ardamax | 48542559cb35465cdb32360ba981d1f4e5ae421abbc3ff7bc04c76bcd082a081

Analysis

max time kernel
107s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
Size

941KB
MD5

b949c483be058356cc171fe1b74bd432
SHA1

a2c57051e27716442a003efddfad0d8b668d7c60
SHA256

48542559cb35465cdb32360ba981d1f4e5ae421abbc3ff7bc04c76bcd082a081
SHA512

5fe0bed0ebf6c4fb7709e126d2610a249bfc0a0d2f76b0a9fca35419dae2303ce81091762ef64a36a03fe0c2165d06567b5a6ef1dbde80fc934010091de94a4a
SSDEEP

24576:/VPz3xmx+9rRTLf2n0R632q61Do2S39Q/yxmY8Q:/1z3cx+9rRTBjho2csY8Q

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023cc5-12.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
41	2864	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe

Executes dropped EXE 4 IoCs

pid	Process
380	MADK.exe
3688	epe.exe
5088	epe.tmp
3684	epe.exe

Loads dropped DLL 15 IoCs

pid	Process
1140	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
380	MADK.exe
380	MADK.exe
380	MADK.exe
5088	epe.tmp
5088	epe.tmp
5088	epe.tmp
3688	epe.exe
3688	epe.exe
3688	epe.exe
5088	epe.tmp
5088	epe.tmp
3684	epe.exe
3684	epe.exe
3684	epe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MADK Agent = "C:\\Windows\\SysWOW64\\28463\\MADK.exe"	MADK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\MADK.001	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
File created	C:\Windows\SysWOW64\28463\MADK.006	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
File created	C:\Windows\SysWOW64\28463\MADK.007	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
File created	C:\Windows\SysWOW64\28463\MADK.exe	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
File opened for modification	C:\Windows\SysWOW64\28463	MADK.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Easy Photo Effects\unins000.dat	epe.tmp
File created	C:\Program Files (x86)\Easy Photo Effects\is-VL6N0.tmp	epe.tmp
File created	C:\Program Files (x86)\Easy Photo Effects\is-A0P2G.tmp	epe.tmp
File opened for modification	C:\Program Files (x86)\Easy Photo Effects\unins000.dat	epe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MADK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epe.tmp

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
624	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	380	MADK.exe
Token: SeIncBasePriorityPrivilege	380	MADK.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5088	epe.tmp

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
380	MADK.exe
380	MADK.exe
380	MADK.exe
380	MADK.exe
380	MADK.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 380	1140	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe	87
PID 1140 wrote to memory of 380	1140	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe	87
PID 1140 wrote to memory of 380	1140	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe	87
PID 1140 wrote to memory of 3688	1140	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe	88
PID 1140 wrote to memory of 3688	1140	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe	88
PID 1140 wrote to memory of 3688	1140	JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe	88
PID 3688 wrote to memory of 5088	3688	epe.exe	90
PID 3688 wrote to memory of 5088	3688	epe.exe	90
PID 3688 wrote to memory of 5088	3688	epe.exe	90
PID 5088 wrote to memory of 3684	5088	epe.tmp	101
PID 5088 wrote to memory of 3684	5088	epe.tmp	101
PID 5088 wrote to memory of 3684	5088	epe.tmp	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b949c483be058356cc171fe1b74bd432.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\28463\MADK.exe
  "C:\Windows\system32\28463\MADK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:380
- C:\Users\Admin\AppData\Local\Temp\epe.exe
  "C:\Users\Admin\AppData\Local\Temp\epe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\is-9J18B.tmp\epe.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9J18B.tmp\epe.tmp" /SL5="$50062,232654,66048,C:\Users\Admin\AppData\Local\Temp\epe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Program Files (x86)\Easy Photo Effects\epe.exe
      "C:\Program Files (x86)\Easy Photo Effects\epe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3684

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkY3N0M5RkMtRjM4My00QTMzLTlEMjctRkU0NEUxMTg2NjFFfSIgdXNlcmlkPSJ7QkYyRTFBREEtOEQ5Ri00ODc3LTg4MkEtMEZFODREQzUxRkM1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjMzRUI5NTEtQjZDNy00QzY5LUI1NzYtOEIyOTAyRkQyOURFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzk0MzA1MTg3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Easy Photo Effects\epe.exe

Filesize
216KB

MD5
b4fc8cb0fb208e3a41efc5c5065ddef8

SHA1
10e6ae4aba4db1138140174cd940aa3fd19af2e8

SHA256
68c39f1ef906f6b9a439468ae28d404208a98e845ce6d12d58d8668b5bf797e1

SHA512
735c12c1625376f1db6d2ba5af28882af24704f266d5ed9591c3722e6a146a1b80bf3c1330c8eb331af791a4fe9b9e08093bd52b5dcedfcfba2d816eec983f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\@800D.tmp

Filesize
4KB

MD5
25530555085337eb644b061f239aa9d4

SHA1
8d91e099aba5439d4bfa8bce464c94e3e1acf620

SHA256
3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325

SHA512
b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\epe.exe

Filesize
475KB

MD5
0b6f2653919db1a6da412d8393adaa88

SHA1
b068af5c3d2900cc5fafdf01cbcacb38af19236b

SHA256
bdce73f52a5ebfad5e04c4c29caad46d9fa55c13206fa87d0a4fdf99dbecc01f

SHA512
508f6fce6b3bd24c876b4b3d0837192bb4df8396706a84a370644be1ff1ceb20436fa27d65b1cd5dc7b63518dc7644f0b4ff62b5d08ad6b8523fde9360968033

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9J18B.tmp\epe.tmp

Filesize
699KB

MD5
43bd34e0e3cd163bc8699a04d07bb7c6

SHA1
d5f2aedc2a673cb6b43fa7d4c3884d10149b7d77

SHA256
6921cdc882019f31f9f2b2f0c8a58c973903efdff3825b4e27c7725030cb4ef1

SHA512
fb3eb5f204ed61bb5d00179b450b094cd0736d863255c61241728f37aeac87813af0c5759ca41c953184fe0f8263716a76b1bff57e962382a305eced7e4003f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LI9RC.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
d63cc8679a63448db1c64252e14e4ab5

SHA1
10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e

SHA256
29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d

SHA512
cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

Download Submit
C:\Windows\SysWOW64\28463\MADK.001

Filesize
428B

MD5
5e116b4dc01fe3be8160742cfa1ae69a

SHA1
53814939b44f8af34acff85dd73a3ab16d5c38de

SHA256
19f19f17d27b9c6adc8e8e39e2ce6f0d88417517e1c9dc4901abe29d488c62c8

SHA512
d40641b8be65d47322d171a33f0b058068198a7f75320c679cbf4f15caa1135643e48d354bfda8652c6b5d4f61c8a2ccd6a392ba803d8219ddba0a6d4f866504

Download Submit
C:\Windows\SysWOW64\28463\MADK.006

Filesize
8KB

MD5
81e20f4361cf8f5a57812871c24d945e

SHA1
5d7877d6959ab26599b05795a71633f00c37a3da

SHA256
e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d

SHA512
69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

Download Submit
C:\Windows\SysWOW64\28463\MADK.007

Filesize
5KB

MD5
e9fbdcc2f5fb657fa519b3f5c69fc52d

SHA1
c49cca77b46a59d620711de7564d43e5dafcd2b5

SHA256
cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4

SHA512
913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

Download Submit
C:\Windows\SysWOW64\28463\MADK.exe

Filesize
473KB

MD5
97d8ad45f48b4b28a93aab94699b7168

SHA1
8b69b7fd7c008b95d12386f6da415097e72151de

SHA256
661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331

SHA512
3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

Download Submit
memory/380-33-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/380-64-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3688-99-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3688-37-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3688-35-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3688-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5088-61-0x0000000003930000-0x000000000396C000-memory.dmp

Filesize
240KB

Download
memory/5088-66-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5088-71-0x0000000003930000-0x000000000396C000-memory.dmp

Filesize
240KB

Download
memory/5088-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5088-73-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5088-67-0x0000000003930000-0x000000000396C000-memory.dmp

Filesize
240KB

Download
memory/5088-98-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5088-56-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads