Overview

overview

10

Static

static

10

JaffaCakes...cc.exe

windows7-x64

7

JaffaCakes...cc.exe

windows10-2004-x64

10

setup_akl.exe

windows7-x64

10

setup_akl.exe

windows10-2004-x64

10

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

8

AKV.exe

windows7-x64

3

AKV.exe

windows10-2004-x64

8

HTV.dll

windows7-x64

3

HTV.dll

windows10-2004-x64

3

HTV.exe

windows7-x64

6

HTV.exe

windows10-2004-x64

6

HTV.dll

windows7-x64

3

HTV.dll

windows10-2004-x64

8

HTV.dll

windows7-x64

3

HTV.dll

windows10-2004-x64

8

HTV.chm

windows7-x64

1

HTV.chm

windows10-2004-x64

8

HTV.exe

windows7-x64

6

HTV.exe

windows10-2004-x64

6

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

8

qs.html

windows7-x64

3

qs.html

windows10-2004-x64

8

update.exe

windows7-x64

3

update.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    112s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10-02-2025 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_akl.exe

  • Size

    418KB

  • MD5

    f6699e0d27e915996f33ddf617c9bf6c

  • SHA1

    74d69a9449331b90e46ae01577b4714b1a35391a

  • SHA256

    e2dc1886ca386f8717079b28cd52c1843de737ee24f2e521972730b9a6503c1f

  • SHA512

    104451a409acf12db353259e86b00e40b079e657f2c456a9f339977cd0a972dc23af16d2f85da12b6728294560b3cf13afe380dafe1a87ba62c81ff72b127c54

  • SSDEEP

    12288:XDKLYe6zUbRrda8Kb9zoNVSbVhyzCe1PXcZgE:TKLuGJa8Kb9q+XI51PMZgE

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 1 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Program Files (x86)\HTV\HTV.exe
      "C:\Program Files (x86)\HTV\HTV.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:316
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\HTV\qs.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\HTV\HTV.003
    Filesize

    4KB

    MD5

    c3679c3ff636d1a6b8c65323540da371

    SHA1

    d184758721a426467b687bec2a4acc80fe44c6f8

    SHA256

    d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

    SHA512

    494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

    Download Submit

  • C:\Program Files (x86)\HTV\HTV.004
    Filesize

    14KB

    MD5

    bda4860df26a5882b42b6b861376199d

    SHA1

    8437ec07c9bc3001756ae0cb214b99e1e8a53fdb

    SHA256

    9ed69f6ee86a7fca1f3ef7801d08b38d9e82ab649e6169e894e48ce85b43dc30

    SHA512

    484f45aaacdb4be03752df49c337c7596d539ee0442412083fcfeea78e1c485caf1fbb25cf8a749611358e3a895232f8d0c61c91545d98a3f2a3e1aa504859c6

    Download Submit

  • C:\Program Files (x86)\HTV\HTV.006
    Filesize

    8KB

    MD5

    43f02e9974b1477c1e6388882f233db0

    SHA1

    f3e27b231193f8d5b2e1b09d05ae3a62795cf339

    SHA256

    3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

    SHA512

    e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

    Download Submit

  • C:\Program Files (x86)\HTV\HTV.007
    Filesize

    5KB

    MD5

    b5a87d630436f958c6e1d82d15f98f96

    SHA1

    d3ff5e92198d4df0f98a918071aca53550bf1cff

    SHA256

    a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

    SHA512

    fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

    Download Submit

  • C:\Program Files (x86)\HTV\HTV.chm
    Filesize

    33KB

    MD5

    0195038e7af8da97742eb0188204c3bf

    SHA1

    b8c089c701ab283fa5aa921270b317c07cbee2c7

    SHA256

    fc14326e0719e0a59ba8fbb6763f2cc41b47d59ef177c90dc3535cd3a38720b9

    SHA512

    938c3a59895d861eb67a56f365fd387b122d42ff7bb52e5014faa738150d1eed2cd4a52b231ff70f1184fd7e3f0eb991096813b9933e574a7b4383f768384b04

    Download Submit

  • C:\Program Files (x86)\HTV\Uninstall.exe
    Filesize

    43KB

    MD5

    916ced19a86ac3006f26ea60719dd648

    SHA1

    68278a4c3d5202fff273844d8e4b488fc1daddcd

    SHA256

    3dc70f9fc553517666be9008ebcfab2b044ff711036d49e40144e0dd97910734

    SHA512

    9c08cbca52a17f810f3892d66a72ff37c3af5a60ebe34f56e3937c933e265ae0e4207410f7778434cb203a76e36dc62df09a08f3b3f4338d35b44d5c5bc8bb28

    Download Submit

  • C:\Program Files (x86)\HTV\menu.gif
    Filesize

    22KB

    MD5

    20fe009bce33b78dd40b48bc5f8accc6

    SHA1

    cd614d9b9e088eecb7e63722f61a39a0cf0ec196

    SHA256

    979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

    SHA512

    f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

    Download Submit

  • C:\Program Files (x86)\HTV\qs.html
    Filesize

    1KB

    MD5

    40d00fa24b9cc44fbf2d724842808473

    SHA1

    c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

    SHA256

    35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

    SHA512

    9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

    Download Submit

  • C:\Program Files (x86)\HTV\tray.gif
    Filesize

    7KB

    MD5

    0ac69330c3b9181b8a109fddb91fa128

    SHA1

    ef9698ccce041ce8ba3f4af37d0c2b577f19b375

    SHA256

    e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

    SHA512

    3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
    Filesize

    950B

    MD5

    2e4110e60772199afe704a5d6a894b61

    SHA1

    c4022eed4b50db9aeebe0f7d249722d655d82d37

    SHA256

    cfa16aa09de7283a49b42980c2f1b6f9756d70e634e8f3501a856d587e48e391

    SHA512

    b425b7013e804857b4b9a94b43241f9163826272265784635335285caf4515be4991c482e6df237c8166c202b3b4dfc9ae4a916118b9e57e5b03c7075c940b63

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk
    Filesize

    906B

    MD5

    b0f6274a1f3477faa5fa90f16ba56e3b

    SHA1

    e5e8f2d8b82a9b62c7e8ddc2467162e3693ee238

    SHA256

    40f01dfadcce6cde8e26db5a2ccc0cec6085701afadffc5eec24646916a00845

    SHA512

    bb715ee8d52455bf842283a607baf0b441ab26af7b156d830a44f9c83d096753ddd3dc58ecf932b512a4a74719fa5daf6db652cbe9633a593d26d15e55790e50

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk
    Filesize

    964B

    MD5

    0e071ad8fd162961500740ee6ac06c57

    SHA1

    965cce27e0f4038c1dd5d6da751813c68f35e37b

    SHA256

    fd0e1eb81548450db1f1c3e799d1a75ee564799635f84fe08bfc1030de910c0d

    SHA512

    238bf7f6c1da8e54ac1f94797147e86ba6338ce0835d9550c9a2113fd6ac87f5adb8bb49aac5fe39f94b88946f336dd9fd87e61f1903dd85fc45025cbaf420b7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c7fb21b6831f34de4cf314f76dbeef1f

    SHA1

    6178824a618031221e596dfa00826a5e21e0096f

    SHA256

    4baffb2ad07e546f2aa511ecfc79688ae663d17a2b9fa688af5fe71c06c8fe5c

    SHA512

    48fa16de43fe11b6804e2c96e86eb57831dfd591e6d77806c67082d54990352c56c9aa16558b38ce9c8baac36d2a3b8669630a5b7a03c6e90187db82cd4981de

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9c3b461d5963ff583d1d3b1f355f9390

    SHA1

    b6153ca95466448590e67dab82df4d97a64a07db

    SHA256

    2815fc5d90f8dfef8f5308432555c267a4e9e74fbc0fa55bd46a86399e5684f2

    SHA512

    b0a518e3f7b490623b21eb6678fa6df8f59ec11dc6f4dc27b53b94540d0e838fec940813b23ba3ca31ccc86b2d55972f94214546f9a62f2236ad4185b1465204

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    82ea2a555e0430c2783d17ae314cdd09

    SHA1

    b04aa5b9bbbd99ff30810f149ad1513cc1a3c0db

    SHA256

    610f4a6f5df26e19a1fdb95f5800cbc6b5840d9327e05a0a03e9e318f4124e07

    SHA512

    a760a9bfe08ad81f21dbdd15c2ddb11fcd9ea0f6176cd9033c4771ac273067305d7bbbaffaa878ae332ffa8e21926df0a54a27342d5b2695aa6fccdcce0bda32

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d63f049beffbe23bced3f4c9a5cd017d

    SHA1

    00c2d4276261116811d4dcff17749f53318c231e

    SHA256

    a940af0ae33d3c273f9c4e6f9b1dcb6c6783e7c3533fe5b62929324d09a0f5c7

    SHA512

    39a14c3da59ebab21d7eb3c086db206b941a67925f87cb1ba36b31164762e27b6006c4ba5bbfdaf804479bdb573cf8b6a44e51be2744e4f1a4e03b634da3d07d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7c8aaa696e8a6e78c600d292d8ff870a

    SHA1

    8fcfb3afa0636099ee330ce209c91b82d87294e4

    SHA256

    02a8254ae3beae1e06cd1b67e939f76ef496f8ff4ac5c2e7626471b8e5429547

    SHA512

    147114f1b4093116f159ef192e04f7bc59399b5d3d05ffc5f16112246d425ede930bbd1d337af76182ca1854875f282e4e065bf81152ff5c8918053705890269

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    039f6c5e469c62798a088013286e0354

    SHA1

    444f859b38471fb50a290983a3acae4742221971

    SHA256

    5e1e28b75a8cb4ad1ab7c2ff9b753ad7e8233e793672e21f9da516e1e36e2862

    SHA512

    1929696083892f7129ad91a2d8e7527a9dd7d1a3ed839fd0095931f64a335d2235eca2b78ca02d523e0c50fa846532ff77a221018ea0c4370fdf2d514c162a8b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab39C.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar3DE.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsu7532.tmp\ioSpecial.ini
    Filesize

    719B

    MD5

    97af48994b2901058a79edb884ae1609

    SHA1

    8d6d74f490d7838a916d6d57a9ed2b334a7e0c71

    SHA256

    b4e7567ab8aedb02e60d0e16e4dd663e12cae16e008cf15390b655b0c56f7dec

    SHA512

    f7c3205d63ff67f5ad3e02d5a67a8de3b04d5c3b790f7b9482df7fc90e3f50be0fa1849483bac30d28d321fdb5b5d6f90d34aed74a8d11f8f759f4e8b8609b6b

    Download Submit

  • \Program Files (x86)\HTV\AKV.exe
    Filesize

    395KB

    MD5

    b8fa30233794772b8b76b4b1d91c7321

    SHA1

    0cf9561be2528944285e536f41d502be24c3aa87

    SHA256

    14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

    SHA512

    10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

    Download Submit

  • \Program Files (x86)\HTV\HTV.exe
    Filesize

    473KB

    MD5

    17535dddecf8cb1efdba1f1952126547

    SHA1

    a862a9a3eb6c201751be1038537522a5281ea6cb

    SHA256

    1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

    SHA512

    b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsu7532.tmp\InstallOptions.dll
    Filesize

    14KB

    MD5

    296a5f3179fa8d7a7a855eaf696ede44

    SHA1

    57aa5b71553ed282dd22c768e039a187f5c13f63

    SHA256

    ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

    SHA512

    bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

    Download Submit