ardamax | d7d05456dc79039ba0a8292c84b150f2182edd06d671aeb6eddbe35f1308748c

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe
Size

3.3MB
MD5

1d47116dfd00c5197ad0ebb23e61ee92
SHA1

d5299dcb21a0cbf5826e020da81def99d76a1373
SHA256

d7d05456dc79039ba0a8292c84b150f2182edd06d671aeb6eddbe35f1308748c
SHA512

59f5b04cc3accc8160e431ba0119ba2ed5cb7350aa861ea389407fbb2d3e3d14e5b1c375c43608c2b812a2e3887b06e5f051281630c7fdbb315eb8a87f1474f7
SSDEEP

24576:go/ADMPEzh/5bHYjbXrX4xxkzTf5uhaFHLWQoWilqVD2AwaIu9fMOs70vJZ4jbic:wa8alTl7DMZcACMtZWsKgNVFonN5KGo

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c90-51.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	file1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 5 IoCs

pid	Process
3508	file1.exe
2832	fire-heart-desktop-gadget.exe
2444	Install.exe
4296	system32GBAJ.exe
1848	rkverify.exe

Loads dropped DLL 14 IoCs

pid	Process
2444	Install.exe
1848	rkverify.exe
2832	fire-heart-desktop-gadget.exe
4296	system32GBAJ.exe
4296	system32GBAJ.exe
4296	system32GBAJ.exe
2832	fire-heart-desktop-gadget.exe
2832	fire-heart-desktop-gadget.exe
2832	fire-heart-desktop-gadget.exe
2832	fire-heart-desktop-gadget.exe
2832	fire-heart-desktop-gadget.exe
2832	fire-heart-desktop-gadget.exe
2832	fire-heart-desktop-gadget.exe
2832	fire-heart-desktop-gadget.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32GBAJ Agent = "C:\\Windows\\system32GBAJ.exe"	system32GBAJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\fireheart.exe	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\sample.jpg	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\Uninstall.exe	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\Readme.txt	fire-heart-desktop-gadget.exe
File created	C:\Program Files (x86)\Fire Heart Desktop Gadget\License.txt	fire-heart-desktop-gadget.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32GBAJ.001	Install.exe
File created	C:\Windows\system32GBAJ.006	Install.exe
File created	C:\Windows\system32GBAJ.007	Install.exe
File created	C:\Windows\system32GBAJ.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32GBAJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rkverify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fire-heart-desktop-gadget.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023c86-18.dat	nsis_installer_1
behavioral2/files/0x0008000000023c86-18.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4296	system32GBAJ.exe
Token: SeIncBasePriorityPrivilege	4296	system32GBAJ.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4296	system32GBAJ.exe
4296	system32GBAJ.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe
1848	rkverify.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 3508	4292	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	83
PID 4292 wrote to memory of 3508	4292	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	83
PID 4292 wrote to memory of 3508	4292	JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe	83
PID 3508 wrote to memory of 2832	3508	file1.exe	84
PID 3508 wrote to memory of 2832	3508	file1.exe	84
PID 3508 wrote to memory of 2832	3508	file1.exe	84
PID 3508 wrote to memory of 2444	3508	file1.exe	85
PID 3508 wrote to memory of 2444	3508	file1.exe	85
PID 3508 wrote to memory of 2444	3508	file1.exe	85
PID 2444 wrote to memory of 4296	2444	Install.exe	86
PID 2444 wrote to memory of 4296	2444	Install.exe	86
PID 2444 wrote to memory of 4296	2444	Install.exe	86
PID 2832 wrote to memory of 1848	2832	fire-heart-desktop-gadget.exe	87
PID 2832 wrote to memory of 1848	2832	fire-heart-desktop-gadget.exe	87
PID 2832 wrote to memory of 1848	2832	fire-heart-desktop-gadget.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d47116dfd00c5197ad0ebb23e61ee92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Local\Temp\file1.exe
  C:\Users\Admin\AppData\Local\Temp\\file1.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\fire-heart-desktop-gadget.exe
    "C:\Users\Admin\AppData\Local\Temp\fire-heart-desktop-gadget.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\rkverify.exe
      C:\Users\Admin\AppData\Local\Temp\rkverify.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1848
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32GBAJ.exe
      "C:\Windows\system32GBAJ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fire Heart Desktop Gadget\fireheart.exe

Filesize
1.9MB

MD5
a661c16d5a8ea0ec4dd12870eaad4aa6

SHA1
e6311368d398e67baf59650c8097e3cfc2c8039a

SHA256
8ac9a3287d73ba17c101438e728f22c61bd9f97fce5190e94a50ab48fb1bd71a

SHA512
95a133839ea494926690031dcebd6ca834a51ab77018283565411485f3c920ee6fc678c50018b974856e90c40c8984d3040990757d21e1886232f35d3ee8cd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\@D5ED.tmp

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSMD755.tmp

Filesize
160KB

MD5
5ac09190daf249c3e93c3ac961067024

SHA1
bad9c0d552d54310f669d66b549dcada90583812

SHA256
f4934185f75518a13ef5425959f47516cc8467f513e838a82e749ffb782d7e23

SHA512
2a87686c038e8a34f8e04a844726de564a08baeedc87632219b86f455d5222efe2ed7557fad9658627e304d916a75cfcb3c9dede4e72057a070f64370aa52f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
270KB

MD5
60b27ce2169a9181b34058d6b9cf179a

SHA1
fa43b07ac006d4cd615c4028800aa127468b4368

SHA256
d55d37a7753a6413cc072d1fc2e611c3ce1f3e4704a7fc0f3ad0be12fe22c910

SHA512
4175d291c5cb8b81448f8d61fd36b7b2038c7c7a789b9bfc2afcbaf02e8d7295f969247932593f7ebab3c84a2d210785073bb09fa50ada0480786eeb07258a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
1.6MB

MD5
177a0ab800321eeb56da08e744f563de

SHA1
4386f9d3ecc0b9d5b373aef7267770faac68dc01

SHA256
472bd8764586dd344b5598e1d4e2de170b118b16becc20c6efe532e5c6b78b04

SHA512
9964f6bcab4d6543c278e161f8f40d9e841179f9dadc09517cdc6621a6bfee8eb061c669e4c4333e09f25566ae6a480107546fddfcc63830025455245efa1294

Download Submit
C:\Users\Admin\AppData\Local\Temp\fire-heart-desktop-gadget.exe

Filesize
1.3MB

MD5
bdf1df1389bb86a6dbef630f9b9dbe86

SHA1
a3fc52c62a46f9305f5cc6b0934a307fe4e12ec2

SHA256
d4df2a9a0dbc78d75e0a934f8791111d80cbf3db3e2d0662f259432a76e6b902

SHA512
845c78871b653b83a11a4876840d40307dadbf1d15b8009265e11c726e38344777a6fc75faa913e64f22565e43398fdf162d5e88b4c0388a82b9ead23d66d6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD6AB.tmp\InstallOptions.dll

Filesize
14KB

MD5
14c212bb2fa90fe52a6424b955c86ad6

SHA1
9e94f8ad17ff9b6b31e5f029ee5f726e307ac8ee

SHA256
1854afccace3053dca2707b10609ea78a30f0ee853bdb9f251c076317ee53120

SHA512
d42fa579f93b98d1446daf3d0734c19838fa310ef27cd05344e25d9f86ba37a5fa1752236e5de4df7c9f414236538bd7431bffda126fb9c74fd112539de0e713

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD6AB.tmp\System.dll

Filesize
10KB

MD5
4c0c6163b636f627e0d505deda672c90

SHA1
2eae4e6f00673a03ae2434f1b22dc9218e4761a8

SHA256
bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb

SHA512
e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD6AB.tmp\_license_page.ini

Filesize
2KB

MD5
7c2bc369290efcef3d0364b553ee5ee3

SHA1
25a0bf0936c0e04cd9fd8d5bffce1d86de6e5c84

SHA256
67362ca84b70e3c38273ef408ac81006ebbd7ca72aaad397be10249a64ac2890

SHA512
ac2b38b12f3191667e8decd16b5fd4b10ed1140d2841f77e2dca30dfdce593a93b56579211ec81ed5c34de8c5adf0febfbc12e3e928fbf09cf6f739568be8d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD6AB.tmp\_survey_page.ini

Filesize
2KB

MD5
587912b916f6bea24599b5bff97a3311

SHA1
d2f49e46441425dea3e9f61f53d651e347a2d76e

SHA256
d1646118c323d233d457a9fbca363776415f60583ecc5c7ac8ce8d6450e0b8c9

SHA512
7d5a85a72d49a786d0e3a058cda0cc56fdd97bca5ea9a5806ad044fe47fe9ebaa7a4ef1b084cb01880edc97544ccffa83f7d0ccdf3a3831f20ff5f2da9a8c7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD6AB.tmp\_survey_page.ini

Filesize
2KB

MD5
559c1870b9e98dd09f91b83904c65c06

SHA1
430f0f0f0df9951e168e1be2b6be1fdb0fc1fdcb

SHA256
d95d19622129b45b1977d1276d5157e664b0e5cc14fbe0c038e6644ba7cd9173

SHA512
608f3c7508654efe87f118332a20169f7caee9a60a3537fb01e5128d94154f9d4e865e1389a6ab1e36710b425da5449448bb52bf6e726407404eba53a0329532

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD6AB.tmp\ioSpecial.ini

Filesize
757B

MD5
388b387bbad3cfa6a13c51ed32072331

SHA1
717a908dc8d72c8763d4f7fc6e138431a4e9d522

SHA256
cd73946d71bd290fd90673ad728eaf1a78dd432c0528c00033d9f2b7b84d987a

SHA512
03499533081f7f1aa161558b8909b04dea16ba4d52e314f6554e40cee175805bc18ebf90ec3be9ccff47abddbe2556725ef9ad32b848da33c2b7264f81d4076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkverify.exe

Filesize
268KB

MD5
020ce95075f8c93e6cc957953d7f4589

SHA1
e192a200e36974b8e0637230a8cb5905090f7555

SHA256
df9d068202c060a898cd441d5c170686cd9c2774a37cfda3ea10abc428e20ad3

SHA512
fb74170ed9b5ee078a176540c198513ed3a8c2e587fbcbf6d2384f840f0b6a2637fd20b6a01b2caf6e92e5f592d517b4733d34fdb349fd770eb04e1eac769170

Download Submit
C:\Windows\system32GBAJ.001

Filesize
414B

MD5
af2660c5c922592e1daf0d9ee443419c

SHA1
5deba5ed722e39229fb7f1f8571b34459ce74e4a

SHA256
cf3b005c11ca7b75474205ce6f6fe5fe4708a93dd237adb96a4aa7a6d451e8a5

SHA512
113df418d7b42b8b726c31c14b4181885738558b84622a8fd215b7ddfdb3d66c181cf654f2219aa219cd6ada5b4dd18882b4c0e4134e4aa78b3c4a906febbcc5

Download Submit
C:\Windows\system32GBAJ.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\Windows\system32GBAJ.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
C:\Windows\system32GBAJ.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
memory/2832-218-0x00000000757D0000-0x00000000757F4000-memory.dmp

Filesize
144KB

Download
memory/2832-212-0x00000000757D0000-0x00000000757F4000-memory.dmp

Filesize
144KB

Download
memory/2832-500-0x0000000075D10000-0x0000000075EB0000-memory.dmp

Filesize
1.6MB

Download
memory/2832-489-0x0000000075D10000-0x0000000075EB0000-memory.dmp

Filesize
1.6MB

Download
memory/2832-217-0x0000000075D10000-0x0000000075EB0000-memory.dmp

Filesize
1.6MB

Download
memory/2832-211-0x0000000075D10000-0x0000000075EB0000-memory.dmp

Filesize
1.6MB

Download
memory/2832-154-0x00000000032E0000-0x0000000003308000-memory.dmp

Filesize
160KB

Download
memory/4292-6-0x000000001C280000-0x000000001C2CC000-memory.dmp

Filesize
304KB

Download
memory/4292-4-0x000000001C120000-0x000000001C1BC000-memory.dmp

Filesize
624KB

Download
memory/4292-5-0x000000001B4A0000-0x000000001B4A8000-memory.dmp

Filesize
32KB

Download
memory/4292-8-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/4292-42-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/4292-43-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/4292-3-0x000000001BB70000-0x000000001C03E000-memory.dmp

Filesize
4.8MB

Download
memory/4292-1-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/4292-0-0x00007FFFD72A5000-0x00007FFFD72A6000-memory.dmp

Filesize
4KB

Download
memory/4292-7-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/4292-2-0x000000001B5F0000-0x000000001B696000-memory.dmp

Filesize
664KB

Download