ardamax | d708e5a11c9e3c5c1ea23ef1780ef37c00d3847061b96b4d26f23fd6a759fef3

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
Size

594KB
MD5

12a484964fbb0b47b3ee2bfc4e44b28c
SHA1

4e8aee2095b9ab8035fa1d10bbfddc166f862d87
SHA256

d708e5a11c9e3c5c1ea23ef1780ef37c00d3847061b96b4d26f23fd6a759fef3
SHA512

d11c43b6bce8bbc0e48da15f54145140911fc18783b20c0a5e5b4c23b6a75ed9d89148e61a9158ced57e250bd31c1d151ddfc8bbb5fa80d07d88e0d087080894
SSDEEP

12288:S3ri8WMK2omtW9ppL7lPip3x54YpjpkKQ5smmqyh509F0:ori8v+LF454Ylp5MsBhiW

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000018fc2-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1908	HFCF.exe
2864	AutoBuff..exe

Loads dropped DLL 8 IoCs

pid	Process
1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
1908	HFCF.exe
1908	HFCF.exe
2864	AutoBuff..exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HFCF Agent = "C:\\Windows\\SysWOW64\\Sys\\HFCF.exe"	HFCF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\HFCF.001	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HFCF.006	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HFCF.007	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\HFCF.exe	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Sys	HFCF.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000018fc7-28.dat	upx
behavioral1/memory/1656-33-0x0000000002640000-0x0000000002697000-memory.dmp	upx
behavioral1/memory/2864-38-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-41-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-42-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-43-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-44-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-45-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-46-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-47-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-48-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-49-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-50-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-51-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-52-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-53-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-54-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2864-55-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HFCF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoBuff..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1908	HFCF.exe
Token: SeIncBasePriorityPrivilege	1908	HFCF.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe
2864	AutoBuff..exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1908	HFCF.exe
1908	HFCF.exe
1908	HFCF.exe
1908	HFCF.exe
1908	HFCF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1908	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	29
PID 1656 wrote to memory of 1908	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	29
PID 1656 wrote to memory of 1908	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	29
PID 1656 wrote to memory of 1908	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	29
PID 1656 wrote to memory of 2864	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2864	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2864	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2864	1656	12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12a484964fbb0b47b3ee2bfc4e44b28c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\Sys\HFCF.exe
  "C:\Windows\system32\Sys\HFCF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1908
- C:\Users\Admin\AppData\Local\Temp\AutoBuff..exe
  "C:\Users\Admin\AppData\Local\Temp\AutoBuff..exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoBuff..exe

Filesize
119KB

MD5
fdd54f0ee40e24605295c4f8b841aa07

SHA1
0c99fd27473702ab1388e468827d5c12f85d4785

SHA256
279e8f379f9da000b896e7ac74d77befc350578a7b0a417f5269cbbc815676a9

SHA512
3e15a32fcfb23f761d1d3b348b0971aa62d7a0f5aa1db9c3899643a0e09b6d5ac62058ff398bde5fa84f5d9ce98cd4e2385f69ce0a9205f572d0f60f5452fec5

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
390KB

MD5
5255e3bd1037d42bbba2365412623a3b

SHA1
b473061ee152172ba5e33cae18f55774467a070f

SHA256
8e7e780b484bf5a5edce3dbdee2374ace11214b122560146b5859d8359c93655

SHA512
86af1d593b480622dcb4835d5f10045452eb20a01a04eba13734fd5bfec2515321072747c8fd4c95714022058e891f7cd55efee00b95d7e51c845aaabf4a793e

Download Submit
C:\Windows\SysWOW64\Sys\HFCF.001

Filesize
512B

MD5
78221020d6465c519ec6ed86fac483aa

SHA1
9eafce3c1e64a9f1f708a6e75f54d3c8a1371fff

SHA256
3dad5b6b09de7ac35169b667fa6ba2350a6e3c82ed3f164f5570c0afc8115d3c

SHA512
3f126f89c4fd0a02950bbe2277d3e4feac2d9fac709ce05a6b70bcbf3a862bdca2861c22923032de4dd3e8cdb5dfcdd8aeaa05a5c6d62566c11d1af00f565f44

Download Submit
\Users\Admin\AppData\Local\Temp\@78F.tmp

Filesize
4KB

MD5
730e7e458c7770fd80947b6ce9f7109a

SHA1
ef07be19ec55590ffce101951d12e7c6c5b7aaca

SHA256
70033d7c8520fb53a247b355559c3a156e22719e52cf55102edbbcfabc5ad096

SHA512
12f141144761e880af6567048036c7c482e6306158454f4c3a7821c1a5f5526771e3c473ddcc9cbe0860d4e61a5d5f092a59567222d0a995cdd1aeda5667a596

Download Submit
\Windows\SysWOW64\Sys\HFCF.006

Filesize
7KB

MD5
385d77949ecf6cfdb4f3d15bf29dfbe4

SHA1
09bd106320e68a5a14aeb2a34e4f0a6a627c0d36

SHA256
39659a7497354c9329be266683ae28be650b7639bca1def42af5d351e265762c

SHA512
b9baea0afb78944080598fc11c5f6c76b3adde37838f4fe3c9371fb9508fea03b7ec6775e9fdc65f39a94103cb061970ea8c51ded113701eede00d4a2fda0db9

Download Submit
\Windows\SysWOW64\Sys\HFCF.007

Filesize
5KB

MD5
f50daad1c62b3af9daceddc982d3a28c

SHA1
8519625cc16fac60381ea27b3339e62cef15c629

SHA256
246af3478a40b10bb54bbfb2aab8fb9965e702836f049dd9db714da8873b42d5

SHA512
8451a35d6a037f0224f292baf151e1c367df394bdca0c7c4c90f43c6b275f1f8173af1bf1791005398ca36678b76df3e8e49f51438f9deec86a529a9c81925fc

Download Submit
\Windows\SysWOW64\Sys\HFCF.exe

Filesize
476KB

MD5
b22ecd38fb2828478a5ff60e7a255e16

SHA1
078d9e7d975a2769e8c2ad40279e265eff89b033

SHA256
c2280b3b99486452228dd51dbd61db2afeb98d3cc5e8e48c5fb314c5af1a913a

SHA512
336de2a0a9975a254dad2e87b3c5388e6fd5560fd5d47d0f4f882f216a4e23dc3d8cb894161587d6a1d0d8845fce92589afc41a6db7947de81ffd023764762cd

Download Submit
memory/1656-33-0x0000000002640000-0x0000000002697000-memory.dmp

Filesize
348KB

Download
memory/1656-37-0x0000000002640000-0x0000000002697000-memory.dmp

Filesize
348KB

Download
memory/1908-39-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2864-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-43-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-44-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-46-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-41-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-48-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-50-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-51-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-52-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-54-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2864-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads