ardamax | eb00925c8cb360c8817c2a6515192abe5842161489cdf64e5beaebf3aa2c6597

General

Target

JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe
Size

589KB
MD5

8842674d652f074eeb8915da5295f48b
SHA1

8a779bdf5fd018640809f36e27278595cbef5736
SHA256

eb00925c8cb360c8817c2a6515192abe5842161489cdf64e5beaebf3aa2c6597
SHA512

e58fb6ed8f2683e1a07c278e5cebd26021e62dc446dddd30cf26a7265c4eab732800115d6179662b5bda8625955dffd8c9797d9841288688d93801e90a257a87
SSDEEP

12288:tSUZvqKoE8AFZQ73sSj/oNtHH2HkxZKvXu43qMlYeDflnHWVIu6rrfLxXcjovlRs:ZboEFSASj/oNt2yZK2rufDfFXL6g+xjf

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b86-21.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
4384	Install.exe
4596	QGSH.exe

Loads dropped DLL 1 IoCs

pid	Process
4384	Install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QGSH Agent = "C:\\Windows\\SysWOW64\\28463\\QGSH.exe"	QGSH.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\QGSH.001	Install.exe
File created	C:\Windows\SysWOW64\28463\QGSH.006	Install.exe
File created	C:\Windows\SysWOW64\28463\QGSH.007	Install.exe
File created	C:\Windows\SysWOW64\28463\QGSH.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QGSH.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 4384	3280	JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe	82
PID 3280 wrote to memory of 4384	3280	JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe	82
PID 3280 wrote to memory of 4384	3280	JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe	82
PID 4384 wrote to memory of 4596	4384	Install.exe	83
PID 4384 wrote to memory of 4596	4384	Install.exe	83
PID 4384 wrote to memory of 4596	4384	Install.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8842674d652f074eeb8915da5295f48b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\28463\QGSH.exe
    "C:\Windows\system32\28463\QGSH.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9A9A.tmp

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
c0cdbc628240a97df806fbac106ab621

SHA1
8b6790d86a58090904eef4e3c0d6543c1dae66d1

SHA256
6d96c49a5bf1bb651ba10691df8e053bda5fe247bcb460344fadeff63aebc46e

SHA512
9c3171901c309ebdadd7053d9fcf0053059e956678f8d8fcc4ea353de8ace56b8cd4a9d089190fae9c032b606b1f6624a56a28b2a180e3fc711d3fc9b274dd7f

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
394KB

MD5
b87e2e56dbf34fb12705317f4d361c12

SHA1
3b4a6c2fddaab9f71747437c60dc7ad85661b4fa

SHA256
1ed5873542484a3f4c898de6684fc04bc0929e4fc795cd09b4b86f17e817d85a

SHA512
9d1bf05a200efda561f3141d3a4c70a347ba2a64fbfb5fb9b432956660b4aabc492f93fa50ba1928a3c408ec048c357a50cb79d12ba6200b28b1aeb98dbc39a0

Download Submit
C:\Windows\SysWOW64\28463\QGSH.001

Filesize
422B

MD5
54af0c1cbbc68160c31defe067934bc9

SHA1
167fdd06c7e9a68779edda10ce02a205dd7757d8

SHA256
633306292857dbf6a075ca322f38b6d383b1c44154bf01727fb115323dbf9b32

SHA512
9d34dd6c84a717f267eef9179631de0a89735350ce04cd6a9b55f166974b13fb0ce23e4845d74060c4438a47acf551958026aeba72e909ee7a09289a4d5cbb33

Download Submit
C:\Windows\SysWOW64\28463\QGSH.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
C:\Windows\SysWOW64\28463\QGSH.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
C:\Windows\SysWOW64\28463\QGSH.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
memory/4596-32-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads