ardamax | d8f9db1f77dea1a06f8bc3d381ee6e63ed859243d718f98ea840aed6d1d50056

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/01/2025, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
Size

1.7MB
MD5

4662b6b068f968b089f5767ed9404cc0
SHA1

7e2e33e400c8f676e77c01e3432d7864c758d732
SHA256

d8f9db1f77dea1a06f8bc3d381ee6e63ed859243d718f98ea840aed6d1d50056
SHA512

b1038defa833c60c5832ee9c54844fae70efb0b3d7a849d4b0b2047b1c0882fa423bac663501f53cc9db0d972a83f5cdb5e04c8605f69d3d2d2a1fa8aee89655
SSDEEP

49152:LQijuS+GKkC7Q455bkJZ14xlBTUKBLmPYni4bHcrkKmP:LQWuS+B17QM5YbCxlRB9bHqvU

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000e000000018676-11.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1996	BVAU.exe

Loads dropped DLL 5 IoCs

pid	Process
768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
1996	BVAU.exe
1996	BVAU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\AKV.exe	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
File opened for modification	C:\Windows\SysWOW64\Sys	BVAU.exe
File created	C:\Windows\SysWOW64\Sys\BVAU.001	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
File created	C:\Windows\SysWOW64\Sys\BVAU.006	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
File created	C:\Windows\SysWOW64\Sys\BVAU.007	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
File created	C:\Windows\SysWOW64\Sys\BVAU.exe	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BVAU.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2180	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2180	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1996	BVAU.exe
Token: SeIncBasePriorityPrivilege	1996	BVAU.exe
Token: 33	2180	vlc.exe
Token: SeIncBasePriorityPrivilege	2180	vlc.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe
2180	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1996	BVAU.exe
1996	BVAU.exe
1996	BVAU.exe
1996	BVAU.exe
2180	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1996	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	30
PID 768 wrote to memory of 1996	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	30
PID 768 wrote to memory of 1996	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	30
PID 768 wrote to memory of 1996	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	30
PID 768 wrote to memory of 2180	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	31
PID 768 wrote to memory of 2180	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	31
PID 768 wrote to memory of 2180	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	31
PID 768 wrote to memory of 2180	768	JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4662b6b068f968b089f5767ed9404cc0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\Sys\BVAU.exe
  "C:\Windows\system32\Sys\BVAU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1996
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Opasna crnka pusi - erotski.3gp"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Opasna crnka pusi - erotski.3gp

Filesize
1.3MB

MD5
007205a9e8bdde6cca968bb071c91f03

SHA1
c3a53aa89a3273208752e9b0b4eaeb7e0a7bb4c7

SHA256
69162537742ac573aff4b881709e9d3bed3d435ea96ff5fa2d7fe8a12fba3c2d

SHA512
daa8a026fa1d2f09fa29520ca4b4b05977b577e396cb26ed5c637d3730def54856f560cb2fc30db0a74fa66ca739b6f872d3eb92bdcddc9230f82f9f81a85faf

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
bcf6fab667525797024d0962e41e9b7b

SHA1
86b3d41b65eb4ed85c6610a4bb595df787bb2a6a

SHA256
916385eb000bc6011cac9b11d89fd08ffaaddf7d727f9c9bf0764bbcf905b877

SHA512
7e04832d129e3bacb4d4d83259ec02e1e6f5da4da742dbbf010345ccd90a0547e12fcca68da3cff284687a112f570ca269596512605715b3477ae99933afc82c

Download Submit
C:\Windows\SysWOW64\Sys\BVAU.001

Filesize
3KB

MD5
e803ec9ff94c31dcd5f2644cc39ea3d0

SHA1
15b69ff5d2536d87bdf502d6648485dea5fffcfc

SHA256
7b8024d433583b2267ead222b012691a158639dcbeb9996158d0b5d12f73cd04

SHA512
1dacb5502a287c7009bfce7c8abd0381a906cfe977edebb02ff0b006e72a5d05a696fa75d8c8556ad3d8a3fea891da9bfbf603347eb07faab99ec6c9e8e93c48

Download Submit
C:\Windows\SysWOW64\Sys\BVAU.006

Filesize
5KB

MD5
3a2ef41ad6d9415229e0b76ec6df1baf

SHA1
e72f2c0d664a4d2323872bd1f586ec60bb0a6342

SHA256
b7e321cf9dacead275e600c2b531e96a62c671e0a2d641e141acbefb509adf2b

SHA512
b8d5f62e7da21d4114f8764afb16bc409921935d3440f8e712740a50dd7a01f850cfda31f0a4b41e4f514d6bb64e407a83e8e034e5be65cddde27817c728caeb

Download Submit
C:\Windows\SysWOW64\Sys\BVAU.007

Filesize
4KB

MD5
cb576a1e67ddeb42dc0e23a541cefdb8

SHA1
9684e67a013de4f0f5066856f553674db0f2749c

SHA256
8a9a4e62b646f072f6c1b5415b8461af96db307f59c4d32c9e4f455477ffc221

SHA512
e173475fbf9541daa6790133ceef4b8af414491c0a198e356ba1b1c2fcbdcf7044e8b8ae22d72f39b2b7b888e254fd742b9b09ae3c4e63fa64b5171508247942

Download Submit
\Users\Admin\AppData\Local\Temp\@928F.tmp

Filesize
4KB

MD5
b429300c8148810d2e6a8d40009fc124

SHA1
93ec9660cc0d68cadc6c7f44b35ea0a0ef684ae8

SHA256
98445d51b61014815fc43e44933e5dc126c4fe763545141e78ee1358e487b4b7

SHA512
47a1cfdba6c1e04a322116538a62b22d61cf6b31966e53cfe4e54eb75a58530a7636e3deffcfb7e96ff2bdae2b99c7bcb312685d1ceac2f79c118f6347bf2407

Download Submit
\Windows\SysWOW64\Sys\BVAU.exe

Filesize
468KB

MD5
4b64ea8b01e25e1af067d11698778ce4

SHA1
20c4d03590cc3ef10e0b3ddbfcdf6fbb41149847

SHA256
08b9f18c1098036ae8830caae054c451c66478490dcd4c653a01abaa937ee7c5

SHA512
5bea198540fa4dd9234017ec3e7a0cf79da4d3bc53cb715a3a6335567c08ff0871b886d6f4dd80e9f4e9df4cac8be392fc7d0e3456c14624583c6cf337ce65d0

Download Submit
memory/1996-25-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1996-28-0x0000000077C0F000-0x0000000077C10000-memory.dmp

Filesize
4KB

Download
memory/1996-35-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2180-58-0x000007FEF51A0000-0x000007FEF5207000-memory.dmp

Filesize
412KB

Download
memory/2180-47-0x000007FEF5210000-0x000007FEF541B000-memory.dmp

Filesize
2.0MB

Download
memory/2180-44-0x000007FEF7140000-0x000007FEF715D000-memory.dmp

Filesize
116KB

Download
memory/2180-45-0x000007FEF7120000-0x000007FEF7131000-memory.dmp

Filesize
68KB

Download
memory/2180-43-0x000007FEF7160000-0x000007FEF7171000-memory.dmp

Filesize
68KB

Download
memory/2180-42-0x000007FEF7180000-0x000007FEF7197000-memory.dmp

Filesize
92KB

Download
memory/2180-40-0x000007FEFADD0000-0x000007FEFADE7000-memory.dmp

Filesize
92KB

Download
memory/2180-41-0x000007FEF7CA0000-0x000007FEF7CB1000-memory.dmp

Filesize
68KB

Download
memory/2180-38-0x000007FEF64D0000-0x000007FEF6786000-memory.dmp

Filesize
2.7MB

Download
memory/2180-39-0x000007FEFC1E0000-0x000007FEFC1F8000-memory.dmp

Filesize
96KB

Download
memory/2180-48-0x000007FEF6C60000-0x000007FEF6CA1000-memory.dmp

Filesize
260KB

Download
memory/2180-49-0x000007FEF6C30000-0x000007FEF6C51000-memory.dmp

Filesize
132KB

Download
memory/2180-50-0x000007FEF6C10000-0x000007FEF6C28000-memory.dmp

Filesize
96KB

Download
memory/2180-51-0x000007FEF6BF0000-0x000007FEF6C01000-memory.dmp

Filesize
68KB

Download
memory/2180-52-0x000007FEF6BD0000-0x000007FEF6BE1000-memory.dmp

Filesize
68KB

Download
memory/2180-53-0x000007FEF6BB0000-0x000007FEF6BC1000-memory.dmp

Filesize
68KB

Download
memory/2180-54-0x000007FEF6B90000-0x000007FEF6BAB000-memory.dmp

Filesize
108KB

Download
memory/2180-55-0x000007FEF6B70000-0x000007FEF6B81000-memory.dmp

Filesize
68KB

Download
memory/2180-56-0x000007FEF6B50000-0x000007FEF6B68000-memory.dmp

Filesize
96KB

Download
memory/2180-57-0x000007FEF6B20000-0x000007FEF6B50000-memory.dmp

Filesize
192KB

Download
memory/2180-37-0x000007FEF7CC0000-0x000007FEF7CF4000-memory.dmp

Filesize
208KB

Download
memory/2180-59-0x000007FEF5120000-0x000007FEF519C000-memory.dmp

Filesize
496KB

Download
memory/2180-63-0x000007FEF4F20000-0x000007FEF4F37000-memory.dmp

Filesize
92KB

Download
memory/2180-46-0x000007FEF5420000-0x000007FEF64D0000-memory.dmp

Filesize
16.7MB

Download
memory/2180-62-0x000007FEF4F40000-0x000007FEF50C0000-memory.dmp

Filesize
1.5MB

Download
memory/2180-36-0x000000013FA10000-0x000000013FB08000-memory.dmp

Filesize
992KB

Download
memory/2180-61-0x000007FEF50C0000-0x000007FEF5117000-memory.dmp

Filesize
348KB

Download
memory/2180-60-0x000007FEF6B00000-0x000007FEF6B11000-memory.dmp

Filesize
68KB

Download
memory/2180-65-0x000007FEF34A0000-0x000007FEF36A6000-memory.dmp

Filesize
2.0MB

Download
memory/2180-66-0x000007FEF3480000-0x000007FEF3492000-memory.dmp

Filesize
72KB

Download
memory/2180-69-0x000007FEFADC0000-0x000007FEFADD0000-memory.dmp

Filesize
64KB

Download
memory/2180-72-0x000007FEF2F50000-0x000007FEF2F66000-memory.dmp

Filesize
88KB

Download
memory/2180-71-0x000007FEF2F70000-0x000007FEF2F81000-memory.dmp

Filesize
68KB

Download
memory/2180-70-0x000007FEF2F90000-0x000007FEF2FBF000-memory.dmp

Filesize
188KB

Download
memory/2180-64-0x000007FEF36B0000-0x000007FEF4F1F000-memory.dmp

Filesize
24.4MB

Download
memory/2180-68-0x000007FEF33E0000-0x000007FEF342D000-memory.dmp

Filesize
308KB

Download
memory/2180-67-0x000007FEF3430000-0x000007FEF3472000-memory.dmp

Filesize
264KB

Download
memory/2180-73-0x000007FEF2E80000-0x000007FEF2F45000-memory.dmp

Filesize
788KB

Download
memory/2180-74-0x000007FEF2E30000-0x000007FEF2E72000-memory.dmp

Filesize
264KB

Download
memory/2180-75-0x000007FEF2DC0000-0x000007FEF2E22000-memory.dmp

Filesize
392KB

Download
memory/2180-76-0x000007FEF2D50000-0x000007FEF2DBD000-memory.dmp

Filesize
436KB

Download
memory/2180-80-0x000007FEF28B0000-0x000007FEF28C3000-memory.dmp

Filesize
76KB

Download
memory/2180-77-0x000007FEF2920000-0x000007FEF2BD0000-memory.dmp

Filesize
2.7MB

Download
memory/2180-79-0x000007FEF28D0000-0x000007FEF28F3000-memory.dmp

Filesize
140KB

Download
memory/2180-78-0x000007FEF2900000-0x000007FEF2915000-memory.dmp

Filesize
84KB

Download
memory/2180-83-0x000007FEF2300000-0x000007FEF2311000-memory.dmp

Filesize
68KB

Download
memory/2180-82-0x000007FEF2760000-0x000007FEF2771000-memory.dmp

Filesize
68KB

Download
memory/2180-81-0x000007FEF2780000-0x000007FEF2886000-memory.dmp

Filesize
1.0MB

Download
memory/2180-84-0x000007FEF2290000-0x000007FEF22F1000-memory.dmp

Filesize
388KB

Download
memory/2180-85-0x000007FEF2240000-0x000007FEF2287000-memory.dmp

Filesize
284KB

Download
memory/2180-86-0x000007FEF21C0000-0x000007FEF2234000-memory.dmp

Filesize
464KB

Download
memory/2180-87-0x000007FEF1B80000-0x000007FEF1BB4000-memory.dmp

Filesize
208KB

Download