ardamax | eed2d77f9875fcbacdba26225d84749793cc5d659ec5590a5dfeadd0ebcd0fb7

General

Target

JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
Size

272KB
MD5

9f2e080bb201db070a4857ee3c8276b5
SHA1

05485420df3815a7d793caf619bf51819c1b467a
SHA256

eed2d77f9875fcbacdba26225d84749793cc5d659ec5590a5dfeadd0ebcd0fb7
SHA512

0bf5d6be038e46ae2dabd00222feaa78f078a53085bfdd59cf0e29d3b0303a909e59bbe6f3a8eec5bd653c9e6a877ce2e1de370e3dfe8c7364b0776ed4ae17bb
SSDEEP

6144:jL2OVlxyl9MnDGMPzlUB4Hx6IWkphqk4gbjK:jLqGh7oIxpgkHvK

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b95-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	system32NQGF.exe

Executes dropped EXE 1 IoCs

pid	Process
3776	system32NQGF.exe

Loads dropped DLL 8 IoCs

pid	Process
4440	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
3776	system32NQGF.exe
4440	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
4440	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
3776	system32NQGF.exe
3776	system32NQGF.exe
4440	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
3584	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32NQGF Agent = "C:\\Windows\\system32NQGF.exe"	system32NQGF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32NQGF.007	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
File created	C:\Windows\system32NQGF.exe	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
File created	C:\Windows\system32NQGF.001	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
File created	C:\Windows\system32NQGF.006	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3584	3776	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32NQGF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3776	system32NQGF.exe
Token: SeIncBasePriorityPrivilege	3776	system32NQGF.exe
Token: SeIncBasePriorityPrivilege	3776	system32NQGF.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3776	system32NQGF.exe
3776	system32NQGF.exe
3776	system32NQGF.exe
3776	system32NQGF.exe
3776	system32NQGF.exe
2424	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 3776	4440	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe	82
PID 4440 wrote to memory of 3776	4440	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe	82
PID 4440 wrote to memory of 3776	4440	JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe	82
PID 3776 wrote to memory of 1252	3776	system32NQGF.exe	96
PID 3776 wrote to memory of 1252	3776	system32NQGF.exe	96
PID 3776 wrote to memory of 1252	3776	system32NQGF.exe	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f2e080bb201db070a4857ee3c8276b5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\system32NQGF.exe
  "C:\Windows\system32NQGF.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1072
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SYSTEM~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3776 -ip 3776
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@786C.tmp

Filesize
4KB

MD5
b7ea0bc4bb833ab77dce179f16039c14

SHA1
b05cc205aa6ffc60a5316c1d5d3831def5a60c20

SHA256
e7bc62fb964bacd8e3189f22a8d64a27bddeb90007a38da3d3e6b58f6d8a2dba

SHA512
5a4ad9b469c7502a930158ca2db814b0b84880b2658a6a6dcca9fee60e6c8dc5f8a3c8d09e280a026d63e3d48b5291074827d16f3e680ce87645d8aad996a652

Download Submit
C:\Windows\system32NQGF.001

Filesize
388B

MD5
9f9a31ad79eef6bcee5d9fbb5579f823

SHA1
3578008e95847d96bd636ac00cbe3624070cac01

SHA256
a59175995e47c6bffb41bc09495949adf21eb2b6950f1bd74aa2e9ff10eec46b

SHA512
ae00c53694d46157beb2261e34aec4610b7f09720537ec9ade98631fe58f6f7882e7e33cfaa7631778f82cbf26f46a4ce192c596a488ea483750c0a835fd4b85

Download Submit
C:\Windows\system32NQGF.006

Filesize
7KB

MD5
87ccf7eb039971590aac6f254b2c788a

SHA1
3095496ffd364b32cdbe63ba4dd2f477fd848515

SHA256
59973b04dd9bec56a7ff9d898fda25e9214ee7652f2687ba409b435ae07e554b

SHA512
d5f9f7855725021522fae819a855d3d2d2cf028b0ea3ac191ad02039cbb688af42b191a1ec4f1868365e2f7de36acca2b7ba3bee0a7b8447820c4521e942d8d2

Download Submit
C:\Windows\system32NQGF.007

Filesize
5KB

MD5
81938df0dbfee60828e9ce953bdf62e6

SHA1
b1182a051011e901c17eab2e28727bec8db475fb

SHA256
982e2e47e8af4384a6b71937fb4e678a61fbc354f6816204e14a01d325529a98

SHA512
64ebe41c17f55f725aeb946b1a7843ad27062490a3e9cc49df7ecb3e5e408444c766236642986cbe499e876e91d1d95d4aafe7d044fda3f5370bbe5f71532143

Download Submit
C:\Windows\system32NQGF.exe

Filesize
471KB

MD5
912c55621b4c3f0fb2daef5b4f4f5f4c

SHA1
735701c75569b7563950508afc8948b52e7bf4b2

SHA256
41ecb7a6e3e9c32ce1bbfdff8fe381f6c21fc1f601f7e9be9fcfa2678d2420a0

SHA512
65a08579e959d4beebb5ad026cab451d381e147621be8a0707baca748eaee22050c020e3d54f312376eaf6f20a1fc3713e5e07cc9d4ee7f32b7c17dc15c80d05

Download Submit
memory/3776-19-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3776-30-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads