ardamax | 18d51b0cb9e2bb5bf16f08e8caf9e8499d19d11239350a48325a8340d85dd60c

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
Size

655KB
MD5

8d8d80c3a9d63e91ec24f67c8d6c6b7a
SHA1

823caf0aeee07a2ee519619df24267d5c79fe64e
SHA256

18d51b0cb9e2bb5bf16f08e8caf9e8499d19d11239350a48325a8340d85dd60c
SHA512

a6b467cd8403eee3ee922beff621b9e327d4c29eb78d4f5741a7136a3850c30734749ffd650c213c80c1b58703ce61952d0540c427eb303fe6d7a0918785c7b7
SSDEEP

12288:SsL+/bmnuDBmaIZumD5YBZq6xGJOpqtAnWGgAIb3NEnCztPvnK3STFiY:/LMY6ma25Y+0Gkp0AWG1Imw83OFb

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000017481-17.dat	family_ardamax

Executes dropped EXE 10 IoCs

pid	Process
2572	xecm.exe
2256	xecm.exe
2800	xecm.exe
2244	xecm.exe
2764	xecm.exe
2804	xecm.exe
2236	xecm.exe
2340	xecm.exe
2620	xecm.exe
2600	xecm.exe

Loads dropped DLL 20 IoCs

pid	Process
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\23048\akv.cfg.tmp	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
File created	\??\c:\windows\SysWOW64\23048\akv.cfg	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
File created	\??\c:\windows\SysWOW64\23048\key.bin.tmp	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
File created	\??\c:\windows\SysWOW64\23048\key.bin	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
File created	\??\c:\windows\SysWOW64\23048\test.tmp	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
File created	\??\c:\windows\SysWOW64\23048\test	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
File created	\??\c:\windows\SysWOW64\23048\xecm.exe.tmp	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
File created	\??\c:\windows\SysWOW64\23048\xecm.exe	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2572	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	30
PID 2248 wrote to memory of 2572	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	30
PID 2248 wrote to memory of 2572	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	30
PID 2248 wrote to memory of 2572	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	30
PID 2248 wrote to memory of 2340	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	31
PID 2248 wrote to memory of 2340	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	31
PID 2248 wrote to memory of 2340	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	31
PID 2248 wrote to memory of 2340	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	31
PID 2248 wrote to memory of 2256	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	32
PID 2248 wrote to memory of 2256	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	32
PID 2248 wrote to memory of 2256	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	32
PID 2248 wrote to memory of 2256	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	32
PID 2248 wrote to memory of 2804	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	33
PID 2248 wrote to memory of 2804	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	33
PID 2248 wrote to memory of 2804	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	33
PID 2248 wrote to memory of 2804	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	33
PID 2248 wrote to memory of 2800	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	34
PID 2248 wrote to memory of 2800	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	34
PID 2248 wrote to memory of 2800	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	34
PID 2248 wrote to memory of 2800	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	34
PID 2248 wrote to memory of 2236	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	35
PID 2248 wrote to memory of 2236	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	35
PID 2248 wrote to memory of 2236	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	35
PID 2248 wrote to memory of 2236	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	35
PID 2248 wrote to memory of 2244	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	36
PID 2248 wrote to memory of 2244	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	36
PID 2248 wrote to memory of 2244	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	36
PID 2248 wrote to memory of 2244	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	36
PID 2248 wrote to memory of 2620	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	37
PID 2248 wrote to memory of 2620	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	37
PID 2248 wrote to memory of 2620	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	37
PID 2248 wrote to memory of 2620	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	37
PID 2248 wrote to memory of 2764	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	38
PID 2248 wrote to memory of 2764	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	38
PID 2248 wrote to memory of 2764	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	38
PID 2248 wrote to memory of 2764	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	38
PID 2248 wrote to memory of 2600	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	39
PID 2248 wrote to memory of 2600	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	39
PID 2248 wrote to memory of 2600	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	39
PID 2248 wrote to memory of 2600	2248	JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe	39

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d8d80c3a9d63e91ec24f67c8d6c6b7a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- \??\c:\windows\SysWOW64\23048\xecm.exe
  2⤵
  - Executes dropped EXE
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\23048\xecm.exe

Filesize
635KB

MD5
0da43e121a8d582e6bf615bdb9eb2e91

SHA1
d72ac23cddaf1671490e70653221ea8ea4abc453

SHA256
114f29c0a374b8c9cbc30c123d1797487a69d58c003147e7ed4deeaafeac9fff

SHA512
963d4acc4671149661d729dacd519024786879d67a8116994c2225694dc9e59ab15070334d497b30b5c8e4fcebc9e395a39d2bd0de8ba1b30668da33f2784d87

Download Submit
memory/2248-19-0x0000000001CB0000-0x0000000001D8F000-memory.dmp

Filesize
892KB

Download
memory/2248-95-0x0000000001CB0000-0x0000000001D8F000-memory.dmp

Filesize
892KB

Download
memory/2248-88-0x0000000001CB0000-0x0000000001D8F000-memory.dmp

Filesize
892KB

Download
memory/2248-45-0x0000000001CB0000-0x0000000001D8F000-memory.dmp

Filesize
892KB

Download
memory/2248-59-0x0000000001CB0000-0x0000000001D8F000-memory.dmp

Filesize
892KB

Download
memory/2248-97-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download