ardamax | d44d06840e3fccfa5616f98f8dfd2b8de78242040fe7cc14db1cd78bc165f1e7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
Size

608KB
MD5

71fbbc5924741e4d7edc1b689a5d9882
SHA1

44d520f8d1f0a3dcf9e6be7996131fc9e57d05a9
SHA256

d44d06840e3fccfa5616f98f8dfd2b8de78242040fe7cc14db1cd78bc165f1e7
SHA512

c068c9e247c8382df94560404671a6eef8f27f71efffa01557ea88dddea9487c40dbab2512bc6b055cc5fbe0307eb276e419518b09d515a501ece47ce89d120d
SSDEEP

12288:1uEQlKRShvraBT31+I9K717p0tSN6iPSuCbnjrIC/YJw4TNWFXrNrtAr:1CScvrJBitSV4bIC/yfm9

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e682-20.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
656	Install.exe
2752	SAUF.exe

Loads dropped DLL 4 IoCs

pid	Process
656	Install.exe
2752	SAUF.exe
2752	SAUF.exe
2752	SAUF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAUF Agent = "C:\\Windows\\SysWOW64\\28463\\SAUF.exe"	SAUF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	SAUF.exe
File created	C:\Windows\SysWOW64\28463\SAUF.001	Install.exe
File created	C:\Windows\SysWOW64\28463\SAUF.006	Install.exe
File created	C:\Windows\SysWOW64\28463\SAUF.007	Install.exe
File created	C:\Windows\SysWOW64\28463\SAUF.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAUF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\InprocServer32\	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\VersionIndependentProgID\	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Programmable	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\HELPDIR	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\InprocServer32	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ProgID\	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\FLAGS	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ = "Owodipcoj Cozakmol Class"	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\ = "VideoLAN VLC ActiveX Plugin"	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\FLAGS\	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Version	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\InprocServer32\ = "C:\\Windows\\SysWOW64\\RegCtrl.dll"	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ProgID	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ProgID\ = "RegisterControl.Register.1"	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\HELPDIR\	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\TypeLib	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\TypeLib\ = "{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}"	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\FLAGS\ = "0"	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\TypeLib\	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Programmable\	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\win64	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\win64\	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\HELPDIR\ = "C:\\Program Files\\VideoLAN\\VLC"	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\VersionIndependentProgID	SAUF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\win64\ = "C:\\Program Files\\VideoLAN\\VLC\\axvlc.dll"	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Version\	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Version\ = "1.0"	SAUF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\VersionIndependentProgID\ = "RegisterControl.Register"	SAUF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2752	SAUF.exe
Token: SeIncBasePriorityPrivilege	2752	SAUF.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2752	SAUF.exe
2752	SAUF.exe
2752	SAUF.exe
2752	SAUF.exe
2752	SAUF.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 656	4560	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe	88
PID 4560 wrote to memory of 656	4560	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe	88
PID 4560 wrote to memory of 656	4560	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe	88
PID 4560 wrote to memory of 4916	4560	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe	89
PID 4560 wrote to memory of 4916	4560	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe	89
PID 4560 wrote to memory of 4916	4560	JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe	89
PID 656 wrote to memory of 2752	656	Install.exe	91
PID 656 wrote to memory of 2752	656	Install.exe	91
PID 656 wrote to memory of 2752	656	Install.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\SysWOW64\28463\SAUF.exe
    "C:\Windows\system32\28463\SAUF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@BBCE.tmp

Filesize
4KB

MD5
557e0039dc13a0453af7ca9373a0d301

SHA1
50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

SHA256
54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

SHA512
d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
590KB

MD5
dc7a20e6fcd4a76e14d3245796a36b13

SHA1
be9435bb144e9a0c5291876f40ee54ea2d2ea195

SHA256
0ddf2d4b7e78a971a551b82f95072fbf05266842149d8c5306bb2f4ed2dba9e9

SHA512
f4cc2ab3ab95a67fa42a199bb30503d2e0af108d928bd49428892ea233e430e3a961fe930d7431885cd8015879b8db99fcf63f467bb3f0f2528bd15646941213

Download Submit
C:\Windows\SysWOW64\28463\SAUF.001

Filesize
428B

MD5
8efe2ac4145729cd42e0004e674658ae

SHA1
d3fb66e77cc7cbdc0fb75b214ca97b74c48268be

SHA256
6d60dc6f1b5c7f4e8d17eeadec85a91821977ae6e8813a2b5bd715f3e61d800a

SHA512
7bc6003a5c813f6f9def80e5b4ca58dbafafefc91b651e0d8838b4dd8f253e2c009ba6fb62d5f6035185bd052b01793d252a3f2cfa8b2304fc064b9af1905709

Download Submit
C:\Windows\SysWOW64\28463\SAUF.006

Filesize
8KB

MD5
5153b016d36928c296131c5c8e669446

SHA1
c444f61a2dc49ede6a2325f26d76af66de5989d2

SHA256
4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59

SHA512
c9084ff30f1f023b1f9cd00dc66cdbf846e95993093163c3e71a13535ccfc79d59be5b28a78ccfa6b0a82389b08b157676d71a9ccca2c170369080feac386f09

Download Submit
C:\Windows\SysWOW64\28463\SAUF.007

Filesize
5KB

MD5
80bbc7ace13d97396bd7b1abbaf4008b

SHA1
d013c0def603915675b1e0ce5877d413cdaf6523

SHA256
18dbfb27d4b10501e8426db1a78df8247f6570656d183f78b061d7db4c7865ae

SHA512
bc7afd0e730f432852d374812827077574181928aa97c25d8170ce1b766677383360bf2bb21afc51e8168eb3f6539ce8499c4002d86190f27d4836da3f907919

Download Submit
C:\Windows\SysWOW64\28463\SAUF.exe

Filesize
648KB

MD5
5530832fa82582288ce640f73a4915a0

SHA1
c40673ed59a61dd3b39f8ed6d0e1345838d98e44

SHA256
6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

SHA512
ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/2752-40-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-36-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-51-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-50-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-49-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-48-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-47-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-46-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-45-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-44-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-43-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-42-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-41-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-53-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2752-39-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-38-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-37-0x0000000003200000-0x0000000003203000-memory.dmp

Filesize
12KB

Download
memory/2752-52-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-35-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2752-34-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2752-33-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2752-32-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2752-31-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2752-30-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2752-54-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-58-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2752-59-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2752-57-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2752-56-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2752-55-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-28-0x00000000009D0000-0x0000000000A2A000-memory.dmp

Filesize
360KB

Download
memory/2752-27-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-67-0x00000000009D0000-0x0000000000A2A000-memory.dmp

Filesize
360KB

Download
memory/2752-68-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-72-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads