ardamax | 9aa1c3a579ea5def789c293a1c189c4948ca6a4baa72e96c9210d18af42859a4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Size

810KB
MD5

98b15443e550dae15aa0b62e7a0f33ea
SHA1

c611fb4003decf8a9269ba36f81ad9703e827f0e
SHA256

9aa1c3a579ea5def789c293a1c189c4948ca6a4baa72e96c9210d18af42859a4
SHA512

785964fd34814cd39cf926fee10d1004aa4b40df18bd0e4b886062d9a038fcce4e4b731cf2e26fb323dd033eb97267e80361f001df1e07a054f59a4fa64278db
SSDEEP

12288:PXYYzjmQ6JNyyojwHY2P66OhQykpMweH+BbFge0Yt2WDGenamsKbELfvld/9QE14:pipqwEhkpbhbFge0XG9nHsKbELfR9LML

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d54-621.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1520	Install.exe
1376	YKQM.exe
2928	cmd.exe

Loads dropped DLL 11 IoCs

pid	Process
2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
1520	Install.exe
1520	Install.exe
1520	Install.exe
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YKQM Agent = "C:\\Windows\\SysWOW64\\28463\\YKQM.exe"	YKQM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\YKQM.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	YKQM.exe
File created	C:\Windows\SysWOW64\28463\YKQM.001	Install.exe
File created	C:\Windows\SysWOW64\28463\YKQM.006	Install.exe
File created	C:\Windows\SysWOW64\28463\YKQM.007	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YKQM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Token: 33	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Token: 33	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
Token: 33	1520	Install.exe
Token: SeIncBasePriorityPrivilege	1520	Install.exe
Token: 33	1376	YKQM.exe
Token: SeIncBasePriorityPrivilege	1376	YKQM.exe
Token: SeIncBasePriorityPrivilege	1376	YKQM.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe
1376	YKQM.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1520	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1520	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1520	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1520	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1520	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1520	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1520	2244	98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe	30
PID 1520 wrote to memory of 1376	1520	Install.exe	31
PID 1520 wrote to memory of 1376	1520	Install.exe	31
PID 1520 wrote to memory of 1376	1520	Install.exe	31
PID 1520 wrote to memory of 1376	1520	Install.exe	31
PID 1520 wrote to memory of 1376	1520	Install.exe	31
PID 1520 wrote to memory of 1376	1520	Install.exe	31
PID 1520 wrote to memory of 1376	1520	Install.exe	31
PID 1376 wrote to memory of 2928	1376	YKQM.exe	33
PID 1376 wrote to memory of 2928	1376	YKQM.exe	33
PID 1376 wrote to memory of 2928	1376	YKQM.exe	33
PID 1376 wrote to memory of 2928	1376	YKQM.exe	33
PID 1376 wrote to memory of 2928	1376	YKQM.exe	33
PID 1376 wrote to memory of 2928	1376	YKQM.exe	33
PID 1376 wrote to memory of 2928	1376	YKQM.exe	33

C:\Users\Admin\AppData\Local\Temp\98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98b15443e550dae15aa0b62e7a0f33ea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\wrar420\2012.09.27T08.16\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\wrar420\2012.09.27T08.16\Native\STUBEXE\@SYSTEM@\28463\YKQM.exe
    "C:\Windows\system32\28463\YKQM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\wrar420\2012.09.27T08.16\Native\STUBEXE\@SYSTEM@\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\YKQM.exe > nul
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\YKQM.001

Filesize
416B

MD5
51a32aca32c80f367853a5b820a4b9a8

SHA1
87ae46a15e775c872237297c66b3bbcf0700320e

SHA256
3a4945b8492144af1656039bf0c44f85fbba4319ad4ae3febbf3379945a4f2f8

SHA512
83f2b6a3fa10b86ba789d2a18732b0c348a0041ad276b682b0b848fdf069f83270d620b0a41389e1e016857f71e0bde15180a9856073649ff85faed49af52f0e

Download Submit
C:\Windows\SysWOW64\28463\YKQM.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
\Users\Admin\AppData\Local\Temp\@731D.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\wrar420\2012.09.27T08.16\Native\STUBEXE\@SYSTEM@\28463\YKQM.exe

Filesize
17KB

MD5
bd1a7e7752d57865328f7586e873cfce

SHA1
8759c72e07ebc46fa1989c0d92083baaba8852f9

SHA256
53227a39a4f4e313117dc9f995f39ab1e7588be410a8365e8eff2d618d13091d

SHA512
1c37109301c962cd23e3d190adcb47e89743095fa64e8edd9e8b82c81239a85d6b9eefbb5d457fddcc388ec0bae9867d881adb8946a9acd930fc3f9bee77014a

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\wrar420\2012.09.27T08.16\Native\STUBEXE\@SYSTEM@\cmd.exe

Filesize
17KB

MD5
a6bb1229030921e98aade90362b8e36b

SHA1
7944ee4dc63d7e1b9be245c2d6f1877c27747788

SHA256
8f2342ddb9d971ae938690ca621e25a74cf82eeb1a6c05eef3159e3092f3d2b0

SHA512
3dc54461117cbb9f2735559a1d823cd72b769956829bccd8e824c9035a84735213b2e68a4269f1604cc4f5f4e59520a9db9be289ffd69fd1b96b916fe7c6dcda

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\wrar420\2012.09.27T08.16\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe

Filesize
17KB

MD5
06e746bbd24495581a5cca7436fca56b

SHA1
66629b8c87f6eedcccf5f6376c08128950efa824

SHA256
0f18c4d5eac6035a96b8d39ee9044c02de760075712d418b4355bc0aa4894b3d

SHA512
d73ffa655b334c33e60e1b103cf310b9879e1c52143e375f9a121c6ec61adbb47f4c0dcc9f7991076188ee90920a9cc099d3fde32df71a8ffe6d7992439963da

Download Submit
\Windows\SysWOW64\28463\YKQM.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
\Windows\SysWOW64\28463\YKQM.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
memory/2244-39-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-47-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-34-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-30-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-28-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-26-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-22-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-20-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-18-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-16-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-14-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-12-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-10-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-8-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-6-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-4-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-57-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-41-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-203-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-281-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-42-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/2244-43-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-45-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-36-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-67-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-273-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-258-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-246-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-221-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-220-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-207-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-206-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/2244-65-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-63-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-61-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-59-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-55-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-53-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-51-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-49-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-24-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-2-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-1-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-0-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/2244-948-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads