ardamax | 27a912b442042bf9c301f23048e34abd2d33c2dd6615c96c3555c8ce4b6c126c

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
Size

1.1MB
MD5

2717b3c5c7662818b2b0379afac8ec4d
SHA1

fc5e7cbbccb8b37f7c0f72bc5a345ab1807ba5e9
SHA256

27a912b442042bf9c301f23048e34abd2d33c2dd6615c96c3555c8ce4b6c126c
SHA512

68203a1ab123501717f836e147100c3a596213bd29444962508bb651b9bfe7abf2e2614866e2935d1e3c602d246fb8c490b566caee36e67d99163f56a9a5a817
SSDEEP

24576:+OW1Sq70k4ChkpYiGd1Tr6efemMU7xB/OkPlU84tkNx07:+OWgq70kvKqTd12efem/7xROkkuNx07

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001960e-624.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2376	Install.exe
1712	KJOM.exe

Loads dropped DLL 13 IoCs

pid	Process
2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
2376	Install.exe
2376	Install.exe
2376	Install.exe
1712	KJOM.exe
1712	KJOM.exe
1712	KJOM.exe
1712	KJOM.exe
1712	KJOM.exe
1712	KJOM.exe
1172	DllHost.exe
1172	DllHost.exe
2376	Install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KJOM Agent = "C:\\Windows\\SysWOW64\\28463\\KJOM.exe"	KJOM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\KJOM.004	Install.exe
File created	C:\Windows\SysWOW64\28463\KJOM.003	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\KJOM.009	KJOM.exe
File created	C:\Windows\SysWOW64\28463\KJOM.006	Install.exe
File created	C:\Windows\SysWOW64\28463\KJOM.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	KJOM.exe
File created	C:\Windows\SysWOW64\28463\KJOM.009	KJOM.exe
File created	C:\Windows\SysWOW64\28463\KJOM.001	Install.exe
File created	C:\Windows\SysWOW64\28463\KJOM.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KJOM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
Token: SeIncBasePriorityPrivilege	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
Token: 33	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
Token: SeIncBasePriorityPrivilege	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
Token: 33	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
Token: SeIncBasePriorityPrivilege	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
Token: 33	2376	Install.exe
Token: SeIncBasePriorityPrivilege	2376	Install.exe
Token: 33	1712	KJOM.exe
Token: SeIncBasePriorityPrivilege	1712	KJOM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1172	DllHost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1712	KJOM.exe
1712	KJOM.exe
1712	KJOM.exe
1712	KJOM.exe
1712	KJOM.exe
1172	DllHost.exe
1172	DllHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2376	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe	30
PID 2824 wrote to memory of 2376	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe	30
PID 2824 wrote to memory of 2376	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe	30
PID 2824 wrote to memory of 2376	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe	30
PID 2824 wrote to memory of 2376	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe	30
PID 2824 wrote to memory of 2376	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe	30
PID 2824 wrote to memory of 2376	2824	JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe	30
PID 2376 wrote to memory of 1712	2376	Install.exe	31
PID 2376 wrote to memory of 1712	2376	Install.exe	31
PID 2376 wrote to memory of 1712	2376	Install.exe	31
PID 2376 wrote to memory of 1712	2376	Install.exe	31
PID 2376 wrote to memory of 1712	2376	Install.exe	31
PID 2376 wrote to memory of 1712	2376	Install.exe	31
PID 2376 wrote to memory of 1712	2376	Install.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2717b3c5c7662818b2b0379afac8ec4d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.06.16T13.22\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.06.16T13.22\Native\STUBEXE\@SYSTEM@\28463\KJOM.exe
    "C:\Windows\system32\28463\KJOM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1712

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eco-tours-seychelles-beach.jpg

Filesize
249KB

MD5
e49134536b7707440dab0e0027d9cf22

SHA1
ed0a494350dc0f7a8bf683293c2f730d1c7b382d

SHA256
7e5df9890cc0173dbe8d0912d76992539e1c95e8ebc30d1b4b37e3ccba151cd5

SHA512
a3b9979eda2a741a0cf8b3aacaaaa8860adacfd2b6ee657d7db3cc8801d760fd973b509d7bec4b6bdaabe9b968ed13e800c40c80604c5ee90961cead22e8558d

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\KJOM.001

Filesize
382B

MD5
0a04c6562d661eb7879409af095d7021

SHA1
bef05a0ac42074422125daeacf367d8715546aff

SHA256
7cad462384c0897982de6d35f4f981d3c1d027b04441149a5b4d365640edd6e1

SHA512
bdfff62bd5e9528497adaf4963aa3348b6210582c8741136cf0b2f37f8d2f8b531e87bea8ad332ea364f3a31f565c8ee9b94407a11f7973268eee21dd2c4ac1b

Download Submit
C:\Windows\SysWOW64\28463\KJOM.004

Filesize
14KB

MD5
bda4860df26a5882b42b6b861376199d

SHA1
8437ec07c9bc3001756ae0cb214b99e1e8a53fdb

SHA256
9ed69f6ee86a7fca1f3ef7801d08b38d9e82ab649e6169e894e48ce85b43dc30

SHA512
484f45aaacdb4be03752df49c337c7596d539ee0442412083fcfeea78e1c485caf1fbb25cf8a749611358e3a895232f8d0c61c91545d98a3f2a3e1aa504859c6

Download Submit
C:\Windows\SysWOW64\28463\KJOM.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
\Users\Admin\AppData\Local\Temp\@74A3.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.06.16T13.22\Native\STUBEXE\@SYSTEM@\28463\KJOM.exe

Filesize
17KB

MD5
bd1a7e7752d57865328f7586e873cfce

SHA1
8759c72e07ebc46fa1989c0d92083baaba8852f9

SHA256
53227a39a4f4e313117dc9f995f39ab1e7588be410a8365e8eff2d618d13091d

SHA512
1c37109301c962cd23e3d190adcb47e89743095fa64e8edd9e8b82c81239a85d6b9eefbb5d457fddcc388ec0bae9867d881adb8946a9acd930fc3f9bee77014a

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.06.16T13.22\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe

Filesize
17KB

MD5
448c2fb2b2388ace37fee72504b2ce2c

SHA1
f9e6d59e37e459f8c1970c64cbb9cbd8cd560282

SHA256
1eb6a671abacd4a61c5b4d5a67019a373132b15517f21557a74b121798394d0f

SHA512
1eac65ff991b43252d45322b7d16c131aaf1fcd4f19a3633386987a8c379b747da7def185c8b58773b62347af91177f2579b49e7c77aea0028cff565c276f7de

Download Submit
\Windows\SysWOW64\28463\KJOM.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
\Windows\SysWOW64\28463\KJOM.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
memory/2824-22-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-197-0x0000000077B00000-0x0000000077B01000-memory.dmp

Filesize
4KB

Download
memory/2824-50-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-51-0x0000000077B00000-0x0000000077B01000-memory.dmp

Filesize
4KB

Download
memory/2824-46-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-44-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-42-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-40-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-38-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-56-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-34-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-32-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-30-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-28-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-26-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-24-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-18-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-20-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-16-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-14-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-12-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-10-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-8-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-36-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-218-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-242-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-259-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-66-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-64-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-289-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-279-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-274-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-225-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-210-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-1-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-2-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-6-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-4-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-62-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-60-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-58-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-54-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-52-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-958-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2824-0-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads