ardamax | 4fbc330b4a0a7b524d6e4fbe166b2e644a87cb0b228c07fd84d9d6f46e93be6b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
Size

222KB
MD5

369f3b0d8a6237be175eae349bb4bb5e
SHA1

b828824c1c111b22605aa0b6a7671d7dab2c032a
SHA256

4fbc330b4a0a7b524d6e4fbe166b2e644a87cb0b228c07fd84d9d6f46e93be6b
SHA512

293d8bb0113886defe407dda0a18ecd315eab54fb78188984550dd21076bb2683c719c90a93dc3f3755596dd05563a0f2f5163ed626cffadfe90aa91770e45ee
SSDEEP

6144:kuylTvWzCVkCELU0LPRpL/yqmuYyOhcpqK:kuy9v4Yk5LU0d9yPuNr

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ba1-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe

Executes dropped EXE 1 IoCs

pid	Process
740	CKM.exe

Loads dropped DLL 1 IoCs

pid	Process
2440	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CKM = "C:\\Windows\\SysWOW64\\CKM.exe"	CKM.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CKM.001	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
File created	C:\Windows\SysWOW64\CKM.006	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
File created	C:\Windows\SysWOW64\CKM.007	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
File created	C:\Windows\SysWOW64\CKM.exe	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
File opened for modification	C:\Windows\SysWOW64\CKM.001	CKM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CKM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 740	2440	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe	82
PID 2440 wrote to memory of 740	2440	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe	82
PID 2440 wrote to memory of 740	2440	JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\CKM.exe
  "C:\Windows\system32\CKM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@26FE.tmp

Filesize
4KB

MD5
b3ce78b324bbaf657fa5dfb80270240d

SHA1
3eacec137e3e0c898e916dfebee4668aa2c6ef3d

SHA256
da289a8e9545c71918bda3fa6f84e45eaec17a7016be8c885f35940aebfcd486

SHA512
1494fa678289bee54ff554e1fd7e63ca38f22135d60afc7b95a566879592d00e9cf29fd2e31d541ad0881fd28c057928c467e002965a21944467232852fda068

Download Submit
C:\Windows\SysWOW64\CKM.001

Filesize
1KB

MD5
a7e6484b6d2a29c51de7a83766ef45f5

SHA1
3da70caf64f07266cfe82b0fdbc3e68211e5d159

SHA256
0defa934ee175c5716fa823065da249128a77659178f29076e72beef9e5f1d28

SHA512
d2eb662817f4a46a4866ab26fdf950c1a2e04d28b4cc79a9c26b12b617b018e9970817136590f0ce9eeef2d033766ebbb9985f8b4138901601612f50ca9b5aa5

Download Submit
C:\Windows\SysWOW64\CKM.exe

Filesize
244KB

MD5
3d940db5a36c4850146a7515f36bf64e

SHA1
77e61d2cddbfe4722f623197856a8053a9d6ca73

SHA256
ba471b072fc8d13d946754e6cacc41c2c992581018bff3d051d4a07b5b2bc375

SHA512
ab629b4436dcec4e65899bb9c66263a0d74a48be6ced4a5fd472b20959e858bc69772a1f74b5b20c06ec4860ff03d01bb20074d2c79b567b60480c80c1648d83

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads