ardamax | dc830c6e64c88ef9a70275308524f5d35325f297d97e4a24ae05dee2fbfba71e

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
Size

932KB
MD5

8e5b677ce9f2667e863c291158775bb4
SHA1

b1806348fd174ea11c5b43bf5e8cbfed3ddb3fcd
SHA256

dc830c6e64c88ef9a70275308524f5d35325f297d97e4a24ae05dee2fbfba71e
SHA512

9aab6222c69626296cf8486e57dcd045125e91b5acf4d6697032c2830e7fd33b49cd77049b7549bc39260c9f006857fe1984afe7b277d4a294539eec195fb1e4
SSDEEP

24576:3gITlEib8hhvPlUGksxK3ilj7VjNK8ySVMViCe3C/jc:3R8hh3WTij7VjNlg18sjc

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c8b-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe

Executes dropped EXE 2 IoCs

pid	Process
3472	alg.exe
3056	mv1xfull.exe

Loads dropped DLL 11 IoCs

pid	Process
1460	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
3472	alg.exe
3056	mv1xfull.exe
3472	alg.exe
3472	alg.exe
3056	mv1xfull.exe
3056	mv1xfull.exe
3056	mv1xfull.exe
3056	mv1xfull.exe
3056	mv1xfull.exe
3056	mv1xfull.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\alg.001	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
File created	C:\Windows\SysWOW64\Sys\alg.006	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
File created	C:\Windows\SysWOW64\Sys\alg.007	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
File created	C:\Windows\SysWOW64\Sys\alg.exe	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
File opened for modification	C:\Windows\SysWOW64\Sys	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mv1xfull.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023c8d-20.dat	nsis_installer_1

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3472	alg.exe
Token: SeIncBasePriorityPrivilege	3472	alg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3472	alg.exe
3472	alg.exe
3472	alg.exe
3472	alg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3472	1460	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe	86
PID 1460 wrote to memory of 3472	1460	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe	86
PID 1460 wrote to memory of 3472	1460	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe	86
PID 1460 wrote to memory of 3056	1460	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe	87
PID 1460 wrote to memory of 3056	1460	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe	87
PID 1460 wrote to memory of 3056	1460	JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e5b677ce9f2667e863c291158775bb4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\Sys\alg.exe
  "C:\Windows\system32\Sys\alg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\mv1xfull.exe
  "C:\Users\Admin\AppData\Local\Temp\mv1xfull.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@93F3.tmp

Filesize
4KB

MD5
868c14b03cc4b2c2712084ee91f47236

SHA1
c55462ec4e726c73406b118e3f294151efa0922d

SHA256
1ed0fbb0e5cc7750aac7b13d725f190f3e09272c3802420e3a283f2012da665e

SHA512
dfb30d958e3c15dbccb05f8f75a54e2246d35b4add0fc9a5bae027cb4a228a1fa8bb5937a2c4b69539aa3deb773ed701f962ec17df29c5062d5777f2b365e0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv1xfull.exe

Filesize
680KB

MD5
038dc2471514324d7048e721bcc033dd

SHA1
cbedc1572e729e347c810d631ac12e847e6ebc38

SHA256
43f906e18bd31606e17d25b0d3b8eafd756975b78069064340b1442e29bfdd66

SHA512
4a559a6226cc21736792da69c2759c2fc66127e7d6ac55ff3fe16b5380a41245ec5dfb0c26549ddf44345c9a3eb87f7a28f6ff690137f221b84e82a717bd302c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9695.tmp\InstallOptions.dll

Filesize
12KB

MD5
4c7d97d0786ff08b20d0e8315b5fc3cb

SHA1
bb6f475e867b2bf55e4cd214bd4ef68e26d70f6c

SHA256
75e20f4c5eb00e9e5cb610273023e9d2c36392fa3b664c264b736c7cc2d1ac84

SHA512
f37093fd5cdda74d8f7376c60a05b442f884e9d370347c7c39d84eca88f23fbea6221da2e57197acd78c817a74703c49fb28b89d41c3e34817cc9301b0b6485a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9695.tmp\StartMenu.dll

Filesize
6KB

MD5
388c408cff35a38d04e3cda18f63af07

SHA1
9c2aa2ed8b526ace4267acbcf5648b2601019ac4

SHA256
4f945ad53b7aa8ed516b2f58c2ed9f15c13bbdf0e489d71c7347b80583cee5fd

SHA512
542292d61ff209f6c98c62ebad549024611a7d42fb951f8cc211b886f0d202d5e0da3b754c84c8a00043c748ed527351fc524357412cf88875e6bf729cbba46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9695.tmp\ioSpecial.ini

Filesize
692B

MD5
11787058665767cf1e06c489c393a3da

SHA1
6f90c1426362faa9e1a7139e706774add07a54d6

SHA256
dbb32d95522078a948e0286904bb6f8c37f0a7b37fb1247651b4f501f9b512b9

SHA512
ca6896dd99612f47b4c96c134905d51d4b41eecfbbbb97ae7314ad30a40d708e0aac8ea256b302a9e800545f7eca2dd72ac5b2368f3abd56ca8bd8f1a6585994

Download Submit
C:\Windows\SysWOW64\Sys\alg.001

Filesize
3KB

MD5
320993565318553c0a40a228b78c0877

SHA1
eff7d1d12b8bbdf04281321d3332060c814abcbf

SHA256
801ccad927fa02fa728ff0ef764cd75d6f5ad5a045b94948c8ae57afff262206

SHA512
4e430073c3ccfcf8de3733d97e154459143fccffc66a876a59188bdb2e602bf21f0fa2f0a8536c0e7b4ccfdb714d031bb7a2afea856b498db1de7a0bc946ddfc

Download Submit
C:\Windows\SysWOW64\Sys\alg.006

Filesize
5KB

MD5
42a4dcefb295e1f6671b7b48f9d9896b

SHA1
9a12737cd4ae54a86705cb644359ae6c46cc6168

SHA256
9206b89a2d8da683d9704be8f9ae90ca75a4c7b77ddb6d4769d34941a664268f

SHA512
56ed35b99aa21529bf0d90de32d359eb3edb191e6de1ea72b338101fd587cc0baed234a2d501e0b5d056c3a871b9696cd86bcac8a8efe35f54575ecd7442fe64

Download Submit
C:\Windows\SysWOW64\Sys\alg.007

Filesize
4KB

MD5
d2ca336725bebd1933a538f6c6543b20

SHA1
5b8401db73e11798cd5081e9564acfc197aaed8b

SHA256
d69b55bba99dc18b410da4808479adc13dd0ce9648322f5bbbea9711361bca6c

SHA512
3c17e344550c34e362e8fdc894dea8ce35d88e9a436a6aa182e0359439e90b7d382934e5386820c3f96c134dfd4035446f54e363d20ff833cc2ca8ca80e764bf

Download Submit
C:\Windows\SysWOW64\Sys\alg.exe

Filesize
459KB

MD5
897d9baaec16e826271a294e3f76467b

SHA1
bcf3e07b97ba883e8c07c729682fd227bb5a5f5a

SHA256
4b41c30b67e8a0d2c9ae07ba1b54725af0717f7ef233a528e85ab1d08912cf62

SHA512
018c15ca6e0c85264a27f2952edc73f09b1ab51e82e5ddeb4c54d4acd762f8441c84b9e1591f50854690953e664170cd80aa1edfaf9e7da09e3802e3a955bf48

Download Submit
memory/3472-28-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3472-113-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download