ardamax | c0a8b6643f150f9880906e506d3d3285fa05b4b4f1d50c0fc3aec91d6f713022

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe
Size

910KB
MD5

056ec67070913a1cef384248b4ad205d
SHA1

a5bfaa100e418d01ce4bcb5c304f4b6446a20edd
SHA256

c0a8b6643f150f9880906e506d3d3285fa05b4b4f1d50c0fc3aec91d6f713022
SHA512

23455b2f0e8f0d026e2abf8ed9898d2103be7f97da246838c193962e95d10a607ab8955124eb35d5f3981e554c70b53f61a8787f3a541a9081bb9f6f2637d692
SSDEEP

24576:+7s2mwpbYY3/E9lQlUkhRVWh8SWqP3Uv3uPT:+7bpbYqM9S+IA8E31r

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c0a-21.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
4540	HelpMe.exe
4152	EHMM.exe

Loads dropped DLL 4 IoCs

pid	Process
4540	HelpMe.exe
4152	EHMM.exe
4152	EHMM.exe
4152	EHMM.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EHMM Agent = "C:\\Windows\\SysWOW64\\28463\\EHMM.exe"	EHMM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\EHMM.007	HelpMe.exe
File created	C:\Windows\SysWOW64\28463\EHMM.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\28463\key.bin	HelpMe.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\28463	EHMM.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe
File created	C:\Windows\SysWOW64\28463\EHMM.001	HelpMe.exe
File created	C:\Windows\SysWOW64\28463\EHMM.006	HelpMe.exe
File created	C:\Windows\SysWOW64\28463\EHMM.009	EHMM.exe
File opened for modification	C:\Windows\SysWOW64\28463\EHMM.009	EHMM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHMM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\ = "Amefoz.Kasocnej Class"	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\ProgID	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\ProgID\	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\netprofm.dll"	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\TypeLib	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\InprocServer32\	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\InprocServer32	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\netprofm.dll"	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\HELPDIR	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\HELPDIR\	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\VersionIndependentProgID	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\InprocServer32\ = "%SystemRoot%\\SysWow64\\sppcomapi.dll"	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\ProgID\ = "SppComApi.TokenActivation.1"	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\FLAGS\ = "0"	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\"	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\VersionIndependentProgID\ = "SppComApi.TokenActivation"	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0\win32\	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\FLAGS	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\TypeLib\	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\ = "Network List Manager 1.0 Type Library"	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0\win32	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0\win64	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\TypeLib\ = "{0FF6FC9E-B017-22C8-F918-8F49F708D960}"	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}\VersionIndependentProgID\	EHMM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DB7F78F-CB3A-44C3-3883-113D66A11D0B}	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0\	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\0\win64\	EHMM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FF6FC9E-B017-22C8-F918-8F49F708D960}\1.0\FLAGS\	EHMM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4152	EHMM.exe
Token: SeIncBasePriorityPrivilege	4152	EHMM.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4008	JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe
4152	EHMM.exe
4152	EHMM.exe
4152	EHMM.exe
4152	EHMM.exe
4152	EHMM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4540	4008	JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe	83
PID 4008 wrote to memory of 4540	4008	JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe	83
PID 4008 wrote to memory of 4540	4008	JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe	83
PID 4540 wrote to memory of 4152	4540	HelpMe.exe	84
PID 4540 wrote to memory of 4152	4540	HelpMe.exe	84
PID 4540 wrote to memory of 4152	4540	HelpMe.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_056ec67070913a1cef384248b4ad205d.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\28463\EHMM.exe
    "C:\Windows\system32\28463\EHMM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8B48.tmp

Filesize
4KB

MD5
d5456446c39c8c55dbd2b96fc3db832c

SHA1
29170d2a36967d7221f4be4880b91a7ac39694fa

SHA256
954225a0073664a8630c6397073d2a95ddc05fc42c6df67fa9c93cd88a3c250d

SHA512
73e2e6a7486f9888086821a80f43dedafb36411327b1fa939b7cf10d79d0edbe3b6e8ffc8653dbf7bd91d9f1891cb0a138966b72435008f551610da7906eb508

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
32d387217d894806faf6f8ef1b19edc1

SHA1
56a7c7d087886dc6ff4fc6e6afcb1f16a3f7441e

SHA256
623f80699931ff51a65c868c8c0b4a7ca0f5e7294aa65e5fc7b8006d144237fa

SHA512
8688f01c370b5ea6b7a3a8f810a204dbbeadf4240f900f7844d8f862bfd2115fa3a34999df36ed83bd6958bb8383a5e70f999c984ebe9b86cdb6d4bd81a08197

Download Submit
C:\Windows\SysWOW64\28463\EHMM.001

Filesize
378B

MD5
6e55fdd492efac0dae9babfbeeacbc9c

SHA1
5544c3fe4b3435ead0af4e31127213f6413e3a7d

SHA256
97aef09d18387edf915a6f3dad1510c1e8a2fce86deb01ef9706df89bb1d3c23

SHA512
9d0061622a94221e1cedca80803fac4fbec1fed6140d383a61ee9d1a08dff54e29934e135f4cd5a32c0df4f7907b04b3ddcaa7600607e3d5889738bc08198d3b

Download Submit
C:\Windows\SysWOW64\28463\EHMM.006

Filesize
8KB

MD5
ba8459868e395dec4cc2885877f2b8f2

SHA1
11fd7512269764e97fa5a255d2b48b4a38f9c556

SHA256
29e51eb35517943254213cb110d750a39de8767d7b5e2e87e53c88ef360a5e25

SHA512
6052a789cba2ad980a45d3cdf2e6da8ada4ead32599610c3c03325f2c986e77561eb6507ef3c84085f93c8149cb126fde06aba916dede73868a799491f16a009

Download Submit
C:\Windows\SysWOW64\28463\EHMM.007

Filesize
5KB

MD5
64b9577b7fc43cb891865e5a06a2589d

SHA1
3ce4d64477d31bcbac456e711f0263672f4d1fd9

SHA256
52949d0ae8c840a41254afa02155cf9b6647ac9df13d6a20cbcab787c42ae01f

SHA512
1f16f81674d2e6688243280dbabd50ad958061558e71e9d5425011ab943b4073b01e4181abfcb7c5051d7ef0419900acfb14652f4c3ada564e45178b02c4e4f0

Download Submit
C:\Windows\SysWOW64\28463\EHMM.009

Filesize
1.5MB

MD5
34b73606f79642b002aa02c0a82bffd8

SHA1
58e345cd7a323e156bbae0502c3e0a06f310e7a5

SHA256
2cfd712ba176e91422af0579b2f6f95143b4c1c83dd5a578781829f959a2809b

SHA512
3dd9213d7c42b8905d03ab88e554dffc9f3c53a1b7c1d116120f4bffb6a43c58842b39be978c737cb74a049713dce8848712c8fdf190df2da50c18c019bc8879

Download Submit
C:\Windows\SysWOW64\28463\EHMM.exe

Filesize
648KB

MD5
4c5175d7b877a344e2b864dbd1d8a0ab

SHA1
6d8691610ee3d98293eb9b23db7ad8571267e535

SHA256
53660357b82c4db447ae1dc50d23d986235616eae3cfffe95550af8499e601da

SHA512
54712d8291d52a315ab3b1fb1802f5e9fe31eaafe4bbaee0071ab6ab7bc85fcf825b4213ce040a31792954e227626dd3fc3c0e8510696e53875a0e80ccf50555

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
786KB

MD5
eab6c4cfb81147c07d07ea5575ad6d69

SHA1
ba8973e450a6cc4400adc4f62eaaf16c918244f8

SHA256
9af810441a451b48f8faef643e2af7c81770c7487154a0dae64942c5e195892c

SHA512
67472d12ad67db87b31b3119138f2e5c42bcf89ac58758a2d2425b9a02181a473dc9b0c11d605e23128435d0d046f2bb9f07c9742bab043609f6446f73882bfe

Download Submit
memory/4152-41-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4152-45-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4152-38-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4152-37-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4152-36-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4152-35-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4152-40-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4152-33-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4152-32-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4152-47-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/4152-46-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/4152-39-0x0000000003350000-0x0000000003353000-memory.dmp

Filesize
12KB

Download
memory/4152-44-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4152-42-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/4152-43-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4152-34-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4152-30-0x0000000000B20000-0x0000000000B7A000-memory.dmp

Filesize
360KB

Download
memory/4152-55-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4152-56-0x0000000000B20000-0x0000000000B7A000-memory.dmp

Filesize
360KB

Download
memory/4152-59-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4152-60-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4152-29-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4152-70-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads