ardamax | dbf90beb77f926b9e9111902ea8daa0fc4c4bb69b2a9f0f52e3c19fea8d236b2

General

Target

6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe
Size

683KB
MD5

6b252cf16f01f8e3c007474c8bb966d6
SHA1

d29593cc421f1378f33366fec66c5816102662f0
SHA256

dbf90beb77f926b9e9111902ea8daa0fc4c4bb69b2a9f0f52e3c19fea8d236b2
SHA512

576f3b60a630c8409e72e23a3833bb308df41c3f4dcbd0c25d09f19e0add399e75cc5473deb1f27e8023c8b2c0c289dc09bc4de295a0401e2b681738ec12e947
SSDEEP

12288:XzVxulv+H7qMeU9dh3o5jSzW60/4fYoF0es3X91AKF2ot4P49z6Bg:h0lGbKwxoRbwYoF0esH912otk

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b85-25.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
1916	Install.exe
4052	PNQQ.exe

Loads dropped DLL 4 IoCs

pid	Process
1916	Install.exe
4052	PNQQ.exe
4052	PNQQ.exe
4052	PNQQ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PNQQ Agent = "C:\\Windows\\SysWOW64\\28463\\PNQQ.exe"	PNQQ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\PNQQ.006	Install.exe
File created	C:\Windows\SysWOW64\28463\PNQQ.007	Install.exe
File created	C:\Windows\SysWOW64\28463\PNQQ.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	PNQQ.exe
File created	C:\Windows\SysWOW64\Install.exe	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\PNQQ.001	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNQQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4052	PNQQ.exe
Token: SeIncBasePriorityPrivilege	4052	PNQQ.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4052	PNQQ.exe
4052	PNQQ.exe
4052	PNQQ.exe
4052	PNQQ.exe
4052	PNQQ.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1916	3500	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe	83
PID 3500 wrote to memory of 1916	3500	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe	83
PID 3500 wrote to memory of 1916	3500	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe	83
PID 3500 wrote to memory of 1612	3500	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe	85
PID 3500 wrote to memory of 1612	3500	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe	85
PID 3500 wrote to memory of 1612	3500	6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe	85
PID 1916 wrote to memory of 4052	1916	Install.exe	95
PID 1916 wrote to memory of 4052	1916	Install.exe	95
PID 1916 wrote to memory of 4052	1916	Install.exe	95

C:\Users\Admin\AppData\Local\Temp\6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b252cf16f01f8e3c007474c8bb966d6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\Install.exe
  "C:\Windows\SysWOW64\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\28463\PNQQ.exe
    "C:\Windows\system32\28463\PNQQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Pictures\1214934244.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@A0F3.tmp

Filesize
4KB

MD5
fc0fea286539e5d84ccf49020ca3823b

SHA1
d43711c776edf9a07abed6bb95ed4a0e45e14d52

SHA256
2520256a587481813a5557e54a65f2fca97baee5df333102adfff2dbdabb4828

SHA512
70e1a5ec247d5e3057fe19f7f34b31ee7a79ab16dca73794829d9d81e3ed891881df424f7aa44b9424550574ab61c95d376163b16080aa7cfd61e986e6988ea2

Download Submit
C:\Users\Admin\Pictures\1214934244.bat

Filesize
260B

MD5
a296fc295e44db7677a462bbde6bbff5

SHA1
659045e5c34d93228d3026b8fb9f018c7bfe977a

SHA256
1c827473aaf064a5bcfec98829512b1eea0712f6d7d0424eeecbb4bf21ce9c92

SHA512
334b5b2c21a5dd550af386b611860a803afa1209d1361432b1768ee91f0cabcc5987550a5876c35dd977c7aa10675d3ab10cafc019fdb7e4d416a8b91cddb0af

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
408KB

MD5
9f298a92f457a6c240b70393f336a17a

SHA1
1acfd6d9856cdd6ca71b6efcc55040e97904aa58

SHA256
557cfe249fa1838dc600ca8b137b1dc2dde3d9552b9ee4186bdca34b0401164e

SHA512
17cb2cc5b337a2b55b94ccc3ce7661fe2b502ce309a012eabfd4d88797a85a3fe3dae53e34891e5b295f7764494836b62a0d24b0b03ac6c93f77cc1f5dd0484c

Download Submit
C:\Windows\SysWOW64\28463\PNQQ.001

Filesize
466B

MD5
b47a9d51621ebf97005b410f0b6c1515

SHA1
f263872fe7c2b24a687ab9609a1ec4326162bf05

SHA256
84a2eb19b7e69237a15322cbc22fd4e0304c9691402f6dd41e31c9e795d240cc

SHA512
58718fc696e0f67876adb2e4927d11de03599216c3333d28217b10f21423ea434dbaad033060266780d44f72613930f35fe164efedb455e2e3aa5eb795cc5c7d

Download Submit
C:\Windows\SysWOW64\28463\PNQQ.006

Filesize
8KB

MD5
75f215af21ded98ab7a1a2a0ea1f1a30

SHA1
e85649693a178064da1aa4cc7c8e34c92472ba0d

SHA256
af46dca2a4f77f0c977fec74312a41e20bd064bd2ca17bec0f09afd67d7e1e3d

SHA512
1582847dae80134e5272fc1b125d6af13746263601ebc8b540ea5fd3e4fc0a05f6e783c59a6052b971efd15d26d9d55b86345292160e9c79041b7c57f9a74f54

Download Submit
C:\Windows\SysWOW64\28463\PNQQ.007

Filesize
5KB

MD5
528f383007234b421e3f1072fae5af11

SHA1
b19c49e17263d940ffa4d46c60a7cf2d03525f09

SHA256
531958a2b1de11d2da2eb8a5409f57c1f31253f79f790473d0efc0ae5567b61f

SHA512
d1813fc77b21ebcdada0cc9c410e533a39a436a038d91cb131bf03c987dab6e7e5b4c99f1a135adde84b4afcbd0a9f0f13931bae3c45c5782d7557fa620b4830

Download Submit
C:\Windows\SysWOW64\28463\PNQQ.exe

Filesize
513KB

MD5
1800b0b263035d94f7bb5e9e70270032

SHA1
c8ba77fa2e414ad11e39a6493e15c078c99d80e6

SHA256
0b15e820894e38d036e75abd442e1cebbfb734c4a50fd0f3adcd3b77211caa5e

SHA512
1431bedcba045f110354c7ec8a34ad5677447aa647581ebc86c25ee38397d2eff4b02d438227144b934ce65b26a2be65c44b761bd4b46518ff44ba6aaf06f29f

Download Submit
C:\Windows\SysWOW64\Install.exe

Filesize
496KB

MD5
681f147968ea7277d72b18e738bf6471

SHA1
dc18a12fa40cb27dac3a10ce222224bc879d0d7c

SHA256
38dddc5b7e445801ab262c4407eb68fada6fe754213600e63c1662327e1f5641

SHA512
724fa9e7aeac02a8b59b04fe615187932540bd4b81cbfaf6c5bf81310e181049d35600f72b0d2d3294df73c838eec8c078454ddb3495ccef3448929c12784728

Download Submit
memory/4052-36-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4052-40-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads