ardamax | d84527c17d545b9b10fb4b8bcb7bcc179f6f2d046e928c2cd3ed3940de8ad4df

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
Size

389KB
MD5

206d3feff992b73f942faf61a3feb937
SHA1

2d094207dabd70dca35d1d26ee9482cf3aeda949
SHA256

d84527c17d545b9b10fb4b8bcb7bcc179f6f2d046e928c2cd3ed3940de8ad4df
SHA512

b1d95397bab9347c330404d58d0ca1f39311b75026da9a7ae07bcafa41ea5509c508a72071f4584c2a02ec34a7d872c86a02cf8ae83d91277b7908493de28fcc
SSDEEP

12288:DP6JTxHHaVFoHmr9x70L41wC3OIOeWsr/iJJ3:2xnlHmrf0s1XGePkJ

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d64-16.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2840	UIB.exe
2928	pinnacle.exe

Loads dropped DLL 7 IoCs

pid	Process
2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
2840	UIB.exe
2928	pinnacle.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UIB = "C:\\Windows\\SysWOW64\\UIB.exe"	UIB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\UIB.001	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
File created	C:\Windows\SysWOW64\UIB.006	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
File created	C:\Windows\SysWOW64\UIB.007	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
File created	C:\Windows\SysWOW64\UIB.exe	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
File opened for modification	C:\Windows\SysWOW64\pj.dll	pinnacle.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2928-29-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/files/0x0007000000015d6d-26.dat	upx
behavioral1/memory/2928-37-0x0000000000400000-0x000000000047C000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	UIB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UIB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pinnacle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	pinnacle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2840	UIB.exe
Token: SeIncBasePriorityPrivilege	2840	UIB.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2840	UIB.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2840	UIB.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe
2928	pinnacle.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2840	UIB.exe
2840	UIB.exe
2840	UIB.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2840	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	28
PID 2324 wrote to memory of 2840	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	28
PID 2324 wrote to memory of 2840	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	28
PID 2324 wrote to memory of 2840	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	28
PID 2324 wrote to memory of 2928	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	29
PID 2324 wrote to memory of 2928	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	29
PID 2324 wrote to memory of 2928	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	29
PID 2324 wrote to memory of 2928	2324	JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe	29

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_206d3feff992b73f942faf61a3feb937.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\UIB.exe
  "C:\Windows\system32\UIB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\pinnacle.exe
  "C:\Users\Admin\AppData\Local\Temp\pinnacle.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pinnacle.exe

Filesize
204KB

MD5
1c51397708fcefb812b4f8eb59952800

SHA1
29cb838da1caae86d7c87296747701b73abfabc4

SHA256
92a22d4e3b7d847e5bc5ff94256013bc8f8c08f65220006a6046e90165115b0e

SHA512
e6371a89217b8b7d30b60e7f32fa022719860f37ec7f2862c9f5ae1583c195692ef6295edeb70117e40fb45822df8559a4d349dda44d91e824119a8ee671ede6

Download Submit
C:\Windows\SysWOW64\UIB.001

Filesize
2KB

MD5
67ee78d82d910f2bbe235d1b32d36572

SHA1
cf7a3a465d1736c4013144bd50d6c31ebc5de397

SHA256
c818611e70f42fd56f1a7d83272731f37e4b2bf77de382707cce98f70fc422c4

SHA512
166d5f220d6926d13a2b129ef21e65da90b85eb85214d82cf6a75ac28b856dd38abe5bd9fe6db8a1be9384f0dbf6339ef59d6b0d1e829226727c2f75f110d6e2

Download Submit
C:\Windows\SysWOW64\UIB.exe

Filesize
286KB

MD5
47d45da7bc718cef809ecec470987248

SHA1
9137c8c0e84516bc08daf6b7e08192c7b9e17959

SHA256
d47237c917f006acc443546e338c68bad94c5cfa54eaabaffde0ad2dfbcdaa4e

SHA512
c8f39999ea258021318821a3336125fe1e41993572ec8264885437c689d080b2c606fbeecb72f0c6702e562f9598820d0105fee539cde51d8cf1b17119f4ffe9

Download Submit
\Users\Admin\AppData\Local\Temp\@88DF.tmp

Filesize
4KB

MD5
e5fb7457989a4bce5e8b24219b516c6f

SHA1
580ba07dc5c71115cad40fcda27a03f6605464d2

SHA256
5c34a7520cace89cc3b6a1c800e36817462e92ee628c9c1dd2ee34cbd379859b

SHA512
3ddfda190aae244a6a84ae7468b5946db4464e30d48f3db0de67e9bf5c3dadbff05cfb539577083c51bf8efd2098a95bf430278f5430f66691bc785329a0eca2

Download Submit
\Windows\SysWOW64\UIB.006

Filesize
5KB

MD5
db98486706de28b2f52ef5b74feacb47

SHA1
c3298decb5d15adb02016a7c14f39fcf179e33db

SHA256
d74d932e2e6833928a42c8ffa69132758b832f8d3eafef727e3690b441d972cb

SHA512
1d722b668d35b12637c8c427aca422dba828f17b9eb297fef63c3f7d03a4ba2d164fee825dee450208e1fbe2ce830b62060cc8be1b1dd7c41551efcdeb53f1b3

Download Submit
memory/2324-28-0x0000000002A20000-0x0000000002A9C000-memory.dmp

Filesize
496KB

Download
memory/2324-27-0x0000000002A20000-0x0000000002A9C000-memory.dmp

Filesize
496KB

Download
memory/2840-31-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2840-39-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2928-29-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2928-37-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads