ardamax | 2278727a4c05cb69cf0b2f885cf4aed70c2acf9267ac8116ea9c136fbf431b23

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
Size

1.2MB
MD5

e503896542a0b060e76aedac3ae28b7d
SHA1

2a23273d34be236de842fca7bceec29023124d24
SHA256

2278727a4c05cb69cf0b2f885cf4aed70c2acf9267ac8116ea9c136fbf431b23
SHA512

134b7db6109927f410d0ab1c608c76ebf2a3c8f9c4bee2425a8bce7634ab27847f7bd6d04d0039843465d7c80863be272e3b4c9cdb975e1ad743c84bfb97ae12
SSDEEP

24576:X0NzT7BxPhnoLhLjhFdLIR5AzMcw872OyiaI3r1QhROCbCXYhdpNLbdNr:X0pT7BnchLjhFdLgSAcw8721P5ZGXG/B

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016c88-6.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
444	QDY.exe
2532	RFInjector.exe

Loads dropped DLL 5 IoCs

pid	Process
2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
444	QDY.exe
444	QDY.exe
2532	RFInjector.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QDY Start = "C:\\Windows\\SysWOW64\\PMXMQI\\QDY.exe"	QDY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PMXMQI\QDY.002	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PMXMQI\QDY.003	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PMXMQI\QDY.exe	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PMXMQI\	QDY.exe
File created	C:\Windows\SysWOW64\PMXMQI\QDY.004	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PMXMQI\QDY.001	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QDY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFInjector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
444	QDY.exe
444	QDY.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe
2532	RFInjector.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	444	QDY.exe
Token: SeIncBasePriorityPrivilege	444	QDY.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
444	QDY.exe
444	QDY.exe
444	QDY.exe
444	QDY.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 444	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	30
PID 2128 wrote to memory of 444	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	30
PID 2128 wrote to memory of 444	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	30
PID 2128 wrote to memory of 444	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2532	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2532	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2532	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2532	2128	e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e503896542a0b060e76aedac3ae28b7d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\PMXMQI\QDY.exe
  "C:\Windows\system32\PMXMQI\QDY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:444
- C:\Users\Admin\AppData\Local\Temp\RFInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\RFInjector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PMXMQI\QDY.001

Filesize
61KB

MD5
43a9733e89a458d638ffb6a2a475d557

SHA1
f19a7513a53208e6b9295acff974181b593675a4

SHA256
8d093cbce69e6d77abec376639a2814653873db3d49d270effc5536de51a5930

SHA512
5e5fa1e02deba80eb8098e6e2ed89ac29a7c5204a713ed6725a0ca070c5da19670171ba1e1fbe38aab5cc5f15061ca8c1a66060fdd633a3270d1609135d4052e

Download Submit
C:\Windows\SysWOW64\PMXMQI\QDY.002

Filesize
43KB

MD5
f195701cf2c54d6ceadad943cf5135b8

SHA1
9beb03fc097fc58d7375b0511b87ced98a423a08

SHA256
177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec

SHA512
f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

Download Submit
C:\Windows\SysWOW64\PMXMQI\QDY.003

Filesize
65KB

MD5
fa881c9545d01792ac6697572d52ab85

SHA1
bcf56567eea2066fce6662651d886d026eaaec30

SHA256
540e5d4e0cac56e0db7e4218838625460b3f4249a3c063c10f8bc01a277752de

SHA512
1c7fe1495b590120605701e331890c0f65b2a01b3179a454ef8622d8765c57ec918c45da68034b85241fedf00cde4e4d8cee74db198c03ca573f5ab64494fb28

Download Submit
C:\Windows\SysWOW64\PMXMQI\QDY.004

Filesize
1KB

MD5
3db7920a84fc19926b8312188b389110

SHA1
d4d77326f234cd090c3599b2e8f8ccf1c6e77228

SHA256
9dd196acb725234fa023c9b34583e18232f295abcad573fde37c940dbb3315b5

SHA512
05473055ea324eb594e4885ef3e097a526add02a0a6a786b498b2e79fff60215ed33f65eb2995d40bfe04d7dda1dae5bb1e8089f6c66dc63b2e504a65930d6b6

Download Submit
\Users\Admin\AppData\Local\Temp\RFInjector.exe

Filesize
499KB

MD5
719810492ac134154692fa69ee55223b

SHA1
6f58e55337aacf55416b0bb740deee2fa8dd0786

SHA256
9f7e9fe250283a34d78bbd83b66da692a8393871b7d679496b442b78844cd4e2

SHA512
4851e9a98863b991de78de7f97a0e07ab4b27380e7befd68684ddba9bdb6f9d6615be8fbd96217d0f64b9e71e971ed814ee52dd12d52d4ece80e5c0f442726d0

Download Submit
\Windows\SysWOW64\PMXMQI\QDY.exe

Filesize
1.7MB

MD5
d95623e481661c678a0546e02f10f24c

SHA1
b6949e68a19b270873764585eb1e82448d1e0717

SHA256
cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da

SHA512
dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

Download Submit
memory/444-19-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/444-27-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2532-23-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2532-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2532-28-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download