ardamax | bdd3814b01416d98afb92b704d388f392ef5405766419948337fc27bb56396e2

Analysis

max time kernel
74s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
Size

548KB
MD5

ab346829a6928d63a8ab9d0f37e551b2
SHA1

2b1eaae67209ea87df3ef965d7d9b8b8b5c53e8a
SHA256

bdd3814b01416d98afb92b704d388f392ef5405766419948337fc27bb56396e2
SHA512

f59c3af1e8c7a07babb5b3bba9290cb6b5f0fb8f606405d79bf71426e0530c1e86e023e70bdf3607979c05c54f8bae2091c0a0823d4ba9a2d9d6d9a09d44c233
SSDEEP

6144:2HHX+UD7g3XhqPmlcjFJbj8SlgvDr/2CRyper6S+es8pcHNkixuUIpMZ5VRYL4F/:Wx/x4c5dj8UgvHdYMc0YxuU+MAL4FwBi

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001950f-38.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2948	ardm_serv.exe
2964	Pinnacle.exe
2844	OUCW.exe

Loads dropped DLL 9 IoCs

pid	Process
2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
2948	ardm_serv.exe
2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
2948	ardm_serv.exe
2948	ardm_serv.exe
2844	OUCW.exe
2844	OUCW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OUCW Agent = "C:\\Windows\\SysWOW64\\Sys32\\OUCW.exe"	OUCW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\OUCW.007	ardm_serv.exe
File created	C:\Windows\SysWOW64\Sys32\OUCW.exe	ardm_serv.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	ardm_serv.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	OUCW.exe
File created	C:\Windows\SysWOW64\Sys32\OUCW.001	ardm_serv.exe
File created	C:\Windows\SysWOW64\Sys32\OUCW.006	ardm_serv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pinnacle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ardm_serv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUCW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2844	OUCW.exe
Token: SeIncBasePriorityPrivilege	2844	OUCW.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
2844	OUCW.exe
2844	OUCW.exe
2844	OUCW.exe
2844	OUCW.exe
2844	OUCW.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2420	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	30
PID 2044 wrote to memory of 2420	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	30
PID 2044 wrote to memory of 2420	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	30
PID 2044 wrote to memory of 2420	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	30
PID 2044 wrote to memory of 2948	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	32
PID 2044 wrote to memory of 2948	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	32
PID 2044 wrote to memory of 2948	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	32
PID 2044 wrote to memory of 2948	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	32
PID 2044 wrote to memory of 2964	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	33
PID 2044 wrote to memory of 2964	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	33
PID 2044 wrote to memory of 2964	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	33
PID 2044 wrote to memory of 2964	2044	JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe	33
PID 2948 wrote to memory of 2844	2948	ardm_serv.exe	34
PID 2948 wrote to memory of 2844	2948	ardm_serv.exe	34
PID 2948 wrote to memory of 2844	2948	ardm_serv.exe	34
PID 2948 wrote to memory of 2844	2948	ardm_serv.exe	34
PID 2420 wrote to memory of 2512	2420	cmd.exe	35
PID 2420 wrote to memory of 2512	2420	cmd.exe	35
PID 2420 wrote to memory of 2512	2420	cmd.exe	35
PID 2420 wrote to memory of 2512	2420	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab346829a6928d63a8ab9d0f37e551b2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hit.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Webzen\MU\Config" /f /v "Id" /t "REG_SZ" /d ""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- C:\Users\Admin\AppData\Local\Temp\ardm_serv.exe
  "C:\Users\Admin\AppData\Local\Temp\ardm_serv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\Sys32\OUCW.exe
    "C:\Windows\system32\Sys32\OUCW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\Pinnacle.exe
  "C:\Users\Admin\AppData\Local\Temp\Pinnacle.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pinnacle.exe

Filesize
56KB

MD5
3695122fdf4c13d32dc9bbd962b184db

SHA1
0cc310847e5a92e8c463c9d6c33a029a12c3f993

SHA256
9e2ea0ac3c425dc3b003093a82b1587dc98f285852d5a1cd9261877ffa9975dc

SHA512
857aa1c19c1c12fa7c0b5e429c07092868265afe0c6416b788957a0275fde683357c20dd1e58460a71d541f496062d9433c0eb80eec52f3ab29aaa103ed55f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hit.bat

Filesize
112B

MD5
a9462bae83e7f8dcea82fceb2ecedfb3

SHA1
68431efa134e92052907ef47e36a866e21878559

SHA256
262dd81938d5d3611672c050244b7629e70bbbd93f0bd13e4e33c221027d2b06

SHA512
28afafca63aed98f8a6c1efb2111d7284a714d753d81d0ff2fe8970b4ab752c1cd06fa0dbfc703b97059632de9cb01ab0aae9d01cac048166160701d27a716ec

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
75e14e922eeea4674c45a00335c28777

SHA1
f3268f7a91e0cef3ac1b03877daa694655e79fa1

SHA256
e103b85edbafbacc8e4ac50378ee4812b68ceccd2b6f2066243ac03674030f68

SHA512
b2c5e09c041bc235bf1be0a808c92dc5b8256447be95a0fb4bcfe9160123c63d14a4979eea28f5286a0f3f354c59f032c9a24586dfb7067150dae7339314f6fa

Download Submit
C:\Windows\SysWOW64\Sys32\OUCW.001

Filesize
488B

MD5
2085ba972166764ca02393d7870db96d

SHA1
f9c2a0e6e212b22d62943e111849e8ac6d9139f4

SHA256
301da4d5b175957e1eab0e423b07e868d7a1b7f976845fa4b5024699ce7136a4

SHA512
1fb4bb9294246b9398582fc23365e3defdb5c960c007dff33ef930602f50eb3dd1f29eb85ee159a9713604655575fa5239af8a6044ae7fc96026ec97d517c44a

Download Submit
C:\Windows\SysWOW64\Sys32\OUCW.006

Filesize
7KB

MD5
5001bd93dc919785a830ab883eefb04e

SHA1
eb4e7b7d42bf4669c1f011fcd0119012cfb957c0

SHA256
2027d2ecaa78d0ffdd4234ce531be60f230b8258ae6c001af587f6d73dba771c

SHA512
20f6a8fa9e2188aa29d101100edae17d77b4983f3e1dd4696c6fbcd47ef0bbcce392a0733c330dd7a707b0f5bb92720f684b04cdd8c0f1a0b186012001c477d8

Download Submit
C:\Windows\SysWOW64\Sys32\OUCW.007

Filesize
5KB

MD5
00c2e21155375b96338bf76afea81546

SHA1
9ec87a26f5a48db97c05b2e3990aedec0adaa999

SHA256
6f3c20f654f2f4aee0752b95d72d9f46ebf467422611b30e9baa5ad1d21a4534

SHA512
cbaf2efa919def1d351de8ad8b1e30af4bb754db833019f9d998f1c78a844b933b18c41e8764edd1632be2076fd23cd7f302cfaf3f8ed6538bc90db178db422a

Download Submit
\Users\Admin\AppData\Local\Temp\@99A1.tmp

Filesize
4KB

MD5
74ff002e34aadbe8a9f7d88d2532c5d5

SHA1
3c11c399973d2db9a94ad7a089870d026c8c859d

SHA256
57d3fc3ef8934afd806d28d705c05637c0bd2d64b91a1a3e87e9bfbbf95f6e8e

SHA512
704c6520a7c89e6432776ad31c3334d22db390474c141974fc189c03b84e4618a35707f70f7ab7337bb63775a3cc04c2f70e88d9e3f921cf9ab2116305ed1bde

Download Submit
\Users\Admin\AppData\Local\Temp\ardm_serv.exe

Filesize
480KB

MD5
cd28d44962cee104b6873cf0834d1c1c

SHA1
65e66fef27740d395add739f1a81f8a3313fceb4

SHA256
18e6f4576fccc6846fcacabbcdf1bb20839f2a21032d1b08d2ec852c940f694a

SHA512
5d3468d61c4b5b2e9ce1fce2dda1513444a5a36e9425bdaaafd1e1d6614de6cbf0a107da1c9daea6b3b6cb032d13048c4529dc07a64e8bfb3651e5a4b1844aeb

Download Submit
\Windows\SysWOW64\Sys32\OUCW.exe

Filesize
476KB

MD5
63ea07b550f22b1f5d5d6897f4d92894

SHA1
8107c9115d45c7857534f0e0b2d9837304f009f2

SHA256
729269e2ce40465fa2b512e2dfea0da818a2972070ae6fa57c92893a1276ea01

SHA512
c094235f36a1ecf1ce9082a22d34d33153595c91c941fb1e1bd9d3903e2142e6e7603db184dc19248258027e0b8377aa13f523b84a98c74c5645cd3e3c2cdf8c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads