ardamax | 5a249d68140e642d1034d038ade0fdee40ef788fbe9e93492f72038ec2ce1895

General

Target

8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
Size

1.2MB
MD5

8203e48a8f4ef3222962f3fd00a8a731
SHA1

58e9fe4e4be60dee8fba0c1f7a8e358d8b2ad7c7
SHA256

5a249d68140e642d1034d038ade0fdee40ef788fbe9e93492f72038ec2ce1895
SHA512

b05b07b4029426d6548d64557b908454bf78fba04f1d9a1a9bb1e9fac753295bb2dfd21f752085ee8c87f10eb469322de0484ec120159a6a888ee9ebf65bc2ce
SSDEEP

24576:PZ+7EWOzlwruFR1YxgmEqn6TyXV+3rD11R8sW:Q7F6kxBBn6+wrDf

Score

10^/10

ardamax discovery keylogger stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000018690-45.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1052	Install.exe
2836	Banco Imobiliário.exe
3060	VNQS.exe

Loads dropped DLL 20 IoCs

pid	Process
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
1052	Install.exe
1052	Install.exe
1052	Install.exe
1052	Install.exe
1052	Install.exe
1052	Install.exe
3060	VNQS.exe
3060	VNQS.exe
3060	VNQS.exe
3060	VNQS.exe
3060	VNQS.exe
2836	Banco Imobiliário.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\VNQS.001	Install.exe
File created	C:\Windows\SysWOW64\Sys\VNQS.006	Install.exe
File created	C:\Windows\SysWOW64\Sys\VNQS.007	Install.exe
File created	C:\Windows\SysWOW64\Sys\VNQS.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys	VNQS.exe
File created	C:\Windows\SysWOW64\Install.exe	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Banco Imobiliário.exe	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d2e-17.dat	upx
behavioral1/memory/2836-37-0x0000000000400000-0x00000000005E5000-memory.dmp	upx
behavioral1/memory/2836-67-0x0000000000400000-0x00000000005E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banco Imobiliário.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VNQS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3060	VNQS.exe
Token: SeIncBasePriorityPrivilege	3060	VNQS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3060	VNQS.exe
3060	VNQS.exe
3060	VNQS.exe
3060	VNQS.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1052	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	31
PID 2024 wrote to memory of 1052	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	31
PID 2024 wrote to memory of 1052	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	31
PID 2024 wrote to memory of 1052	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	31
PID 2024 wrote to memory of 1052	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	31
PID 2024 wrote to memory of 1052	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	31
PID 2024 wrote to memory of 1052	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2836	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	32
PID 2024 wrote to memory of 2836	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	32
PID 2024 wrote to memory of 2836	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	32
PID 2024 wrote to memory of 2836	2024	8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe	32
PID 1052 wrote to memory of 3060	1052	Install.exe	33
PID 1052 wrote to memory of 3060	1052	Install.exe	33
PID 1052 wrote to memory of 3060	1052	Install.exe	33
PID 1052 wrote to memory of 3060	1052	Install.exe	33
PID 1052 wrote to memory of 3060	1052	Install.exe	33
PID 1052 wrote to memory of 3060	1052	Install.exe	33
PID 1052 wrote to memory of 3060	1052	Install.exe	33

C:\Users\Admin\AppData\Local\Temp\8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8203e48a8f4ef3222962f3fd00a8a731_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\Install.exe
  "C:\Windows\system32\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Sys\VNQS.exe
    "C:\Windows\system32\Sys\VNQS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3060
- C:\Windows\SysWOW64\Banco Imobiliário.exe
  "C:\Windows\system32\Banco Imobiliário.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
81f6a58eb4c46ebf68ac1dbcdeef7901

SHA1
1732b02862a98c039055e1fd5b817b07af76659e

SHA256
72fc82a07b19ffb5f2c8e2f292db1b0ab42c96b12ef10110562eddcc2297d3aa

SHA512
b0d1325bdf8dcd2683e46f8dfb984fbf87b7d92d8ec3f2a0d8330a313d6ae26847ca5e4a0ec9bd65d8ef09344f2d489af9a2866b3b2a67377c14fccdca63f6cb

Download Submit
C:\Windows\SysWOW64\Sys\VNQS.001

Filesize
3KB

MD5
37c7fffacfd8d7c1e0b02e06f235f935

SHA1
732002b4fee161322b20356596f7454414288614

SHA256
bec8b4d200e99955681b6b951554a397fe109f73c8840605a9a71f6435455dde

SHA512
07de54acc27aedded20a105a2a3130049ca3362df5567b6ee365f745716b726378704133dc61c3f610a20a6be66a3f14e4d7bb0ed8c88b52de4b7214da5954b9

Download Submit
C:\Windows\SysWOW64\Sys\VNQS.006

Filesize
5KB

MD5
271bbf07cc8006c3335db6fc21622be4

SHA1
cb0caf39bc1cab16ec8a39d6a11160865703c329

SHA256
5d6e4701d424e8e095b95c98f87bb1946ac0254bd089d128c4a4c3e5b13ed5d7

SHA512
65dd41d4bb119d1f3801dc3097254e967d747661c83bfe0cd3c061441b63e1dd4928a0476fbd4a015631ecf1d511d2f66ec87f2bd078b6bce0b86fdb659392c8

Download Submit
C:\Windows\SysWOW64\Sys\VNQS.007

Filesize
4KB

MD5
2d8ec35eb48bf5cbc8c38a7a8d6cfa51

SHA1
4f43dc1a30731acba6d33b52c3970c9815f5be34

SHA256
7b6d9330aba21844b6f267489d29f0e10b4beea3a749b72d5dec9e8761c98d3e

SHA512
0a2f41f3e88132e56f7ce3c83e24753c80c9344011b0dcd943def8733b79d197e10ad5fba82be08f0054ec5d4c9af731f1a1eb4e041a93cd81c25b364087176e

Download Submit
\Users\Admin\AppData\Local\Temp\@DCF7.tmp

Filesize
4KB

MD5
b8416a532c8e995dfb2789ff77fa5618

SHA1
b5421c4f4ae3f27a9278b60d6ef683deb3111251

SHA256
f93ff177d9d79a04d8a35a57689e9977babf939de260f27fbc832c0be981ca89

SHA512
30dcc35db52f723490ea03df3abe5efc9374035a339f060a7468cae79bf8ba379538a87ad5217f0f0e06b741fe6497917b4226e65ac9c0e3026900244c3094b3

Download Submit
\Windows\SysWOW64\Banco Imobiliário.exe

Filesize
465KB

MD5
cffaed7e1f58e280047c83b8162d7b5e

SHA1
425fc50f23ac46efb63e80d56de04abe3b4e59a7

SHA256
d7eeca654d65aae04a3a709e3d9df45117ba2401f48bd0e55526289daef025da

SHA512
439cf4fc6c76ac9979b0ebca44f096bfbc18721cbef685f216728c80f1525d9596cb062c9ae6cf5d0f7d620763480c39425d0a8e2ab4f81071cf40fac0a14c5e

Download Submit
\Windows\SysWOW64\Install.exe

Filesize
473KB

MD5
aa50f3f2ca317593e55cea34c7bae742

SHA1
a432a26ac4e91ee62a7281d19c967bf3937ada41

SHA256
e631d8f267722d658f24d98d6273b1793011d78fac8ae9657fb1e1817ccce94b

SHA512
bdde410334b742cb93c06bc80dd0e12d23727fd944789f9ec0371407f4aa5227256eb57bbd851e15b1d7ea7631813ff9d8ecad36e6e8e902c5706deee10df0f5

Download Submit
\Windows\SysWOW64\Sys\VNQS.exe

Filesize
468KB

MD5
62401443a0feeb13a9940fcc78558090

SHA1
6200cf99b3a6a1bebde29378a6260ddf92d13370

SHA256
69761c67078239fa4e05676e0974f7d7410de0f6f00d19f8f69c9a180c0d5de7

SHA512
2001aa6875728c2ba75b1f8ee44fbb87a508598194f5ed6e5945292c2eb67874c3bc619da84a107ac0e5bc83748625eadcae0ccbd9f1f5414575db3fc3e92ce0

Download Submit
memory/2024-33-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2024-29-0x0000000003370000-0x0000000003555000-memory.dmp

Filesize
1.9MB

Download
memory/2836-37-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2836-47-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2836-67-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2836-69-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing