ardamax | bfcd1ac18fa3f8a3cbc5a3a320d4dc81514fb667be3e852168b747bc6e7b9d62

General

Target

JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe
Size

1.5MB
MD5

7affbcacfb691cae522eaab8a38819ec
SHA1

ac3f3836ecacf87f8461aa0af8298aa9cf8d0f7b
SHA256

bfcd1ac18fa3f8a3cbc5a3a320d4dc81514fb667be3e852168b747bc6e7b9d62
SHA512

62d6f0112e5a8c7eda6ca4ad4b108a266b8ea01500348ef1327690323d7da8a50e0d695dd9306afed0ff45459d096ef341c33a48276df7ef3c71528aa124bb93
SSDEEP

24576:7ZdEBjdXhuO8EsX/awcwgHfYgdi9jzkrJlfoROcs+xWfgwosiUlZsHU+rzjxXfy1:78BZXhNtsiw0/YgI9jQJlAkcstTiUczg

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016c36-35.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2200	vbc.exe
2676	QLP.exe

Loads dropped DLL 5 IoCs

pid	Process
2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe
2200	vbc.exe
2676	QLP.exe
2676	QLP.exe
2676	QLP.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QLP Start = "C:\\Windows\\RQFWCN\\QLP.exe"	QLP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\RQFWCN\QLP.004	vbc.exe
File created	C:\Windows\RQFWCN\QLP.001	vbc.exe
File created	C:\Windows\RQFWCN\QLP.002	vbc.exe
File created	C:\Windows\RQFWCN\QLP.exe	vbc.exe
File opened for modification	C:\Windows\RQFWCN\	QLP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QLP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	QLP.exe
2676	QLP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2676	QLP.exe
Token: SeIncBasePriorityPrivilege	2676	QLP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2676	QLP.exe
2676	QLP.exe
2676	QLP.exe
2676	QLP.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2988 wrote to memory of 2200	2988	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	31
PID 2200 wrote to memory of 2676	2200	vbc.exe	32
PID 2200 wrote to memory of 2676	2200	vbc.exe	32
PID 2200 wrote to memory of 2676	2200	vbc.exe	32
PID 2200 wrote to memory of 2676	2200	vbc.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\RQFWCN\QLP.exe
    "C:\Windows\RQFWCN\QLP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RQFWCN\QLP.001

Filesize
61KB

MD5
da40e93ad90ab590fe53693447794639

SHA1
ecf59a5ecbd382191169eda65f86ea331dd08547

SHA256
b82f906b6429aa5c3df2dd7d2b61f33912c8db41ff783d35731050a024bc6420

SHA512
87dbcbd1825ea71c78583680650236e8a8f8d4f718cf85f1542ed51fb1caaa4ff059ff0f201125564bcd80fa9d20c1d9ccd11e37133c7fef5ad30b27996f44e6

Download Submit
C:\Windows\RQFWCN\QLP.002

Filesize
44KB

MD5
377ce908ebaea0de394f2e850ca6a26a

SHA1
d54276a5deeab532d5e5e3602e08d608e95c0707

SHA256
dd81ace139ab0d6ca157775a5479fe6b94dc58de3a9bf81d39225967697cbcef

SHA512
fda6bd43017754e7fa23037591073a52bdecac8629b5b2fe0eb924fd958dd450074b742ee94879430e0d4155efa9fc0a080b6dd035cf726cce3cb575ac6eb35f

Download Submit
C:\Windows\RQFWCN\QLP.004

Filesize
1KB

MD5
47b1834e5d3fcda4d933b06f59cc59c0

SHA1
2e04e137fc08d9ffe7eb21882071617a20d20deb

SHA256
e43f59425281b271c541ef4590fb2adeb0bc5d7894a92a1878376eee4eac7cdb

SHA512
43ccf11ce67053853e65765ab07e1d410d7bdf7e3ff91b8c48beb84574ac708371c0a5248b048e20f14456c5b8c07f6b19e387ad073f72327bfb1285737ddad5

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\RQFWCN\QLP.exe

Filesize
1.7MB

MD5
913606bf5ce3b52911d6645f99b066da

SHA1
1a651dbc73e39f9f8ff4b8979b463e9b2c480f60

SHA256
082036e132e0317a4dfa2add3e76ec42a82c6c64623d4cffc92314f3511bdc4d

SHA512
d136e882a1a87eac4706b4aea82a10584d7570116e6b025f6ee419d13eb2760dde2f54a10fa1ac149be62441f75f171ba0dc8503c00d404877ff9d433212604a

Download Submit
memory/2200-22-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2200-40-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-32-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-9-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-15-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-11-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-13-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-17-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-27-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-20-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2200-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-46-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2676-51-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2988-1-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-2-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-0-0x00000000745C1000-0x00000000745C2000-memory.dmp

Filesize
4KB

Download
memory/2988-33-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads