ardamax | 75f22218e16289f3a8079a28532434d795b30dbb43b2a688fae8578221ccd736

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
Size

718KB
MD5

137cc722921829df11208ae82a652cd7
SHA1

06b7cb4353456aa6609c767930636165ac388ec4
SHA256

75f22218e16289f3a8079a28532434d795b30dbb43b2a688fae8578221ccd736
SHA512

bdf93865dda2b25494070a1d886aa9c1b95a68210ed01a4a082ca31bc8d38588e62e6045de58c2d893f086255f5fa237f4e96036f87a0c5c0b390d71ca73ef6e
SSDEEP

12288:1TRWsN4vWGWzJzzsMtTtsY+KqPIwztvOWKpO0Li7vB1iVuqw87R:ShvW/PsMtJyzvtGWKpzLi/rZ8t

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b90-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	system32HBID.exe
3452	Project VDC.exe

Loads dropped DLL 5 IoCs

pid	Process
4816	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
1712	system32HBID.exe
3452	Project VDC.exe
1712	system32HBID.exe
1712	system32HBID.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32HBID Agent = "C:\\Windows\\system32HBID.exe"	system32HBID.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b93-21.dat	upx
behavioral2/memory/3452-27-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/3452-36-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32AKV.exe	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
File created	C:\Windows\system32HBID.001	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
File created	C:\Windows\system32HBID.006	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
File created	C:\Windows\system32HBID.007	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
File created	C:\Windows\system32HBID.exe	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32HBID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Project VDC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe
3452	Project VDC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1712	system32HBID.exe
Token: SeIncBasePriorityPrivilege	1712	system32HBID.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3452	Project VDC.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3452	Project VDC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1712	system32HBID.exe
1712	system32HBID.exe
1712	system32HBID.exe
1712	system32HBID.exe
1712	system32HBID.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1712	4816	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe	82
PID 4816 wrote to memory of 1712	4816	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe	82
PID 4816 wrote to memory of 1712	4816	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe	82
PID 4816 wrote to memory of 3452	4816	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe	83
PID 4816 wrote to memory of 3452	4816	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe	83
PID 4816 wrote to memory of 3452	4816	JaffaCakes118_137cc722921829df11208ae82a652cd7.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_137cc722921829df11208ae82a652cd7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_137cc722921829df11208ae82a652cd7.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\system32HBID.exe
  "C:\Windows\system32HBID.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\Project VDC.exe
  "C:\Users\Admin\AppData\Local\Temp\Project VDC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9D1B.tmp

Filesize
4KB

MD5
51bee0ab97691836dc058cc6edb0a3bc

SHA1
e7a79d9eeaa9b3eb4650389d590e72f3305767d4

SHA256
fcb57ac50b7ced25bba2f806824dbbbcdf26208a1ceb2244c6f52a572b1f5f06

SHA512
92e15cf965bf2e4c258e6bf53543647b470fba9376c0fb3e9cc8d003f3be74f87f7d7935cf67b66205f1cc103df613856e2aef129a4b373336b1f0f1b5645fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Project VDC.exe

Filesize
243KB

MD5
97bacf4e79415c1bd1afa578eefb2e35

SHA1
f7ae523b22e44106e4be136098f367614fd6061f

SHA256
b7488daa93b04130e29a35ac6c6445fdd6f240824a6b98ab76d2c87e9bdabc52

SHA512
a6524e2d74ab97e8158ed3457ba3481f70278ae7cba5ea861f59c60acd5dba4e3177124ebade52e94ca9f0d85d0a3d5c6b249f3b287d543645b4e4ad75142303

Download Submit
C:\Windows\system32HBID.001

Filesize
548B

MD5
1f91a75464d0a381ba3bea745365ade7

SHA1
f9fe08c9a420088e6a6cf7e3b093dacd8155c01a

SHA256
c4955dfe16787cce82668fc42fa2845fd2120588e7f7aa9dbbba8fd1f956d862

SHA512
50785c2a7a7113132c4e0e42ea15b0c060db7c56417b969657eeaccd9fc82323305916ed17057d323bf7a449c41c1655a9e9ef6cfa0fc084e2a2817bb39d351b

Download Submit
C:\Windows\system32HBID.006

Filesize
7KB

MD5
ed3c7e9a789e0c5c8c49e46d4bf6a3df

SHA1
e74e617680edd83ea0172960c4389ba3f7ed431d

SHA256
f2b983e3e8cdcad665bdd0024725bb03a1a4919dcf115d031d1d4e4fe3225856

SHA512
1c70224ccf2d95563d54c8eb52e0e3fc09dee8528a8a0041517f1f85f36eec5f08ed5b8e9064827290a7b66f48849575ecb2cce3e81b4250e12806ffb7aff06d

Download Submit
C:\Windows\system32HBID.007

Filesize
5KB

MD5
d7b3b4076038485800c17684ac22550f

SHA1
d6ce8bc1a16d46cf6bdae41308f4eafd8d24ae4f

SHA256
7f67f9360d43cc337ad5f878372e1eec94a83e7cf6b5cf56c43a8c7e2e8d869a

SHA512
209eae97c7854f26fb32132be5722a5fb7b0c275774599b456b3f8a99c5b70d90a676ecf17ab7867c47a0f653c3f7d80d02d902ddb116acb7ba366ab0662750b

Download Submit
C:\Windows\system32HBID.exe

Filesize
471KB

MD5
186403d9ea3c30fb5c9cc7ec135c7866

SHA1
0b2ee531ae2f5c0658ffa720c1c71e986433a4fc

SHA256
99b102ae1b219cc471c47aa54da4ab4c3f4d0ee7a07ef85c7f0bca8cc6eb9bf1

SHA512
af30f64237e9998c4c2c41213a67c0bbf8687318c8e957f8a87aff43e383dd301ca674e0158cde5ab209bcf03263625fefcd0b6602c14f3d40231da7d9809dcd

Download Submit
memory/1712-29-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1712-38-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3452-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3452-36-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download