ardamax | e9f8b461830ec4fb8db0929b1483635487aba50fa85f110b31e22989206bf5d0

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Size

4.1MB
MD5

b1bdda75292f2af0348a91d116a7009d
SHA1

95aa3a27d749b6ba4991f6e47508b6df28790390
SHA256

e9f8b461830ec4fb8db0929b1483635487aba50fa85f110b31e22989206bf5d0
SHA512

2af1d8e0a65ef1442f19ca0bc23292cda9c442b0b9458d420879b219ffe631638b41994b7e05cd06439720d5278e6296a3f42dc25ae3ac149172840202462435
SSDEEP

98304:oBXfxVOmIzJ+PCNmiRXkEI0eIDFOxvNqonb+x/1H8QrvRJxTwy:onkmIzJMCNrOH0edZnb+p1d1XTr

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer trojan

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000193b8-618.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2012	Install.exe
2056	ECW.exe
2252	install_flash_player_ax.exe

Loads dropped DLL 14 IoCs

pid	Process
2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
2012	Install.exe
2012	Install.exe
2056	ECW.exe
2056	ECW.exe
2012	Install.exe
2252	install_flash_player_ax.exe
2252	install_flash_player_ax.exe
2056	ECW.exe
2252	install_flash_player_ax.exe
2056	ECW.exe
2252	install_flash_player_ax.exe
2252	install_flash_player_ax.exe
2252	install_flash_player_ax.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ECW Start = "C:\\Windows\\SysWOW64\\FFKMDP\\ECW.exe"	ECW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	install_flash_player_ax.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FFKMDP\ECW.004	Install.exe
File created	C:\Windows\SysWOW64\FFKMDP\ECW.001	Install.exe
File created	C:\Windows\SysWOW64\FFKMDP\ECW.002	Install.exe
File created	C:\Windows\SysWOW64\FFKMDP\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\FFKMDP\ECW.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\FFKMDP\	ECW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ECW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install_flash_player_ax.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2252	install_flash_player_ax.exe
2252	install_flash_player_ax.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Token: SeIncBasePriorityPrivilege	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Token: 33	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Token: SeIncBasePriorityPrivilege	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Token: 33	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Token: SeIncBasePriorityPrivilege	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
Token: 33	2012	Install.exe
Token: SeIncBasePriorityPrivilege	2012	Install.exe
Token: 33	2056	ECW.exe
Token: SeIncBasePriorityPrivilege	2056	ECW.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2056	ECW.exe
2056	ECW.exe
2056	ECW.exe
2056	ECW.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2012	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe	31
PID 2332 wrote to memory of 2012	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe	31
PID 2332 wrote to memory of 2012	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe	31
PID 2332 wrote to memory of 2012	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe	31
PID 2332 wrote to memory of 2012	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe	31
PID 2332 wrote to memory of 2012	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe	31
PID 2332 wrote to memory of 2012	2332	JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe	31
PID 2012 wrote to memory of 2056	2012	Install.exe	32
PID 2012 wrote to memory of 2056	2012	Install.exe	32
PID 2012 wrote to memory of 2056	2012	Install.exe	32
PID 2012 wrote to memory of 2056	2012	Install.exe	32
PID 2012 wrote to memory of 2056	2012	Install.exe	32
PID 2012 wrote to memory of 2056	2012	Install.exe	32
PID 2012 wrote to memory of 2056	2012	Install.exe	32
PID 2012 wrote to memory of 2252	2012	Install.exe	33
PID 2012 wrote to memory of 2252	2012	Install.exe	33
PID 2012 wrote to memory of 2252	2012	Install.exe	33
PID 2012 wrote to memory of 2252	2012	Install.exe	33
PID 2012 wrote to memory of 2252	2012	Install.exe	33
PID 2012 wrote to memory of 2252	2012	Install.exe	33
PID 2012 wrote to memory of 2252	2012	Install.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1bdda75292f2af0348a91d116a7009d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Scanner Tools\20.1.11.06\2012.04.15T06.40\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Scanner Tools\20.1.11.06\2012.04.15T06.40\Native\STUBEXE\@SYSTEM@\FFKMDP\ECW.exe
    "C:\Windows\system32\FFKMDP\ECW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2056
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Scanner Tools\20.1.11.06\2012.04.15T06.40\Native\STUBEXE\@APPDATALOCAL@\Temp\install_flash_player_ax.exe
    "C:\Users\Admin\AppData\Local\Temp\install_flash_player_ax.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install_flash_player_ax.exe

Filesize
2.7MB

MD5
0766fa410de6928f1220023d08d00289

SHA1
944c1f2055cd85af37ef44629773c2cf1d02a21c

SHA256
03c5efe2065b5100cf8a72f0c16273abd59e856c51d652a13fa020d70632ae19

SHA512
0adf3e013eb67b563c629448423149fb084f9311486d56f2da154912b7d532ab27c59313917092ac3d61ace9b440082043c9d4b9cf95182165c279eafc76407a

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Scanner Tools\20.1.11.06\2012.04.15T06.40\Native\STUBEXE\@APPDATALOCAL@\Temp\install_flash_player_ax.exe

Filesize
17KB

MD5
92008c373ef62064de18a9b4db4023a9

SHA1
8f5b8775e754ba9370603b24deb31928cce705ee

SHA256
73efa286284199ce2d31d55d782e79256331be77baa5e26dc7239c0c22f3e0d6

SHA512
d8aea28aa484d7d94296696e444a6fd6b83ebfe0516d841a10d82bdceaa04c6f8fd40ceeb016c00f6182614cb172e045aacab6f66af1187d492656c1a146bca6

Download Submit
C:\Windows\SysWOW64\FFKMDP\AKV.exe

Filesize
456KB

MD5
51507d91d43683b9c4b8fafeb4d888f8

SHA1
ead2f68338da7af4720378cd46133589fc9405ba

SHA256
71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b

SHA512
a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c

Download Submit
C:\Windows\SysWOW64\FFKMDP\ECW.002

Filesize
43KB

MD5
93df156c4bd9d7341f4c4a4847616a69

SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1

SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

Download Submit
C:\Windows\SysWOW64\FFKMDP\ECW.004

Filesize
1KB

MD5
c7fd5964dbe2004bd8612ca43a7cd68c

SHA1
13cb9aacfbc475e1ea5edbe7dba272a2cce770cb

SHA256
2c076d964840b74188bc9c2177402a21faa945920b3f7402ba73e2475577a8e1

SHA512
ac8a8982ed7abf79e48c62f2925f01c50e420bebe7c3a81dc97a628a151b9cbc269fd7890a5c77acb144b06272dacae1170cdbae3d21f05ef74e0f8cef579245

Download Submit
C:\Windows\SysWOW64\FFKMDP\ECW.exe

Filesize
1.7MB

MD5
3cd29c0df98a7aeb69a9692843ca3edb

SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2

SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

Download Submit
\Users\Admin\AppData\Local\Temp\1008.tmp

Filesize
304KB

MD5
cf6e2c2b79a9f3e7762faacd53e98457

SHA1
00cea67381b601e376b0a0de202589db3ef9896d

SHA256
bae6b00723831624c79c2f0c868f283529776f05ec9aca6aad2dfaacd1ccd96f

SHA512
056d1e95b75b92cfcd149c3c3277aff3ef18b498268c4c0b09be15eb3c2229f6a1ed7b7380ee68fb2241062e34a9b23b2b1e42fdfdecf399fd444b6c2ad4fe56

Download Submit
\Users\Admin\AppData\Local\Temp\1372.tmp

Filesize
229KB

MD5
c0914cac813eb9b99a67fef8c951ee53

SHA1
11b945fabd8dfb57ebf20773020522ee02db402e

SHA256
75f9cec60688a9524bcb20433334ef4d07d5e28b9af7ac407da4b63ca7b82bec

SHA512
514340ba03df99f87e3195bf3be5b9a7cc15b90a0df43abd4ae2739df6cfdd9c98a18b7c5b28fb38c24133adc8503a8eaa14999c52d8a6248c11b3a80c596690

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Scanner Tools\20.1.11.06\2012.04.15T06.40\Native\STUBEXE\@SYSTEM@\FFKMDP\ECW.exe

Filesize
17KB

MD5
3c69601eda703669caf6e866408f02ca

SHA1
6c7a9efe6ce4b5ecba79bc52a51ea8feb3a4aacb

SHA256
036ae1db34e1964ca5745e3d9bf2028ace023a63362164c6eae3219f0ab5d52b

SHA512
fdd3dcfce298b012b0a8264b6935eb0cf1afdb483ad7479dae0ba658084ed22f7405b8d5812bb7db10a211d6885dd287ccb1752875adb0235c6763a6d5fd092c

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Scanner Tools\20.1.11.06\2012.04.15T06.40\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe

Filesize
17KB

MD5
52c26eb1935be0e3747c0b9bc8ad3658

SHA1
28ce4419480b1f6d23c0f689b7ca8608e6454ea0

SHA256
7848da8349abaeb6a153e0b9dd6f94afff69dfc9f6935ab1c1114b7b185ea557

SHA512
404b485d0d563812409bb25b2011b3465d82dc619d6258580936d323845b00b91fc56d86f60105a553c6e53a96209f2d4bf154e631f0d3b9da63b9ae4eaca4b0

Download Submit
\Windows\SysWOW64\FFKMDP\ECW.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
memory/2332-114-0x0000000077480000-0x0000000077481000-memory.dmp

Filesize
4KB

Download
memory/2332-56-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-18-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-16-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-14-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-12-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-10-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-8-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-6-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-4-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-2-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-1-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-0-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-54-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-66-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-22-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-129-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-64-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-62-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-60-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-58-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-20-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-52-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-50-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-48-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-46-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-44-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-42-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-40-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-39-0x0000000077480000-0x0000000077481000-memory.dmp

Filesize
4KB

Download
memory/2332-38-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-144-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-146-0x0000000077480000-0x0000000077481000-memory.dmp

Filesize
4KB

Download
memory/2332-147-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-254-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-24-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-26-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-28-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-32-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-34-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-30-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2332-820-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download