ardamax | 19930c08bb581aba6540bcfe0f561f5dd5a4a498be9930bd529f416d67e7bb46

Analysis

max time kernel
146s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe
Size

603KB
MD5

c76ad6972f8faddae5fd17f3654cd94d
SHA1

299f564fe88d1b4a36aab11e864b862043eed825
SHA256

19930c08bb581aba6540bcfe0f561f5dd5a4a498be9930bd529f416d67e7bb46
SHA512

ce803b0f446a328271f82cde511e35880d9bb744d24cd961863c5c1477b84a992f26e7b8b33016457e095cca13a0662b0000655e38d014f7f62d64f7dae2f197
SSDEEP

12288:1z+E4EDqyjkl4EvzmSYlMT8ibZkBd9c0HwS/LX4wzmKBK:N+cjO4E7mSVT8il09LX3y7

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a309-51.dat	family_ardamax

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2884	Install.exe
2676	Exporer32.exe
2064	system32KWLM.exe

Loads dropped DLL 10 IoCs

pid	Process
2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe
2884	Install.exe
2884	Install.exe
2884	Install.exe
2884	Install.exe
2884	Install.exe
2676	Exporer32.exe
2676	Exporer32.exe
2676	Exporer32.exe
2676	Exporer32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\APIMon = "C:\\Windows\\system32\\Install.exe"	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32KWLM Agent = "C:\\Windows\\system32KWLM.exe"	system32KWLM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Install.exe	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe
File opened for modification	C:\Windows\SysWOW64\Install.exe	Install.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32KWLM.007	Exporer32.exe
File created	C:\Windows\system32KWLM.exe	Exporer32.exe
File created	C:\Windows\system32AKV.exe	Exporer32.exe
File created	C:\Windows\system32KWLM.001	Exporer32.exe
File created	C:\Windows\system32KWLM.006	Exporer32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32KWLM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2064	system32KWLM.exe
Token: SeIncBasePriorityPrivilege	2064	system32KWLM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2056	DllHost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2884	Install.exe
2064	system32KWLM.exe
2064	system32KWLM.exe
2064	system32KWLM.exe
2064	system32KWLM.exe
2064	system32KWLM.exe
2056	DllHost.exe
2056	DllHost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2884	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	30
PID 2604 wrote to memory of 2884	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	30
PID 2604 wrote to memory of 2884	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	30
PID 2604 wrote to memory of 2884	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	30
PID 2604 wrote to memory of 2884	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	30
PID 2604 wrote to memory of 2884	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	30
PID 2604 wrote to memory of 2884	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	30
PID 2604 wrote to memory of 2816	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	31
PID 2604 wrote to memory of 2816	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	31
PID 2604 wrote to memory of 2816	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	31
PID 2604 wrote to memory of 2816	2604	JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe	31
PID 2884 wrote to memory of 2676	2884	Install.exe	33
PID 2884 wrote to memory of 2676	2884	Install.exe	33
PID 2884 wrote to memory of 2676	2884	Install.exe	33
PID 2884 wrote to memory of 2676	2884	Install.exe	33
PID 2884 wrote to memory of 2676	2884	Install.exe	33
PID 2884 wrote to memory of 2676	2884	Install.exe	33
PID 2884 wrote to memory of 2676	2884	Install.exe	33
PID 2676 wrote to memory of 2064	2676	Exporer32.exe	34
PID 2676 wrote to memory of 2064	2676	Exporer32.exe	34
PID 2676 wrote to memory of 2064	2676	Exporer32.exe	34
PID 2676 wrote to memory of 2064	2676	Exporer32.exe	34
PID 2676 wrote to memory of 2064	2676	Exporer32.exe	34
PID 2676 wrote to memory of 2064	2676	Exporer32.exe	34
PID 2676 wrote to memory of 2064	2676	Exporer32.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\Install.exe
  "C:\Windows\system32\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32KWLM.exe
      "C:\Windows\system32KWLM.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\x.bat" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c76ad6972f8faddae5fd17f3654cd94d.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2816

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KAKA.png

Filesize
72KB

MD5
89b9169915100c2bacb6136fa1e5eacc

SHA1
309c2c8027e01d57d5ad9f3c6b8fc6c7576ce51e

SHA256
e023327c4aabcc9ed4476c0b0637dbdda9b8d38557692d3ff5e5746521930e32

SHA512
ced168b2d7dcb389e9cab2a93b44be23c0c3b31253488662e5ac436a98ad8483319a0669d1f1c74919c5cecbd1ab537c986df9845c6fbaf1664b3325585932cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.bat

Filesize
512B

MD5
7a18a248c18ebe6e2d64a0a46795fd31

SHA1
9c7e43071d46c846919727dff6e44f83ae1018eb

SHA256
6817a966d98a4064fc81ba6e974fce9ffc370e5f43b8455d3c4d3ecc427f6963

SHA512
6907221fa79d5c9a701f7ca4c5fa1431a28fbb66912d199295b561b7ccbb5862f84f2a7505bf62870ddd0f2a01c421ce673379d63cb1b18fc7dafec17a679ff7

Download Submit
C:\Windows\system32KWLM.001

Filesize
428B

MD5
735453d7729e14db23c7d220c212c607

SHA1
8183eebb0e14d65e2d54dfdb0b8865f5300385d7

SHA256
3b9647308f03610d9c210e27e946f60b18592fb5be9097781bfaefd767a0b2de

SHA512
a9df19c8251f1986bc5eac5fec50caf1a22ab51a00a23bafd99a1bf05487793f32f56439fdff84c4ee771184d1ed27a0b4d9d112a45d6be72b6183974ce4eebd

Download Submit
C:\Windows\system32KWLM.006

Filesize
7KB

MD5
32dd7b4bc8b6f290b0ece3cc1c011c96

SHA1
b979683868b399c6a6204ebaed9fc9c784a0429a

SHA256
6dcce9bbba5c2de47eea3abf7597a9c4fb2e4d358efc3752fa65c169cccfa2a1

SHA512
9e0d720799fe816f7d09c8a722b762203b6f12a8625c1c93cd640219ecc35969bd641b4d9e6dc04ab6f95ceb73235a438eb7d48ee9402118db3618b5760551ea

Download Submit
C:\Windows\system32KWLM.007

Filesize
5KB

MD5
e8155b68775ed29590e14df80fdc0e9f

SHA1
ed449da02e648a524004c265f3c37496d2f07f1f

SHA256
b39ba894b0a9a3201461ddd9ee9b297928e793dff221a47f019e75c11df631f3

SHA512
b14e00c46cf9bed0aca0f85775f624ff064f2d2afe1fa68b61bee5729db73cf9a8eced669c52d7cbb9504ff1b369a9a16a0f36c71a70c13c0bd1eaf5e07ccc11

Download Submit
C:\Windows\system32KWLM.exe

Filesize
471KB

MD5
3c06bbc025b61d2182ef5573f2852bda

SHA1
ebc1464c00b13fb5b3f80a59c80b595020e1fe7c

SHA256
e7f64e7215284cdeb8ef1eba28733f7aeae7f6977f82809d8de1e76a2e249085

SHA512
9d839ada211b85fc1efb1fe7bb3ce66fcf0e8069221d958234649c2ac5dc0f1bd06f1a016f9c727077af36fb46cac5409be9c8a8201d17f689c6b473aa01acdc

Download Submit
\Users\Admin\AppData\Local\Temp\@8AB3.tmp

Filesize
4KB

MD5
d9e02f226fc338d14df200ba9a700625

SHA1
414f134a16a309b31e418ed9e08c0c48aaf6e2bc

SHA256
8165757efb79acceb9fd0bfae6b2c19b8f087cc0461abb17941d460dbdf2e260

SHA512
13c73381602fe2593312d41ab4bc5cd5f922ac651f9e71e3fe3c58e7f0c5c73ecc9d79d61ec46f33a0a81cf73373421eeb510bd99650c0f53af30974ed61b8ca

Download Submit
\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
501KB

MD5
2688b0fd498a21589dc1ea7ed8028ff3

SHA1
505f24b08b228e34f99ac63a8d26951fdc6fc991

SHA256
b04cba86b2944f30d1611249328e8680bebf7d0f58b7bcae556d928baded1883

SHA512
ec4950377b8540b11d1a1998611547d4e5e761a1c4250a8acae972d31b68c1aee31856a44509bf76511e938124f61e0b5e65a409b6cce831100f8da4559c6455

Download Submit
\Windows\SysWOW64\Install.exe

Filesize
521KB

MD5
549365bc58ff9679e2f55cf92bcf28d9

SHA1
af32bc5c73daccd154d56375c5585c6677563997

SHA256
7e85ddb7260345d9e673d23c7b8e4f64938b87b92019c51555a5f884cde13e5c

SHA512
0edd066ceb43e4d2f0e36301332068339309c1493ba1a5f8dc30743c39bab1025a72bb55918317d418d81159c271af59b283e247b6c472fb57f68f648777c301

Download Submit
memory/2056-2-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2056-4-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2056-62-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2056-60-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2056-61-0x0000000003860000-0x0000000003866000-memory.dmp

Filesize
24KB

Download
memory/2064-63-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2064-64-0x0000000001F30000-0x0000000001F36000-memory.dmp

Filesize
24KB

Download
memory/2604-19-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2604-1-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads