ardamax | f389a3334af3364d1920b4cb7fe291141db441672c98c1ffb1ebff94bdce0a93

Analysis

max time kernel
140s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe
Size

584KB
MD5

b7dc72142d729772324a6c50491addf1
SHA1

b6afc2e9059082723ff577eab9e73e1127e6f586
SHA256

f389a3334af3364d1920b4cb7fe291141db441672c98c1ffb1ebff94bdce0a93
SHA512

63f3ac8bff6dba8cf97dd0785a343b7c6af6c044e5821108dd752655f950262c110a5b06c41ba565e4fb1d66c7b0846a5a1036c27c70653291bd9c9766522294
SSDEEP

12288:LEtCVqAH3JdNJ7HlrwfkHopxFgtnCPyuvmPG0bagWhatcREy1kQ:CCwYJdrHl90eZCLmPG0bqhlREy1k

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016de8-20.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2396	Install.exe
2300	TWXO.exe

Loads dropped DLL 9 IoCs

pid	Process
2396	Install.exe
2396	Install.exe
2396	Install.exe
2396	Install.exe
2396	Install.exe
2300	TWXO.exe
2300	TWXO.exe
2300	TWXO.exe
2300	TWXO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TWXO Agent = "C:\\Windows\\SysWOW64\\28463\\TWXO.exe"	TWXO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	TWXO.exe
File created	C:\Windows\SysWOW64\28463\TWXO.001	Install.exe
File created	C:\Windows\SysWOW64\28463\TWXO.006	Install.exe
File created	C:\Windows\SysWOW64\28463\TWXO.007	Install.exe
File created	C:\Windows\SysWOW64\28463\TWXO.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TWXO.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\0	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\HELPDIR\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\VersionIndependentProgID\ = "MSVidCtl.MSVidStreamBufferV2Source"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\ProgID\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\Programmable\	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\FLAGS	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\Version\	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\0\win32	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\0\win32\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\FLAGS\	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\Version	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\Implemented Categories	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\InprocServer32	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\TypeLib	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSVidCtl.dll"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\121"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\VersionIndependentProgID	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\VersionIndependentProgID\	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\ProgID	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\TypeLib\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\Version\ = "1.0"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\ = "Exewesa Vebiw Object"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\InprocServer32\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\ProgID\ = "MSVidCtl.MSVidStreamBufferV2Source.1"	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\Programmable	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\FLAGS\ = "0"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\TypeLib\ = "{31264849-AAFA-F605-917C-40BEF869358E}"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B006A9A-58E9-4B49-B5B9-2DEDFA92A7AD}\Implemented Categories\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\ = "GrooveDiscussionToolDataDelegate"	TWXO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\0\	TWXO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31264849-AAFA-F605-917C-40BEF869358E}\1.0\HELPDIR	TWXO.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2300	TWXO.exe
Token: SeIncBasePriorityPrivilege	2300	TWXO.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2300	TWXO.exe
2300	TWXO.exe
2300	TWXO.exe
2300	TWXO.exe
2300	TWXO.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2396	2984	JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe	30
PID 2984 wrote to memory of 2396	2984	JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe	30
PID 2984 wrote to memory of 2396	2984	JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe	30
PID 2984 wrote to memory of 2396	2984	JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe	30
PID 2984 wrote to memory of 2396	2984	JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe	30
PID 2984 wrote to memory of 2396	2984	JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe	30
PID 2984 wrote to memory of 2396	2984	JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe	30
PID 2396 wrote to memory of 2300	2396	Install.exe	31
PID 2396 wrote to memory of 2300	2396	Install.exe	31
PID 2396 wrote to memory of 2300	2396	Install.exe	31
PID 2396 wrote to memory of 2300	2396	Install.exe	31
PID 2396 wrote to memory of 2300	2396	Install.exe	31
PID 2396 wrote to memory of 2300	2396	Install.exe	31
PID 2396 wrote to memory of 2300	2396	Install.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7dc72142d729772324a6c50491addf1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\28463\TWXO.exe
    "C:\Windows\system32\28463\TWXO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
566KB

MD5
2af18dd44920a6bebed2f548f1755135

SHA1
62eeffb45206364a72455c2db154fba1dd34460b

SHA256
b671f8776d85823476a65a869caaa9975a1af609c59283b600f2a2e6609b7f75

SHA512
1400fca61ea7f68e7ac59cbd3df8eeba0541ad4be59930e9369287b171eeec98b3b68530b023be8206123d7b1eaf9432ec49b9202e157c9a016b1f1490fddeaf

Download Submit
C:\Windows\SysWOW64\28463\TWXO.001

Filesize
398B

MD5
79d3e3a5a68e57e744b6220beac437f2

SHA1
50ec0616a38a939b3240ea282cf0b3590c345fc3

SHA256
43497b111caa6e97ca7a082b59c70e474f7fe5bb61097e278a5019e059e4cc97

SHA512
d4ccd613ab68f32ae8455076cf54606a1de91215d31d36ab6b974055790c32444ce27152330e045232a3515922b7758711e0bd22867b2839d4bb5042e87e4184

Download Submit
C:\Windows\SysWOW64\28463\TWXO.006

Filesize
8KB

MD5
5153b016d36928c296131c5c8e669446

SHA1
c444f61a2dc49ede6a2325f26d76af66de5989d2

SHA256
4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59

SHA512
c9084ff30f1f023b1f9cd00dc66cdbf846e95993093163c3e71a13535ccfc79d59be5b28a78ccfa6b0a82389b08b157676d71a9ccca2c170369080feac386f09

Download Submit
C:\Windows\SysWOW64\28463\TWXO.007

Filesize
5KB

MD5
80bbc7ace13d97396bd7b1abbaf4008b

SHA1
d013c0def603915675b1e0ce5877d413cdaf6523

SHA256
18dbfb27d4b10501e8426db1a78df8247f6570656d183f78b061d7db4c7865ae

SHA512
bc7afd0e730f432852d374812827077574181928aa97c25d8170ce1b766677383360bf2bb21afc51e8168eb3f6539ce8499c4002d86190f27d4836da3f907919

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@CB99.tmp

Filesize
4KB

MD5
557e0039dc13a0453af7ca9373a0d301

SHA1
50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

SHA256
54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

SHA512
d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

Download Submit
\Windows\SysWOW64\28463\TWXO.exe

Filesize
648KB

MD5
5530832fa82582288ce640f73a4915a0

SHA1
c40673ed59a61dd3b39f8ed6d0e1345838d98e44

SHA256
6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

SHA512
ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

Download Submit
memory/2300-30-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2300-32-0x00000000009D0000-0x0000000000AAF000-memory.dmp

Filesize
892KB

Download
memory/2300-33-0x00000000009D0000-0x0000000000AAF000-memory.dmp

Filesize
892KB

Download
memory/2300-41-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2300-42-0x00000000009D0000-0x0000000000AAF000-memory.dmp

Filesize
892KB

Download
memory/2300-46-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2984-35-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-26-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-0-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download
memory/2984-7-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads