ardamax | 437fb865e4f563cdfe1e1ac1dda4c6a294cec7c3d251ef8b9db4656ad97f3429

General

Target

1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe
Size

1.3MB
MD5

1a3bd3f174a4e18eacd64fdff556047b
SHA1

6163ba0828e7e9f0282069eb93f51016627ca04e
SHA256

437fb865e4f563cdfe1e1ac1dda4c6a294cec7c3d251ef8b9db4656ad97f3429
SHA512

8f03f7604537628638b9e3720f22f9b299edcfd0143e9b05d18463a2f1bb3e24724b2ef6b75f207eb6a093af22c03931aebcfba88b88bd13069030ec75a05edd
SSDEEP

24576:SZB2ezCh58rOWkkMj/Vel2Dd9wXWKIk0G4aoYbXd/LlZIaglx:SZYezCh7iMj/cWLKLpLoYbXd/LlZS

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d0e-21.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2976	gula.jpg
1220	QEQ.exe

Loads dropped DLL 5 IoCs

pid	Process
2760	cmd.exe
2976	gula.jpg
1220	QEQ.exe
1220	QEQ.exe
1220	QEQ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QEQ Start = "C:\\Windows\\SysWOW64\\BXHLJG\\QEQ.exe"	QEQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BXHLJG\QEQ.exe	gula.jpg
File opened for modification	C:\Windows\SysWOW64\BXHLJG\	QEQ.exe
File created	C:\Windows\SysWOW64\BXHLJG\QEQ.004	gula.jpg
File created	C:\Windows\SysWOW64\BXHLJG\QEQ.001	gula.jpg
File created	C:\Windows\SysWOW64\BXHLJG\QEQ.002	gula.jpg
File created	C:\Windows\SysWOW64\BXHLJG\AKV.exe	gula.jpg

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gula.jpg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QEQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "exefile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "jpgfile"	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1220	QEQ.exe
1220	QEQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1220	QEQ.exe
Token: SeIncBasePriorityPrivilege	1220	QEQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1220	QEQ.exe
1220	QEQ.exe
1220	QEQ.exe
1220	QEQ.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2760	2664	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2760	2664	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2760	2664	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2760	2664	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2760	2664	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2760	2664	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2760	2664	1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2976	2760	cmd.exe	33
PID 2760 wrote to memory of 2976	2760	cmd.exe	33
PID 2760 wrote to memory of 2976	2760	cmd.exe	33
PID 2760 wrote to memory of 2976	2760	cmd.exe	33
PID 2760 wrote to memory of 2976	2760	cmd.exe	33
PID 2760 wrote to memory of 2976	2760	cmd.exe	33
PID 2760 wrote to memory of 2976	2760	cmd.exe	33
PID 2976 wrote to memory of 1220	2976	gula.jpg	34
PID 2976 wrote to memory of 1220	2976	gula.jpg	34
PID 2976 wrote to memory of 1220	2976	gula.jpg	34
PID 2976 wrote to memory of 1220	2976	gula.jpg	34
PID 2976 wrote to memory of 1220	2976	gula.jpg	34
PID 2976 wrote to memory of 1220	2976	gula.jpg	34
PID 2976 wrote to memory of 1220	2976	gula.jpg	34

C:\Users\Admin\AppData\Local\Temp\1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a3bd3f174a4e18eacd64fdff556047b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\trocaz.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\gula.jpg
    gula.jpg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\BXHLJG\QEQ.exe
      "C:\Windows\system32\BXHLJG\QEQ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gula.jpg

Filesize
1.2MB

MD5
c3e356cc7e1386dbc22536ee67989673

SHA1
2f6634012ff6785df127e012de0f2a64c92fcbfe

SHA256
e1976bd6b81209a21d731d7058861670388f7678b1f420c55f1036afeb121708

SHA512
f8f778a45403d911cde47be17b313f26ff7f638c7a18d94fc368580b079e71a175a7cc0790b26970f32ae34d3afe140d1c11f6a9adfb199388fce263a4532569

Download Submit
C:\Users\Admin\AppData\Local\Temp\trocaz.bat

Filesize
65B

MD5
2ee0ff40e09517bac60c45fd7aee84e6

SHA1
c110e6bfa35e6b69df26ad048801476c9a08a619

SHA256
9ca04ae81c18bfa4ccece4f7677b5fdbec490e1f423e41f7958312b1a79f5b39

SHA512
f055b7aa075b830ed361a56487e817054c3dd163c5581fa02094af5bc98653e9f9238da6f4e88ad9e7a3b0d11bc169dc35dd84d2bd5122a177f798f076da0da6

Download Submit
C:\Windows\SysWOW64\BXHLJG\AKV.exe

Filesize
485KB

MD5
b905540561802896d1609a5709c38795

SHA1
a265f7c1d428ccece168d36ae1a5f50abfb69e37

SHA256
ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53

SHA512
7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

Download Submit
C:\Windows\SysWOW64\BXHLJG\QEQ.001

Filesize
61KB

MD5
0e7e847fb96b4faa6cb4d3707a96887e

SHA1
896fd4064044e271312e9128e874108eec69521f

SHA256
c0f3e18ed0020dae5f75d3338b51f9c8de26d8af0a4d31904ba77cb1d112bbca

SHA512
ad680ed30b0cabe1be4e7237b8e620060de9c5f64d088d21a6acf6f293551ab4abc10f8f959aa6041e19aeaea538e72beeecc29b7669546a9a151141d4e73684

Download Submit
C:\Windows\SysWOW64\BXHLJG\QEQ.002

Filesize
43KB

MD5
f195701cf2c54d6ceadad943cf5135b8

SHA1
9beb03fc097fc58d7375b0511b87ced98a423a08

SHA256
177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

SHA512
f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

Download Submit
C:\Windows\SysWOW64\BXHLJG\QEQ.004

Filesize
1KB

MD5
ac8f25da5349ef2778fb1969b4e8d0ff

SHA1
32e3b4d84e855de5d202b0aa6eb05f161c16ff9b

SHA256
c7866438c2f2d11007e777a729abaa5f823ff9a27e435eab5f87e052f0bf38ba

SHA512
24f6e2d428be94c0ccd53601eccc5c28e8021ca879b6180f1de5a79b9467a9aa709a11ba60ceffe36fb33b2b02216c84d16db1e9c98aa45c8a93e273cf9dfed4

Download Submit
\Windows\SysWOW64\BXHLJG\QEQ.exe

Filesize
1.7MB

MD5
d95623e481661c678a0546e02f10f24c

SHA1
b6949e68a19b270873764585eb1e82448d1e0717

SHA256
cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

SHA512
dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

Download Submit
memory/2664-33-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads