ardamax | f6a427e78f0905ac2b8cfd882bf4c409e567c67163cdcef6fdbe9277d4a5f283

General

Target

JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
Size

2.2MB
MD5

6b5991fe1c54e2dee8efb0a6752a1099
SHA1

73735a5b949d0175156c7234787a452b6d0d50c9
SHA256

f6a427e78f0905ac2b8cfd882bf4c409e567c67163cdcef6fdbe9277d4a5f283
SHA512

9a7336946325e0105b28025da2d05a111dafdbfaf58420b84bb365393043510a3ac5fa21ed39c90f31a02ac8f7b2d37ea5454f4b98718429d226b0b175e15b62
SSDEEP

24576:fOkeXzdpiaeS6wbvusjfssaalU8dRlde688c9O75qbFv8f5p24scaOdJS:fcqq6qGiEaU8dRlf8f9D0xO

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019350-30.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1792	signature.exe
2884	QHEJ.exe

Loads dropped DLL 11 IoCs

pid	Process
1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
1792	signature.exe
1792	signature.exe
1792	signature.exe
2884	QHEJ.exe
2884	QHEJ.exe
1788	rundll32.exe
1788	rundll32.exe
2628	AcroRd32.exe
2628	AcroRd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QHEJ Agent = "C:\\Windows\\SysWOW64\\28463\\QHEJ.exe"	QHEJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	QHEJ.exe
File created	C:\Windows\SysWOW64\28463\QHEJ.001	signature.exe
File created	C:\Windows\SysWOW64\28463\QHEJ.006	signature.exe
File created	C:\Windows\SysWOW64\28463\QHEJ.007	signature.exe
File created	C:\Windows\SysWOW64\28463\QHEJ.exe	signature.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1276-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/1276-16-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	signature.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QHEJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2628	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2884	QHEJ.exe
Token: SeIncBasePriorityPrivilege	2884	QHEJ.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2884	QHEJ.exe
2884	QHEJ.exe
2884	QHEJ.exe
2884	QHEJ.exe
2884	QHEJ.exe
2628	AcroRd32.exe
2628	AcroRd32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1788	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	30
PID 1276 wrote to memory of 1788	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	30
PID 1276 wrote to memory of 1788	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	30
PID 1276 wrote to memory of 1788	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	30
PID 1276 wrote to memory of 1788	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	30
PID 1276 wrote to memory of 1788	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	30
PID 1276 wrote to memory of 1788	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	30
PID 1276 wrote to memory of 1792	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	31
PID 1276 wrote to memory of 1792	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	31
PID 1276 wrote to memory of 1792	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	31
PID 1276 wrote to memory of 1792	1276	JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe	31
PID 1792 wrote to memory of 2884	1792	signature.exe	32
PID 1792 wrote to memory of 2884	1792	signature.exe	32
PID 1792 wrote to memory of 2884	1792	signature.exe	32
PID 1792 wrote to memory of 2884	1792	signature.exe	32
PID 1788 wrote to memory of 2628	1788	rundll32.exe	33
PID 1788 wrote to memory of 2628	1788	rundll32.exe	33
PID 1788 wrote to memory of 2628	1788	rundll32.exe	33
PID 1788 wrote to memory of 2628	1788	rundll32.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\header.psd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\header.psd"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2628
- C:\Users\Admin\AppData\Local\Temp\signature.exe
  "C:\Users\Admin\AppData\Local\Temp\signature.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\28463\QHEJ.exe
    "C:\Windows\system32\28463\QHEJ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\header.psd

Filesize
1.3MB

MD5
ee7f7f35162af67150038a6b083648e9

SHA1
32758528efca36d45dead82da990ffaaf4465866

SHA256
2e8e8dd204d47749b588b3e3c6af15e08b8e9545bc2f6ac6dd8962328a0391e4

SHA512
f3ec99fef186b1914b0aa840b15a8c511207486f1f664fd6f9d1eea14ff515957c1c66650c7af30f9b997b0b5f7fce995842a235ba19f64195790902b98438e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\signature.exe

Filesize
894KB

MD5
8a30bd816fce0f7f30570f74de041f43

SHA1
88320c6c902ad73e041c4fa9deea532e5a13df87

SHA256
dc42d8978c71c2a79b12a2ad07489e455121546e924c5513afe5a1219ea3e289

SHA512
aa67ec8988a4f2035b0301eb4a3007be7404e7c6f9dc0b7b7a2678f0fcce40e9556b1ee9dc967b52e1346612f3d11cfdaaf4d3892d0ff5fd074835af61d3ee54

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ee2fc4d9ab3b52e2b11d865286c6ca98

SHA1
a091087204464ebec17f19c798fab9439ad70276

SHA256
2d7bb0ad19abf9f4201404d9cd422daa3b6ef5b382b9d28e605c8c4cb0f8fec9

SHA512
6d132bdcc55b03a9965603f5a11601e2e7d09c462356415f6a04c06091a30c2adce72413d7e883947989fad9f53b36d71b9d19ae071cd728dca5d73b2fa11b95

Download Submit
C:\Windows\SysWOW64\28463\QHEJ.001

Filesize
422B

MD5
3a5ff6b2528a10f5097dc335c20413e8

SHA1
12c54771b8ad4016716a32972c62296579d32ff3

SHA256
82e0b8349d72ec3e0e7a607ad0913a8f3a507f04c1cffaaf951b2f15d72ad13b

SHA512
058376e1fee27fdcfd0c8dfbecc17155d0c7d69a637a04fb41b5cb8bf9bc0c46d58e7a5a58e8dd1199b42ae6fd7915fd8f4e9fde3492c5a4b6048e3a911af4ef

Download Submit
C:\Windows\SysWOW64\28463\QHEJ.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
C:\Windows\SysWOW64\28463\QHEJ.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
C:\Windows\SysWOW64\28463\QHEJ.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
\Users\Admin\AppData\Local\Temp\@94A1.tmp

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
memory/1276-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1276-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads