a7cb950d599a6572a2e4c929400edde5a2d

Download Submit
memory/2556-19-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2556-60-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3496-44-0x00007FFAB6DA0000-0x00007FFAB6DB1000-memory.dmp

Filesize
68KB

Download
memory/3496-39-0x00007FF682930000-0x00007FF682A28000-memory.dmp

Filesize
992KB

Download
memory/3496-47-0x00007FFAB6CC0000-0x00007FFAB6CDD000-memory.dmp

Filesize
116KB

Download
memory/3496-41-0x00007FFAB7350000-0x00007FFAB7606000-memory.dmp

Filesize
2.7MB

Download
memory/3496-46-0x00007FFAB6D60000-0x00007FFAB6D71000-memory.dmp

Filesize
68KB

Download
memory/3496-49-0x00007FFAB6730000-0x00007FFAB693B000-memory.dmp

Filesize
2.0MB

Download
memory/3496-50-0x00007FFAB6C50000-0x00007FFAB6C91000-memory.dmp

Filesize
260KB

Download
memory/3496-45-0x00007FFAB6D80000-0x00007FFAB6D97000-memory.dmp

Filesize
92KB

Download
memory/3496-40-0x00007FFABAF40000-0x00007FFABAF74000-memory.dmp

Filesize
208KB

Download
memory/3496-43-0x00007FFABAF20000-0x00007FFABAF37000-memory.dmp

Filesize
92KB

Download
memory/3496-42-0x00007FFABD740000-0x00007FFABD758000-memory.dmp

Filesize
96KB

Download
memory/3496-48-0x00007FFAB6CA0000-0x00007FFAB6CB1000-memory.dmp

Filesize
68KB

Download
memory/3496-59-0x00007FFAA72C0000-0x00007FFAA72D2000-memory.dmp

Filesize
72KB

Download
memory/3496-58-0x00007FFAA72E0000-0x00007FFAA72F1000-memory.dmp

Filesize
68KB

Download
memory/3496-57-0x00007FFAA74C0000-0x00007FFAA74D5000-memory.dmp

Filesize
84KB

Download
memory/3496-56-0x00007FFAB66F0000-0x00007FFAB6701000-memory.dmp

Filesize
68KB

Download
memory/3496-55-0x00007FFAB6710000-0x00007FFAB6721000-memory.dmp

Filesize
68KB

Download
memory/3496-54-0x00007FFABAE30000-0x00007FFABAE41000-memory.dmp

Filesize
68KB

Download
memory/3496-53-0x00007FFABAE50000-0x00007FFABAE68000-memory.dmp

Filesize
96KB

Download
memory/3496-52-0x00007FFABAE70000-0x00007FFABAE91000-memory.dmp

Filesize
132KB

Download
memory/3496-51-0x00007FFAA7960000-0x00007FFAA8A10000-memory.dmp

Filesize
16.7MB

Download
memory/3496-63-0x00007FFAB7350000-0x00007FFAB7606000-memory.dmp

Filesize
2.7MB

Download
memory/3496-73-0x00007FFAA7960000-0x00007FFAA8A10000-memory.dmp

Filesize
16.7MB

Download
memory/3496-94-0x00007FFAA7960000-0x00007FFAA8A10000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads