ardamax | df4e0b1a2c9a074d75e59d23973c66933f38c6b75cf63001606a2bbac2ad2f14

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2025 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe
Size

2.3MB
MD5

f73b38e94bd220140fb887a3879b7da2
SHA1

e4480f6c532de1e100676ea967f4d9af73f38e1c
SHA256

df4e0b1a2c9a074d75e59d23973c66933f38c6b75cf63001606a2bbac2ad2f14
SHA512

50bcd7c0214321b8ffdfe4cb4c67b59394688024aa837acad1dc369a64aa7d57df19ebe9e15ac08f318c7ffc6a0f8e64b5a11bf202a019990988d8b467617fef
SSDEEP

49152:qkGY5DR6PotY25kb8AQoy3dF8eVbHlVCKurV4RQ6wf08bv3f:qXY596PolmQAny3L8eVLqryuP08bv3f

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e5bf-51.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
36	2364	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	Fix.exe

Executes dropped EXE 2 IoCs

pid	Process
1520	Fix.exe
4520	QHCM.exe

Loads dropped DLL 10 IoCs

pid	Process
4856	JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe
4856	JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe
4856	JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe
1520	Fix.exe
4520	QHCM.exe
964	NOTEPAD.EXE
4520	QHCM.exe
4520	QHCM.exe
964	NOTEPAD.EXE
964	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHCM Agent = "C:\\Windows\\SysWOW64\\28463\\QHCM.exe"	QHCM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	Fix.exe
File opened for modification	C:\Windows\SysWOW64\28463	QHCM.exe
File created	C:\Windows\SysWOW64\28463\QHCM.001	Fix.exe
File created	C:\Windows\SysWOW64\28463\QHCM.006	Fix.exe
File created	C:\Windows\SysWOW64\28463\QHCM.007	Fix.exe
File created	C:\Windows\SysWOW64\28463\QHCM.exe	Fix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QHCM.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1756	MicrosoftEdgeUpdate.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings	Fix.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
964	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4520	QHCM.exe
Token: SeIncBasePriorityPrivilege	4520	QHCM.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4520	QHCM.exe
4520	QHCM.exe
4520	QHCM.exe
4520	QHCM.exe
4520	QHCM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1520	4856	JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe	91
PID 4856 wrote to memory of 1520	4856	JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe	91
PID 4856 wrote to memory of 1520	4856	JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe	91
PID 1520 wrote to memory of 4520	1520	Fix.exe	92
PID 1520 wrote to memory of 4520	1520	Fix.exe	92
PID 1520 wrote to memory of 4520	1520	Fix.exe	92
PID 1520 wrote to memory of 964	1520	Fix.exe	93
PID 1520 wrote to memory of 964	1520	Fix.exe	93
PID 1520 wrote to memory of 964	1520	Fix.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f73b38e94bd220140fb887a3879b7da2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Arquivos de programas\Arquivos comuns\Fix.exe
  "C:\Arquivos de programas\Arquivos comuns\Fix" Evil Spirit.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\28463\QHCM.exe
    "C:\Windows\system32\28463\QHCM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4520
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3.txt
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:964

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTY5NjNCMjAtMDFENi00RjgwLTkyOTUtQzdEQ0RCRTg3NDVBfSIgdXNlcmlkPSJ7QjBCOTE1RTgtMEY4NC00RTA0LUIwNzEtMjgwQjZFRUFFRDdFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDQ2ODZEMDctNkMyRS00NDdGLUI4MEItRjk3MTdDRjUyMDE1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzMwMDYzNzgyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\Arquivos comuns\Fix.exe

Filesize
479KB

MD5
eb4aeda4a3581d32de85ee409da668a1

SHA1
78186d571ae449048f7fff46300907af03aa54e2

SHA256
d86350f70ae86a0118b894e2fc95c5f98e953b8802f5733ead21eed6c5268ab9

SHA512
b4f44afcae3430aafc3aa33d498cdee73d29830e18e72e27921224f6ceaa491b576e70162e8d2a2a4a31e14d316eb8fb3744ae716c9e3d42995f14dd2f7dd88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.txt

Filesize
49B

MD5
373ab017b2c347746fbab158b66fca75

SHA1
d7329d0dbe0cb964d9518e6eea97dc90baa111bc

SHA256
3d9947f18697e78d95624b8889d32f2df3737c74f5e8689d9f0a9b47d1225af2

SHA512
f11763fbd4fd529471618bffff8c4683344fc6d5c318ee1e8824c3835af6dff0b5d9921a03b4052608d4df7bc4c22e0c20c5def0fa2301d394ee71acf72ffb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\@172D.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\1Install - 2.bmp

Filesize
20KB

MD5
f6dc62a8543452e5fac9f4dc897b47c5

SHA1
3d421d5a6ce66a2ac9a117056ba945a97ece81f9

SHA256
a6a8fa6296f63cf3cf3c181f7f483b053447597d6825fbcfef73a87ece5ce026

SHA512
525db38873459986e6e02457bb9894f6dc50af0abe15eff8af758b3f589fe5f34e71b03155253e6f835d30508ea852c68b060e24d671c70186fe3adb9d6c10c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\2Default - 2.bmp

Filesize
3KB

MD5
5cdf0741bead2afdc7f381d82d43a1b3

SHA1
5629321a955a6ece9c45ce3dd6783442a083032f

SHA256
7294b02eebbe31d7a01026883fa8a95d94f47ab408f611e9e4a7421bef2673c8

SHA512
5dc500222471537eb24994cbd08d6d7782e2258eca8bc36f6c7b3c3218f5ad45e60af23c615cc53f4429420500c0069257b6d3a21fa018cdd8f63750d1abe74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\gentee.dll

Filesize
100KB

MD5
30439e079a3d603c461d2c2f4f8cb064

SHA1
aaf470f6bd8deadedbc31adf17035041176c6134

SHA256
d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a

SHA512
607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\guig.dll

Filesize
20KB

MD5
fa3db33dcefded7b4fdcb948a5e6e53e

SHA1
0adfd644e4422ffcbcfd8bfc27fcec727f04836e

SHA256
424025e13c1a624d5900f7b264145907e1092ef68e9c51d76a2648d14fdb9a17

SHA512
9be40412d7a8939a41c764058b138f1aa6fa73e0f1d2aa8c251c4e58c0cedbcf9aeee1bf669fc4347e1bccc7a9310f25ebe4731530cc5d99c64e31ef6073623a

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\QHCM.001

Filesize
532B

MD5
cac1d15c2303b1a1c71a0415706d36b2

SHA1
5dc2130bec0bca24760f27cad9f6a58ce6602852

SHA256
0c6e61dcf8e9a3a1ee714b1a38558cc750d189239a2418bc53c60f97f2442c19

SHA512
1a86cb8a939d9a1c8d4296e2379a6e32f66c688e1f758627cb6f7a9c4df8c1adedd2376f4f39fa5f074c442b319c082ae7f6a8c4398e26abdfb4ffd8c4b73060

Download Submit
C:\Windows\SysWOW64\28463\QHCM.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
C:\Windows\SysWOW64\28463\QHCM.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
C:\Windows\SysWOW64\28463\QHCM.exe

Filesize
472KB

MD5
7ca78f42e7c88f01fb7fd88321b283ff

SHA1
8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

SHA256
2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

SHA512
06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

Download Submit
memory/4520-64-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/4520-72-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads