ardamax | eace3b6b6ae216917e610afadf783aa921d3c6bfa99703792380a07ec7472349

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
Size

723KB
MD5

0641af48c87c8d6eb9a2cc2cc36f5340
SHA1

90e4e1e22692aca3661962a17e63f27550f6208f
SHA256

eace3b6b6ae216917e610afadf783aa921d3c6bfa99703792380a07ec7472349
SHA512

6904939c69196c97e47fe4945226160edbc354d91460af84bdafe082f64405c27179aa36817c91a8a79cb3ea371db86e27c9304b592f5269cc19034eef67f00d
SSDEEP

12288:z7bHFZlx5GuOIV8nQWCSnwW6dpdV2/ND/OC8GGCtI/BFl/6TQGqbNzseY:jT5Gu7KQW/wvpa1TOCGD/BFlGQGgNz9Y

Score

10^/10

ardamax defense_evasion discovery keylogger stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b88-12.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DMUX.exe

Executes dropped EXE 2 IoCs

pid	Process
3700	DMUX.exe
4720	Cópia de quenta Pinnacle.exe

Loads dropped DLL 5 IoCs

pid	Process
4500	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
3700	DMUX.exe
3700	DMUX.exe
3700	DMUX.exe
4720	Cópia de quenta Pinnacle.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\DMUX.006	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
File created	C:\Windows\SysWOW64\Sys\DMUX.exe	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
File created	C:\Windows\SysWOW64\Sys\DMUX.009	DMUX.exe
File created	C:\Windows\SysWOW64\Sys\DMUX.009.tmp	DMUX.exe
File created	C:\Windows\SysWOW64\Sys\DMUX.001	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
File created	C:\Windows\SysWOW64\Sys\DMUX.007	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
File opened for modification	C:\Windows\SysWOW64\Sys	DMUX.exe
File opened for modification	C:\Windows\SysWOW64\Sys\DMUX.009	DMUX.exe
File created	C:\Windows\SysWOW64\Sys\Jan_21_2025__17_22_30.jpg	DMUX.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b8b-21.dat	upx
behavioral2/memory/4720-33-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral2/memory/4720-40-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DMUX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cópia de quenta Pinnacle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4720	Cópia de quenta Pinnacle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3700	DMUX.exe
Token: SeIncBasePriorityPrivilege	3700	DMUX.exe
Token: SeIncBasePriorityPrivilege	3700	DMUX.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe
4720	Cópia de quenta Pinnacle.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3700	DMUX.exe
3700	DMUX.exe
3700	DMUX.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3700	4500	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe	84
PID 4500 wrote to memory of 3700	4500	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe	84
PID 4500 wrote to memory of 3700	4500	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe	84
PID 4500 wrote to memory of 4720	4500	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe	85
PID 4500 wrote to memory of 4720	4500	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe	85
PID 4500 wrote to memory of 4720	4500	JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe	85
PID 3700 wrote to memory of 1700	3700	DMUX.exe	95
PID 3700 wrote to memory of 1700	3700	DMUX.exe	95
PID 3700 wrote to memory of 1700	3700	DMUX.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0641af48c87c8d6eb9a2cc2cc36f5340.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\Sys\DMUX.exe
  "C:\Windows\system32\Sys\DMUX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys\DMUX.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- C:\Users\Admin\AppData\Local\Temp\Cópia de quenta Pinnacle.exe
  "C:\Users\Admin\AppData\Local\Temp\Cópia de quenta Pinnacle.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@7A50.tmp

Filesize
4KB

MD5
b429300c8148810d2e6a8d40009fc124

SHA1
93ec9660cc0d68cadc6c7f44b35ea0a0ef684ae8

SHA256
98445d51b61014815fc43e44933e5dc126c4fe763545141e78ee1358e487b4b7

SHA512
47a1cfdba6c1e04a322116538a62b22d61cf6b31966e53cfe4e54eb75a58530a7636e3deffcfb7e96ff2bdae2b99c7bcb312685d1ceac2f79c118f6347bf2407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cópia de quenta Pinnacle.exe

Filesize
219KB

MD5
973290c8107622d6a877253a58d5c78b

SHA1
0a010a93aa60cbd914a6a178386d2c3c529e1474

SHA256
0cab30fcc4766aff19e53e299991292febb8313d343b956937ea762210d9ba6f

SHA512
085a7e637588890be44351e8bb1f493713ceedba652c774b9d575c0416378126772116fd7a32d93d0ba72e22231a04559ecf38831811a4d3b05429ccee859251

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
bcf6fab667525797024d0962e41e9b7b

SHA1
86b3d41b65eb4ed85c6610a4bb595df787bb2a6a

SHA256
916385eb000bc6011cac9b11d89fd08ffaaddf7d727f9c9bf0764bbcf905b877

SHA512
7e04832d129e3bacb4d4d83259ec02e1e6f5da4da742dbbf010345ccd90a0547e12fcca68da3cff284687a112f570ca269596512605715b3477ae99933afc82c

Download Submit
C:\Windows\SysWOW64\Sys\DMUX.001

Filesize
3KB

MD5
221018ee82eed2581eb86800d0dfe357

SHA1
7f5080b5743ff8c7f7d4df0be8201cad83989306

SHA256
88031b2fbe98af87422540831d70ab74020b71fc7b12fe9065db6f95987b8536

SHA512
4da62da9d1f3c52e521eb3f3bac4befaf311ef2552ccf6722ddb1edcd0e707406709a8093905f7bb53fcddc8c19f454c576c55fbffc9477a64ecf65ecc3be7b3

Download Submit
C:\Windows\SysWOW64\Sys\DMUX.006

Filesize
5KB

MD5
3a2ef41ad6d9415229e0b76ec6df1baf

SHA1
e72f2c0d664a4d2323872bd1f586ec60bb0a6342

SHA256
b7e321cf9dacead275e600c2b531e96a62c671e0a2d641e141acbefb509adf2b

SHA512
b8d5f62e7da21d4114f8764afb16bc409921935d3440f8e712740a50dd7a01f850cfda31f0a4b41e4f514d6bb64e407a83e8e034e5be65cddde27817c728caeb

Download Submit
C:\Windows\SysWOW64\Sys\DMUX.007

Filesize
4KB

MD5
cb576a1e67ddeb42dc0e23a541cefdb8

SHA1
9684e67a013de4f0f5066856f553674db0f2749c

SHA256
8a9a4e62b646f072f6c1b5415b8461af96db307f59c4d32c9e4f455477ffc221

SHA512
e173475fbf9541daa6790133ceef4b8af414491c0a198e356ba1b1c2fcbdcf7044e8b8ae22d72f39b2b7b888e254fd742b9b09ae3c4e63fa64b5171508247942

Download Submit
C:\Windows\SysWOW64\Sys\DMUX.exe

Filesize
468KB

MD5
4b64ea8b01e25e1af067d11698778ce4

SHA1
20c4d03590cc3ef10e0b3ddbfcdf6fbb41149847

SHA256
08b9f18c1098036ae8830caae054c451c66478490dcd4c653a01abaa937ee7c5

SHA512
5bea198540fa4dd9234017ec3e7a0cf79da4d3bc53cb715a3a6335567c08ff0871b886d6f4dd80e9f4e9df4cac8be392fc7d0e3456c14624583c6cf337ce65d0

Download Submit
memory/3700-34-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3700-41-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4720-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4720-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download