ardamax | df8e7ef1fe0b61acbd6c72c509d322ad3998c67308b2dc04e4015b6d160d3fa2

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe
Size

2.1MB
MD5

aaa3c4c38bd5f1088db6553c3401dc79
SHA1

061993f5d8b8eca381474640c2d2b3e8b8cac8bf
SHA256

df8e7ef1fe0b61acbd6c72c509d322ad3998c67308b2dc04e4015b6d160d3fa2
SHA512

1b10403cc07ecb4ab4df4bb2e90f0aaa25b9eb6273533c309abc547b29a9d1a3c3f230f5ffca33457a0c7912f5d6b4a590e2fe741e232ce4c73c52c966449613
SSDEEP

12288:0Rq28oax930xPLD0K/uzSm1/ZLBHkt0/N8/wyDT4wA7Nm3CYvY0:0Uyaz0xPhaz3HkT/p4wimI0

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
skatenjoi92222

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d5e-31.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2352	PuzSol.exe
1864	GETTHISBITCH.exe
2748	NGHP.exe
2664	PuzSol.exe

Loads dropped DLL 26 IoCs

pid	Process
2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe
2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe
2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe
1864	GETTHISBITCH.exe
1864	GETTHISBITCH.exe
1864	GETTHISBITCH.exe
1864	GETTHISBITCH.exe
2352	PuzSol.exe
2352	PuzSol.exe
1864	GETTHISBITCH.exe
1864	GETTHISBITCH.exe
2748	NGHP.exe
2748	NGHP.exe
2748	NGHP.exe
2748	NGHP.exe
2748	NGHP.exe
2352	PuzSol.exe
2352	PuzSol.exe
2352	PuzSol.exe
2664	PuzSol.exe
2664	PuzSol.exe
2664	PuzSol.exe
2664	PuzSol.exe
2664	PuzSol.exe
2664	PuzSol.exe
2664	PuzSol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NGHP Agent = "C:\\Windows\\SysWOW64\\28463\\NGHP.exe"	NGHP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	NGHP.exe
File created	C:\Windows\SysWOW64\28463\NGHP.009	NGHP.exe
File opened for modification	C:\Windows\SysWOW64\28463\NGHP.009	NGHP.exe
File created	C:\Windows\SysWOW64\28463\NGHP.001	GETTHISBITCH.exe
File created	C:\Windows\SysWOW64\28463\NGHP.006	GETTHISBITCH.exe
File created	C:\Windows\SysWOW64\28463\NGHP.007	GETTHISBITCH.exe
File created	C:\Windows\SysWOW64\28463\NGHP.exe	GETTHISBITCH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PuzSol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NGHP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PuzSol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GETTHISBITCH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2748	NGHP.exe
Token: SeIncBasePriorityPrivilege	2748	NGHP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2748	NGHP.exe
2748	NGHP.exe
2748	NGHP.exe
2748	NGHP.exe
2748	NGHP.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2352	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	30
PID 2536 wrote to memory of 2352	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	30
PID 2536 wrote to memory of 2352	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	30
PID 2536 wrote to memory of 2352	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	30
PID 2536 wrote to memory of 2352	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	30
PID 2536 wrote to memory of 2352	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	30
PID 2536 wrote to memory of 2352	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	30
PID 2536 wrote to memory of 1864	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	31
PID 2536 wrote to memory of 1864	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	31
PID 2536 wrote to memory of 1864	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	31
PID 2536 wrote to memory of 1864	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	31
PID 2536 wrote to memory of 1864	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	31
PID 2536 wrote to memory of 1864	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	31
PID 2536 wrote to memory of 1864	2536	JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe	31
PID 1864 wrote to memory of 2748	1864	GETTHISBITCH.exe	32
PID 1864 wrote to memory of 2748	1864	GETTHISBITCH.exe	32
PID 1864 wrote to memory of 2748	1864	GETTHISBITCH.exe	32
PID 1864 wrote to memory of 2748	1864	GETTHISBITCH.exe	32
PID 1864 wrote to memory of 2748	1864	GETTHISBITCH.exe	32
PID 1864 wrote to memory of 2748	1864	GETTHISBITCH.exe	32
PID 1864 wrote to memory of 2748	1864	GETTHISBITCH.exe	32
PID 2352 wrote to memory of 2664	2352	PuzSol.exe	33
PID 2352 wrote to memory of 2664	2352	PuzSol.exe	33
PID 2352 wrote to memory of 2664	2352	PuzSol.exe	33
PID 2352 wrote to memory of 2664	2352	PuzSol.exe	33
PID 2352 wrote to memory of 2664	2352	PuzSol.exe	33
PID 2352 wrote to memory of 2664	2352	PuzSol.exe	33
PID 2352 wrote to memory of 2664	2352	PuzSol.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\PuzSol.exe
  "C:\Users\Admin\AppData\Local\Temp\PuzSol.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PuzSol.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PuzSol.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\GETTHISBITCH.exe
  "C:\Users\Admin\AppData\Local\Temp\GETTHISBITCH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\28463\NGHP.exe
    "C:\Windows\system32\28463\NGHP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gunning\gunning.png

Filesize
5KB

MD5
69902a4414830469ebe68368e4124ea0

SHA1
5be8676f5a6707029396f011e2b8a3d95e6fac1f

SHA256
8fa2ddc04826b9f7c971122edc08c25d670d611f80ef49b634b5b86518b33bf3

SHA512
d55143196e1c331e5fbb088e0d14381cf16d2bf7cb60191093eb1f0295b916f4cf6e4523f06a42bd1ec0b2ebc19dfd116206cfa9ad8d6af36ba812dfccfd8593

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MySql.Data.dll

Filesize
344KB

MD5
93340a23133f995b119130db803527de

SHA1
1fe6fe7884a62015f7e02348e0d8e2c5ed122d5a

SHA256
86525a33e425f2afbd00cbaedaa0135bb69145db51a042b65b0c46b1b5dbeb81

SHA512
2ba3b3978c0c77c90f64aa57dff17d2e0fc22a2616603f4924b377ac3c779cb9464801341980a1d6a1892e0f50bbf4f6c6ad08c1c4ca5fd850f06efaf238f29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\puzsol.bmp

Filesize
11KB

MD5
12e1bf4ce6e8f39e5429a66ba02506a3

SHA1
fea6d251d6310be127e1ec4cf88ea4fbd989bc8f

SHA256
cc8455add7ec41b00a86c6298d2cf030ae7f262fa9060ecdca8523d8526c4db2

SHA512
1fb75cf0fbbd088ed814f97bf93ca16746f12b7bbda161d52a12c43d329cbf912a0f528a25b940f8cfe6b552de169499ca3d1bce2a13d20b58b89c38dd17778f

Download Submit
C:\Windows\SysWOW64\28463\NGHP.001

Filesize
416B

MD5
dbf2e2c5051159fd5b63e974b84d8382

SHA1
ab75bc0f8770513f03a73d6dde2718b9071c3b32

SHA256
8386b4f3edc8fdac2fbc39e4be5e488d4e8b653c6472e04f192fa345522e87f6

SHA512
002d3ade7f9cdb23e56d5ee8a5f874077e471db3e9a1a9f88574ead52239d2b3744be41f195cb3fb3d0817dc9cb0d2cb3cd40ca4bfb2a9bb6dd2dc5f2d3d1bd3

Download Submit
C:\Windows\SysWOW64\28463\NGHP.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\NGHP.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\NGHP.009

Filesize
367KB

MD5
cef6f02b238ac5fcc0c573702a25e501

SHA1
53e5462fa644231e77f828d053b5619ae765dcc7

SHA256
2bf9609e30d10b6bd1e19388da80ae79ae62c3523cff2521639d7e4d26011d43

SHA512
9fd04cf179e3c12bf7647d628992431ef76e4a0539f007d9d87f82807f5fd68b90a00932dfb2bc5f0a0bf127fbeaf28f5a25f4f74c50b8af3298892d4eb916c9

Download Submit
\Users\Admin\AppData\Local\Temp\@867E.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
\Users\Admin\AppData\Local\Temp\GETTHISBITCH.exe

Filesize
271KB

MD5
ad747eafd305160145bf3035e73ae6e5

SHA1
1a346794bcfe8e3bff58c21050a84de290e964a6

SHA256
b22330c269cfd29ac3d12e4234e823bac87d39a54fba0583a586fe002794dba4

SHA512
9d7b39c955153e32d77f22b939aee00954f6773857d25a9cb48003b19277354df75bee6d4615c69825153bb7444c01093fbdf9853b5bc7fb9b95fd9943b70613

Download Submit
\Users\Admin\AppData\Local\Temp\PuzSol.exe

Filesize
259KB

MD5
52669c5dff6b70e1705d7702e391faf8

SHA1
c0e3a6a464558078d40ae9d5ac239a66998ae963

SHA256
12577f88cc5f0a380fb37f13a9fe4550f9865f69010593b12a4fd9911ebe1198

SHA512
e13590abd9456b23167481f98ea40d4c8eb3c8917eac3f2a7ae5d26069e96bce80a85f47c504dab2dc5c941adc5f0d0d3bb0c07e754418a010f19009327b4853

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PuzSol.exe

Filesize
56KB

MD5
68c9d291ce3b5c4350619c62701c4d6d

SHA1
0dce35db4d8b7bd1785cbd3f7f17c1826ea71c78

SHA256
fc8b904016047532f3dc7864f6432f8dae3f22bd87bc97784882a8aa1952a47d

SHA512
21601cfe9c71ffe7d9a0d81d62a16e464c1dfe63a84b73fb7c0c8ebaf13e1258aa4a8a2ef953322647d4eff31f155a28bacba65421e3f7f2f5634b79041930c3

Download Submit
\Windows\SysWOW64\28463\NGHP.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
memory/2352-93-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads