ardamax | 02090a2cef0f19600b683136cec6db05c8d59324faa9aa5dd23c7219355680b1

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
Size

606KB
MD5

6a762deb162375245b6792f8638299b0
SHA1

2e78ea2ad7d541f3db68644a37b1e008cd34b5ef
SHA256

02090a2cef0f19600b683136cec6db05c8d59324faa9aa5dd23c7219355680b1
SHA512

8e753b701d1676a5f4924b555a2f49e8c4910a19b9fb6116109d243c09ce22deb60238a84048519b80fb04e9764f9f3f418533912c0e115aaa807aac8af2532a
SSDEEP

12288:Ol6/KYaGPtaEoStfyOAk3crTvDdfE9t3/RVDtX0hYYSkHFMnp5K:V/JbPsEoaKOAkmb1ELJVDHkHFMe

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001938a-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2268	VECS.exe
2272	Walker's Injector.exe

Loads dropped DLL 7 IoCs

pid	Process
1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
2268	VECS.exe
1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
2268	VECS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VECS Agent = "C:\\Windows\\SysWOW64\\28463\\VECS.exe"	VECS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\VECS.exe	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File created	C:\Windows\SysWOW64\28463\VECS.003	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File created	C:\Windows\SysWOW64\28463\Jan_03_2025__05_20_56.jpg	VECS.exe
File created	C:\Windows\SysWOW64\28463\VECS.007	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File created	C:\Windows\SysWOW64\28463\VECS.009	VECS.exe
File created	C:\Windows\SysWOW64\28463\Jan_03_2025__05_21_56.jpg	VECS.exe
File created	C:\Windows\SysWOW64\28463\VECS.001	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File created	C:\Windows\SysWOW64\28463\VECS.chm	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File opened for modification	C:\Windows\SysWOW64\28463	VECS.exe
File created	C:\Windows\SysWOW64\28463\VECS.006	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File created	C:\Windows\SysWOW64\28463\VECS.004	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
File opened for modification	C:\Windows\SysWOW64\28463\VECS.009	VECS.exe
File created	C:\Windows\SysWOW64\28463\VECS.009.tmp	VECS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VECS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2268	VECS.exe
Token: SeIncBasePriorityPrivilege	2268	VECS.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2268	VECS.exe
2268	VECS.exe
2268	VECS.exe
2268	VECS.exe
2268	VECS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2268	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	28
PID 1572 wrote to memory of 2268	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	28
PID 1572 wrote to memory of 2268	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	28
PID 1572 wrote to memory of 2268	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	28
PID 1572 wrote to memory of 2272	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	29
PID 1572 wrote to memory of 2272	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	29
PID 1572 wrote to memory of 2272	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	29
PID 1572 wrote to memory of 2272	1572	JaffaCakes118_6a762deb162375245b6792f8638299b0.exe	29

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a762deb162375245b6792f8638299b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a762deb162375245b6792f8638299b0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\28463\VECS.exe
  "C:\Windows\system32\28463\VECS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\Walker's Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Walker's Injector.exe"
  2⤵
  - Executes dropped EXE
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Walker's Injector.exe

Filesize
109KB

MD5
8bb9f65c6a658dc66200c140bc5c6c82

SHA1
29e0f61646d6fe592a01088f81df016ef23c2d64

SHA256
796d3cc236b6e8bebe5612b3fb142d64a4b06700b0f31912a7be57f7f66a6bcc

SHA512
9e241655bb6dd3c7d12d78a3a26a25230f48c57a53d6239642788d89e7cc8b1f950b8405515a6b44e4d1800446fff4ee01db9219e208f1bc644e732c8bd45636

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adbec81b510dcfe49835f95940ef961d

SHA1
77940f6e46fbd5f53de23bd49afe9172470769d0

SHA256
466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

SHA512
ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

Download Submit
C:\Windows\SysWOW64\28463\VECS.001

Filesize
530B

MD5
d4c1824d14c2ae41dbcd4b364ce6e43f

SHA1
3e6cf46decf037d4f97d7e162247a331896ec506

SHA256
e2fe03cc50b68339821ee086c76490a81e3f746f02f598be8202466b78b6de7d

SHA512
dcc4f3fa0d58fc8dd842b45d598137eb75393d3e8a27d3f3d0a3662b681218def12cd405231609d117d9f9f3c2071d9352cb4f559c78a41c7331931da9db926c

Download Submit
C:\Windows\SysWOW64\28463\VECS.004

Filesize
14KB

MD5
88e10dbb9d6579b1274ba1a516d2eb3d

SHA1
e8526d9ec1441d6c5d759312a921e5572b0904c1

SHA256
35ac045ba6dac7ef2e68fd4c284e9409c18168eebf074c6f4f1326a418784e3c

SHA512
f1cf89fe03e6a357b32158177bf67ed2e3ff56ea883aedbd8cac82b46a4b848cfc45c53791d77b144a636b2aeb5a10fdfb94249dd199651475c04a7bb8facdf1

Download Submit
C:\Windows\SysWOW64\28463\VECS.009

Filesize
146KB

MD5
dc81ec5a23cc27d4058e15c7f49a5767

SHA1
3355dda605a169c1ee71d000a82ec580b62aa138

SHA256
82bb0f9e1e453fb6e028d039bf903ec822b541d0ad52fc71c4a4b7fe5bb8257c

SHA512
c7a9b5e3c577b93c92f7898877a7c60d9ed5da2e18c519cee0efbd70e883b29da97217e6bb43e85013abf2c2ea1d06a90da04a8562dd347d5e0173a80f50858f

Download Submit
C:\Windows\SysWOW64\28463\VECS.chm

Filesize
33KB

MD5
1f56948052387ea26004f6bccab86076

SHA1
b1502dc7a4b77a5776c8c2bd561380d06ef85c12

SHA256
9339776a2735fd3eca8ac6e3ffd9790eb522d8d1cade9251966e2b028fcd9043

SHA512
ea536597cf10a280f8b5ca06ad3ab65a23a612ffea92cbc0a8bff3fc8baa95dd53c1054a3f4ac1ad394b2d74e83ab7b5d3636024661dc9ab911d3942d75c56c0

Download Submit
\Users\Admin\AppData\Local\Temp\@C793.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
\Windows\SysWOW64\28463\VECS.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
\Windows\SysWOW64\28463\VECS.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
\Windows\SysWOW64\28463\VECS.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/2268-31-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2268-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2272-40-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2272-41-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-42-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2272-44-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads