ardamax | bfcd1ac18fa3f8a3cbc5a3a320d4dc81514fb667be3e852168b747bc6e7b9d62

General

Target

JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe
Size

1.5MB
MD5

7affbcacfb691cae522eaab8a38819ec
SHA1

ac3f3836ecacf87f8461aa0af8298aa9cf8d0f7b
SHA256

bfcd1ac18fa3f8a3cbc5a3a320d4dc81514fb667be3e852168b747bc6e7b9d62
SHA512

62d6f0112e5a8c7eda6ca4ad4b108a266b8ea01500348ef1327690323d7da8a50e0d695dd9306afed0ff45459d096ef341c33a48276df7ef3c71528aa124bb93
SSDEEP

24576:7ZdEBjdXhuO8EsX/awcwgHfYgdi9jzkrJlfoROcs+xWfgwosiUlZsHU+rzjxXfy1:78BZXhNtsiw0/YgI9jQJlAkcstTiUczg

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002430a-19.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
4120	vbc.exe
5972	QLP.exe

Loads dropped DLL 1 IoCs

pid	Process
5972	QLP.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QLP Start = "C:\\Windows\\RQFWCN\\QLP.exe"	QLP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 448 set thread context of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\RQFWCN\QLP.004	vbc.exe
File created	C:\Windows\RQFWCN\QLP.001	vbc.exe
File created	C:\Windows\RQFWCN\QLP.002	vbc.exe
File created	C:\Windows\RQFWCN\QLP.exe	vbc.exe
File opened for modification	C:\Windows\RQFWCN\	QLP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QLP.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5972	QLP.exe
5972	QLP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5972	QLP.exe
Token: SeIncBasePriorityPrivilege	5972	QLP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5972	QLP.exe
5972	QLP.exe
5972	QLP.exe
5972	QLP.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 448 wrote to memory of 4120	448	JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe	88
PID 4120 wrote to memory of 5972	4120	vbc.exe	89
PID 4120 wrote to memory of 5972	4120	vbc.exe	89
PID 4120 wrote to memory of 5972	4120	vbc.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7affbcacfb691cae522eaab8a38819ec.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\RQFWCN\QLP.exe
    "C:\Windows\RQFWCN\QLP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\RQFWCN\QLP.001

Filesize
61KB

MD5
da40e93ad90ab590fe53693447794639

SHA1
ecf59a5ecbd382191169eda65f86ea331dd08547

SHA256
b82f906b6429aa5c3df2dd7d2b61f33912c8db41ff783d35731050a024bc6420

SHA512
87dbcbd1825ea71c78583680650236e8a8f8d4f718cf85f1542ed51fb1caaa4ff059ff0f201125564bcd80fa9d20c1d9ccd11e37133c7fef5ad30b27996f44e6

Download Submit
C:\Windows\RQFWCN\QLP.002

Filesize
44KB

MD5
377ce908ebaea0de394f2e850ca6a26a

SHA1
d54276a5deeab532d5e5e3602e08d608e95c0707

SHA256
dd81ace139ab0d6ca157775a5479fe6b94dc58de3a9bf81d39225967697cbcef

SHA512
fda6bd43017754e7fa23037591073a52bdecac8629b5b2fe0eb924fd958dd450074b742ee94879430e0d4155efa9fc0a080b6dd035cf726cce3cb575ac6eb35f

Download Submit
C:\Windows\RQFWCN\QLP.004

Filesize
1KB

MD5
47b1834e5d3fcda4d933b06f59cc59c0

SHA1
2e04e137fc08d9ffe7eb21882071617a20d20deb

SHA256
e43f59425281b271c541ef4590fb2adeb0bc5d7894a92a1878376eee4eac7cdb

SHA512
43ccf11ce67053853e65765ab07e1d410d7bdf7e3ff91b8c48beb84574ac708371c0a5248b048e20f14456c5b8c07f6b19e387ad073f72327bfb1285737ddad5

Download Submit
C:\Windows\RQFWCN\QLP.exe

Filesize
1.7MB

MD5
913606bf5ce3b52911d6645f99b066da

SHA1
1a651dbc73e39f9f8ff4b8979b463e9b2c480f60

SHA256
082036e132e0317a4dfa2add3e76ec42a82c6c64623d4cffc92314f3511bdc4d

SHA512
d136e882a1a87eac4706b4aea82a10584d7570116e6b025f6ee419d13eb2760dde2f54a10fa1ac149be62441f75f171ba0dc8503c00d404877ff9d433212604a

Download Submit
memory/448-15-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/448-0-0x0000000074792000-0x0000000074793000-memory.dmp

Filesize
4KB

Download
memory/448-2-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/448-1-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/4120-13-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4120-5-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4120-8-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4120-23-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4120-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/5972-28-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/5972-30-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads