ardamax | e3c559cc4620be1f6d1623f0a8f4b5ef2bf59e143d347de5a249a9b395c3186c

General

Target

f36021e880e248c89e00209e962b2436_JaffaCakes118.exe
Size

992KB
MD5

f36021e880e248c89e00209e962b2436
SHA1

347cde2fbd1e4961cfcb2468e8948ad3c44856f5
SHA256

e3c559cc4620be1f6d1623f0a8f4b5ef2bf59e143d347de5a249a9b395c3186c
SHA512

7ee62a27135168efe29c72aab7b66f9177587f33461b7fffae4cc1abd9b2a09511a16bd1b5e60fa89a925b21a54515425f1598f3069720d165699cdb8f623012
SSDEEP

12288:jKUUioUWLbAPS6PkhpOWASZVwMINLTaPwts7UvFEnkfl549z:j5x79qIn+qMI4YO7Uvaq5Yz

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015e18-22.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2732	Job.v517.dll
3036	system32QRNN.exe
2552	Selamla.exe

Loads dropped DLL 5 IoCs

pid	Process
3032	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe
3032	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe
2732	Job.v517.dll
2732	Job.v517.dll
2732	Job.v517.dll

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32QRNN Agent = "C:\\Windows\\system32QRNN.exe"	system32QRNN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32QRNN.001	Job.v517.dll
File created	C:\Windows\system32QRNN.006	Job.v517.dll
File created	C:\Windows\system32QRNN.007	Job.v517.dll
File created	C:\Windows\system32QRNN.exe	Job.v517.dll
File created	C:\Windows\system32AKV.exe	Job.v517.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Job.v517.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32QRNN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Selamla.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3036	system32QRNN.exe
Token: SeIncBasePriorityPrivilege	3036	system32QRNN.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3032	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe
3036	system32QRNN.exe
3036	system32QRNN.exe
3036	system32QRNN.exe
3036	system32QRNN.exe
2552	Selamla.exe
3036	system32QRNN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2732	3032	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2732	3032	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2732	3032	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2732	3032	f36021e880e248c89e00209e962b2436_JaffaCakes118.exe	30
PID 2732 wrote to memory of 3036	2732	Job.v517.dll	31
PID 2732 wrote to memory of 3036	2732	Job.v517.dll	31
PID 2732 wrote to memory of 3036	2732	Job.v517.dll	31
PID 2732 wrote to memory of 3036	2732	Job.v517.dll	31
PID 2732 wrote to memory of 2552	2732	Job.v517.dll	32
PID 2732 wrote to memory of 2552	2732	Job.v517.dll	32
PID 2732 wrote to memory of 2552	2732	Job.v517.dll	32
PID 2732 wrote to memory of 2552	2732	Job.v517.dll	32

C:\Users\Admin\AppData\Local\Temp\f36021e880e248c89e00209e962b2436_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f36021e880e248c89e00209e962b2436_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\Job.v517.dll
  C:\Users\Admin\AppData\Local\Temp\Job.v517.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32QRNN.exe
    "C:\Windows\system32QRNN.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\Selamla.exe
    "C:\Users\Admin\AppData\Local\Temp\Selamla.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32QRNN.001

Filesize
410B

MD5
7464a77c20777a3b059de4d474056b09

SHA1
140fe594dbc3a5e54f2a80bcd389491f13a98397

SHA256
070347d21f2050610d1594f069b296aa72a599bbe1e80db82a815dab7b44bd60

SHA512
5b9bbf3d0427701f2b8b592b9fe55a9793b469fe84774a3c473d1c3fe9c8379ce9e5ae2e12723debc19d03e8be8f9ec8ccc117c8d8b986c48779db3dfd7cdfb5

Download Submit
C:\Windows\system32QRNN.006

Filesize
7KB

MD5
87ccf7eb039971590aac6f254b2c788a

SHA1
3095496ffd364b32cdbe63ba4dd2f477fd848515

SHA256
59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b

SHA512
d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

Download Submit
C:\Windows\system32QRNN.007

Filesize
5KB

MD5
81938df0dbfee60828e9ce953bdf62e6

SHA1
b1182a051011e901c17eab2e28727bec8db475fb

SHA256
982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98

SHA512
64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

Download Submit
C:\Windows\system32QRNN.exe

Filesize
471KB

MD5
912c55621b4c3f0fb2daef5b4f4f5f4c

SHA1
735701c75569b7563950508afc8948b52e7bf4b2

SHA256
41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0

SHA512
65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

Download Submit
\Users\Admin\AppData\Local\Temp\@4BDF.tmp

Filesize
4KB

MD5
b7ea0bc4bb833ab77dce179f16039c14

SHA1
b05cc205aa6ffc60a5316c1d5d3831def5a60c20

SHA256
e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba

SHA512
5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

Download Submit
\Users\Admin\AppData\Local\Temp\Job.v517.dll

Filesize
482KB

MD5
6b372db2d40fd55d69ac49b69524c392

SHA1
5d38b7713c87286ce77ee0de09151374818e6f79

SHA256
30d6a5889d1c696c84fede548643d174e88bc6d03e7002c05e502562de639465

SHA512
458f3bb83bd4e5fece9bff7e785a389ad86cf0c59fc759d3dacba99ce120fd98d6250b61a27fd30f1753086bcbf5b4104ece00982af6d49e3e8b74b6fa961e92

Download Submit
\Users\Admin\AppData\Local\Temp\Selamla.exe

Filesize
16KB

MD5
17e2fd7c20f4eec6c3ca84c3db660ea9

SHA1
1118a2f602a8e0350ad5c681c3d896b5aae44a90

SHA256
c11145cb46c00dcebeee513e14e1629f93c1d64522e3df64db982a7539360933

SHA512
8fd50e0ac295feee4da2781f660f198068c47a68b3d36f53f54003ba42fd1d7e86afe173e01475273681e5a9db2fad725f49e5bda7be4a10f91add48ab2b3bf6

Download Submit
memory/2552-54-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2552-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2552-53-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2552-46-0x00000000777EF000-0x00000000777F0000-memory.dmp

Filesize
4KB

Download
memory/2552-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2732-30-0x00000000028C0000-0x00000000028C9000-memory.dmp

Filesize
36KB

Download
memory/3032-45-0x00000000777EF000-0x00000000777F0000-memory.dmp

Filesize
4KB

Download
memory/3032-50-0x0000000003ED0000-0x0000000003ED6000-memory.dmp

Filesize
24KB

Download
memory/3032-49-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3036-51-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3036-52-0x0000000001C80000-0x0000000001C86000-memory.dmp

Filesize
24KB

Download
memory/3036-48-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3036-40-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads