ardamax | d2b82aceb0fefc61e61988de6642e38e8a43794bc7eace500b543a30d2dbbc77

General

Target

JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
Size

599KB
MD5

fc55485263d7bdc6e4a3adf3b83bde6d
SHA1

bf6180b84513aa6800fde62d514e64be77e21d7a
SHA256

d2b82aceb0fefc61e61988de6642e38e8a43794bc7eace500b543a30d2dbbc77
SHA512

c350ff934b018cdd0ff1962f9c518eba4a90f8159e397fe2c6724fcd0b0173d7573514842ef73b5ed34b1a1d521ad7c9ff4d2ff10c09bd135e021eff5af3d7c0
SSDEEP

12288:+demUOhFb8yUEbU1X8uclpixBspAOUdk/I+QRoP5O:zmUOhZ8ys1sucvSMUdYl4

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c94-12.dat	family_ardamax

Downloads MZ/PE file 2 IoCs

flow	pid	Process
36	4632	Process not Found
57	3380	Process not Found

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation	YCQL.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	YCQL.exe
1000	أونو.exe

Loads dropped DLL 6 IoCs

pid	Process
5076	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
2328	YCQL.exe
1000	أونو.exe
2328	YCQL.exe
2328	YCQL.exe
4268	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YCQL Agent = "C:\\Windows\\SysWOW64\\Sys32\\YCQL.exe"	YCQL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\YCQL.001	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
File created	C:\Windows\SysWOW64\Sys32\YCQL.006	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
File created	C:\Windows\SysWOW64\Sys32\YCQL.007	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
File created	C:\Windows\SysWOW64\Sys32\YCQL.exe	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	YCQL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4268	2328	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YCQL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	أونو.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
640	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2328	YCQL.exe
Token: SeIncBasePriorityPrivilege	2328	YCQL.exe
Token: SeIncBasePriorityPrivilege	2328	YCQL.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2328	YCQL.exe
2328	YCQL.exe
2328	YCQL.exe
2328	YCQL.exe
2328	YCQL.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2328	5076	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe	88
PID 5076 wrote to memory of 2328	5076	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe	88
PID 5076 wrote to memory of 2328	5076	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe	88
PID 5076 wrote to memory of 1000	5076	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe	89
PID 5076 wrote to memory of 1000	5076	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe	89
PID 5076 wrote to memory of 1000	5076	JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe	89
PID 2328 wrote to memory of 4556	2328	YCQL.exe	108
PID 2328 wrote to memory of 4556	2328	YCQL.exe	108
PID 2328 wrote to memory of 4556	2328	YCQL.exe	108

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fc55485263d7bdc6e4a3adf3b83bde6d.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\Sys32\YCQL.exe
  "C:\Windows\system32\Sys32\YCQL.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1112
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\YCQL.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556
- C:\Users\Admin\AppData\Local\Temp\أونو.exe
  "C:\Users\Admin\AppData\Local\Temp\أونو.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1000

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEJBNkExOTYtNDMxMS00Nzc0LTk5NjMtMUM3MTVBM0JDMkUwfSIgdXNlcmlkPSJ7MjlCNTUyRDUtRjczMy00NkYzLUJCMDktNEFDOTU5NDhDNjNCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjE2QzcxQjEtNEJDMi00RDJBLTlDMDctQkU3RTg5RjYxRjlEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTczODA2OTg5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2328 -ip 2328
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@D551.tmp

Filesize
3KB

MD5
14c3321783fac66161b308d34c5b0eac

SHA1
021b4f77e27d6e0b032158936a752e27cdde09fa

SHA256
09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21

SHA512
9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\أونو.exe

Filesize
512KB

MD5
0a4a56d661007346254a2afc51c86d99

SHA1
97763c9f04b05c7570009cab22b7ccb4c2beae8e

SHA256
5e02a65f94fadb6fbfcbe43e7365696c335427c9c34b95bc430580f4a79fc4d2

SHA512
410b0cda301287fc7ac8f9cb18c3823be9cd6623d88cd4db8740038d26eb51287d1c2c0fab1693d842ccddc0ba85c1da68811dfd61d24684bb149ca9958f3a0a

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
389KB

MD5
53a578b112aeb18c5993556d4440ade1

SHA1
e51f2fcc784def3cc5ff594edfee5e25f1e9818c

SHA256
9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156

SHA512
31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

Download Submit
C:\Windows\SysWOW64\Sys32\YCQL.001

Filesize
408B

MD5
cee15b648ad0b29c965d814a0e9757ff

SHA1
245699f21924b149c94c7396c08bb1afca07475c

SHA256
437846b310638425d5759b84849675ee1cfc9f470b3694a2135dc5f042d06bc2

SHA512
0df2182915d1bdcc3f28a25586c8aa59b1b93b3a77e63debc999811a8dcc8efd6083b7bf1f62a10ddf3f8601807946248d890bc903c797c2865c77cbef32cbbf

Download Submit
C:\Windows\SysWOW64\Sys32\YCQL.006

Filesize
7KB

MD5
504f5a7e8447c65bc2218bb3d47c309b

SHA1
5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44

SHA256
81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f

SHA512
b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

Download Submit
C:\Windows\SysWOW64\Sys32\YCQL.007

Filesize
5KB

MD5
22e9e9b13c2c676bec39178311d55253

SHA1
da60379e518feeb798005065dcf626a74afe1848

SHA256
3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14

SHA512
1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

Download Submit
C:\Windows\SysWOW64\Sys32\YCQL.exe

Filesize
475KB

MD5
9c3ff825312190802dc56c7b0d0ccebd

SHA1
58e200c00382b3d13c81c9e829da065ed45f5928

SHA256
e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4

SHA512
513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

Download Submit
memory/2328-31-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2328-36-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads