ardamax | 81531f40d60e1c0666ab36c1b93521f86ba9c4133810dbea71463e41405f1fe0

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-02-2025 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
Size

1.6MB
MD5

f9cd7a0b3fddabf2d5b67002be60420f
SHA1

26f867c2ef368cba06e5ba8bef2055403769ea75
SHA256

81531f40d60e1c0666ab36c1b93521f86ba9c4133810dbea71463e41405f1fe0
SHA512

cd4902c1fc2821bc63bee641b1b94c30d6bb6469654b7aad061bff378e64e84129032399c99babe6b0f85f77c898e08effe62224d4177dbce0f357014570815d
SSDEEP

24576:uiIT1TTHZGKwp0dPLqGAKlbfX2IAO1fUBCJWZWWeUs2wOwP+iR1iOVd4KfvcA0vT:u3T1fH+8qGnlRhtW58Bx3fvLeC69

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d50-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1856	IKN.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
1856	IKN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKN Start = "C:\\Windows\\SysWOW64\\GJJYRV\\IKN.exe"	IKN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GJJYRV\IKN.004	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
File created	C:\Windows\SysWOW64\GJJYRV\IKN.001	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
File created	C:\Windows\SysWOW64\GJJYRV\IKN.002	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
File created	C:\Windows\SysWOW64\GJJYRV\AKV.exe	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
File created	C:\Windows\SysWOW64\GJJYRV\IKN.exe	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
File opened for modification	C:\Windows\SysWOW64\GJJYRV\	IKN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKN.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2816	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1856	IKN.exe
1856	IKN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1856	IKN.exe
Token: SeIncBasePriorityPrivilege	1856	IKN.exe
Token: 33	2816	vlc.exe
Token: SeIncBasePriorityPrivilege	2816	vlc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe
2816	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1856	IKN.exe
1856	IKN.exe
1856	IKN.exe
1856	IKN.exe
2816	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1856	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	31
PID 2856 wrote to memory of 1856	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	31
PID 2856 wrote to memory of 1856	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	31
PID 2856 wrote to memory of 1856	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	31
PID 2856 wrote to memory of 2816	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	32
PID 2856 wrote to memory of 2816	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	32
PID 2856 wrote to memory of 2816	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	32
PID 2856 wrote to memory of 2816	2856	JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9cd7a0b3fddabf2d5b67002be60420f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\GJJYRV\IKN.exe
  "C:\Windows\system32\GJJYRV\IKN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Dla Benego!.mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dla Benego!.mp3

Filesize
389KB

MD5
d53dc7ffb2930e4b36501cec86dec94b

SHA1
9f527da0b9839942d093156a547554ad6fb8617f

SHA256
cfe558587bdaaa2c7738a4fcace52bd6a53db6aba2dc94298f0de1befdd7dcc4

SHA512
fff2d6e56109879620159d65478365f9c2cc9ecadb314fa4d6a3f4198f9646222ef13585555ea6143f1898256b02c4056cd539472d1a1312eb986e710e38e46e

Download Submit
C:\Windows\SysWOW64\GJJYRV\AKV.exe

Filesize
490KB

MD5
51b7a820e5252ff5158f0143780fc427

SHA1
56f3ecebbf3c70a0b2e432395a70cb4d44c618d0

SHA256
47152ec42883b545842660514c80b62fc76cc47f9449104fe4b473b9c32fb46c

SHA512
441a6a4ca70e6929989664c4f7c96afb9244ddf106816c8af88363ed15acfd3a95a1a1f6cfb0722a133cfee943a1cc7c424d1c33bf3192eaad5d60bcc7c6c545

Download Submit
C:\Windows\SysWOW64\GJJYRV\IKN.002

Filesize
44KB

MD5
8e7df9075891cde8051cd8e40eeeddf7

SHA1
8156fd5804ee054a3160ba7f511134355508b128

SHA256
30f963b1f86a713a53e6c3b9ec39f339158793e800406d245bfc9565272118d9

SHA512
56f835ff92fbb41cc6aac150e5a99dfaa6bb0221f7e4e503136d7ee1d29c13d235607498ee5bac84407a9b56af9f895fcfdd5795706d3a9b99d7a69a14c5d780

Download Submit
C:\Windows\SysWOW64\GJJYRV\IKN.004

Filesize
1KB

MD5
bb939f2bfe822fbac5f710480f734e16

SHA1
a90c24528e97ab78773980b9f1f2998ebfeb167b

SHA256
eab42092b9a29b8f8af8ea358ebaa4ed194312f770612587d111f5829fd1988b

SHA512
c9047c6c6a25b4496c944a8f452aa851e1247796848738861a4fc0d64035dca40e7ed9f8ccc12a6912232f1bd1b06a73a2818db064b6477c11c75c3933664c00

Download Submit
\Windows\SysWOW64\GJJYRV\IKN.001

Filesize
61KB

MD5
d02c94d02f324be4517cd570672a38eb

SHA1
af21c078c41fbc66aac65e7afc782d1dfb9684f0

SHA256
c6684fb800ddfaa11070587fc66c613eb96b00bf4534144a747fbc1b711cb965

SHA512
45dd3aeb10cd17901509dad15c1f3bf941cf1771671ff3cdc7743c790066aaa16c659b511fdf375d4908ab5347f0aa1005e950272ffa9f5f5564ff757e65a685

Download Submit
\Windows\SysWOW64\GJJYRV\IKN.exe

Filesize
1.7MB

MD5
91dcc602af4df48468e5f60724f2e6fb

SHA1
3f466e5628c80891fc10822f85ac547d461aee6e

SHA256
6067d9a2efd2176dcfc41db3d20cf6657cce911dba1bd6a08aac55bfea99830d

SHA512
d671d43977fb9a3e892354768c16393edfc7d462226c3986b350b9aa6267751ebf4b4bbb269a4372313befdd26a1edf0927efb14f22f6f1a5706aae87fc2f67a

Download Submit
memory/1856-16-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1856-61-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2816-58-0x000007FEF27F0000-0x000007FEF2801000-memory.dmp

Filesize
68KB

Download
memory/2816-54-0x000007FEF4750000-0x000007FEF4761000-memory.dmp

Filesize
68KB

Download
memory/2816-28-0x000007FEFAB90000-0x000007FEFABA7000-memory.dmp

Filesize
92KB

Download
memory/2816-29-0x000007FEFA990000-0x000007FEFA9A1000-memory.dmp

Filesize
68KB

Download
memory/2816-30-0x000007FEFA5B0000-0x000007FEFA5C7000-memory.dmp

Filesize
92KB

Download
memory/2816-33-0x000007FEF6710000-0x000007FEF6721000-memory.dmp

Filesize
68KB

Download
memory/2816-32-0x000007FEF6730000-0x000007FEF674D000-memory.dmp

Filesize
116KB

Download
memory/2816-31-0x000007FEF7250000-0x000007FEF7261000-memory.dmp

Filesize
68KB

Download
memory/2816-26-0x000007FEF7270000-0x000007FEF7526000-memory.dmp

Filesize
2.7MB

Download
memory/2816-35-0x000007FEF59F0000-0x000007FEF5BFB000-memory.dmp

Filesize
2.0MB

Download
memory/2816-36-0x000007FEF66C0000-0x000007FEF6701000-memory.dmp

Filesize
260KB

Download
memory/2816-34-0x000007FEF4790000-0x000007FEF5840000-memory.dmp

Filesize
16.7MB

Download
memory/2816-59-0x000007FEF27D0000-0x000007FEF27E2000-memory.dmp

Filesize
72KB

Download
memory/2816-55-0x000007FEF4680000-0x000007FEF4745000-memory.dmp

Filesize
788KB

Download
memory/2816-24-0x000000013F630000-0x000000013F728000-memory.dmp

Filesize
992KB

Download
memory/2816-57-0x000007FEF29D0000-0x000007FEF29F8000-memory.dmp

Filesize
160KB

Download
memory/2816-56-0x000007FEF2A00000-0x000007FEF2A57000-memory.dmp

Filesize
348KB

Download
memory/2816-25-0x000007FEFA5D0000-0x000007FEFA604000-memory.dmp

Filesize
208KB

Download
memory/2816-60-0x000007FEF2650000-0x000007FEF27CA000-memory.dmp

Filesize
1.5MB

Download
memory/2816-27-0x000007FEFB4E0000-0x000007FEFB4F8000-memory.dmp

Filesize
96KB

Download
memory/2816-53-0x000007FEF4770000-0x000007FEF4783000-memory.dmp

Filesize
76KB

Download
memory/2816-52-0x000007FEF5870000-0x000007FEF589F000-memory.dmp

Filesize
188KB

Download
memory/2816-51-0x000007FEF58A0000-0x000007FEF58F7000-memory.dmp

Filesize
348KB

Download
memory/2816-48-0x000007FEF5FB0000-0x000007FEF5FC1000-memory.dmp

Filesize
68KB

Download
memory/2816-50-0x000007FEF5F70000-0x000007FEF5F81000-memory.dmp

Filesize
68KB

Download
memory/2816-49-0x000007FEF5F90000-0x000007FEF5FA8000-memory.dmp

Filesize
96KB

Download
memory/2816-47-0x000007FEF5900000-0x000007FEF597C000-memory.dmp

Filesize
496KB

Download
memory/2816-46-0x000007FEF5980000-0x000007FEF59E7000-memory.dmp

Filesize
412KB

Download
memory/2816-45-0x000007FEF5FD0000-0x000007FEF6000000-memory.dmp

Filesize
192KB

Download
memory/2816-44-0x000007FEF6000000-0x000007FEF6018000-memory.dmp

Filesize
96KB

Download
memory/2816-43-0x000007FEF6020000-0x000007FEF6031000-memory.dmp

Filesize
68KB

Download
memory/2816-42-0x000007FEF6040000-0x000007FEF605B000-memory.dmp

Filesize
108KB

Download
memory/2816-41-0x000007FEF6060000-0x000007FEF6071000-memory.dmp

Filesize
68KB

Download
memory/2816-40-0x000007FEF6210000-0x000007FEF6221000-memory.dmp

Filesize
68KB

Download
memory/2816-39-0x000007FEF6230000-0x000007FEF6241000-memory.dmp

Filesize
68KB

Download
memory/2816-38-0x000007FEF6250000-0x000007FEF6268000-memory.dmp

Filesize
96KB

Download
memory/2816-37-0x000007FEF6270000-0x000007FEF6291000-memory.dmp

Filesize
132KB

Download
memory/2816-64-0x000007FEF7270000-0x000007FEF7526000-memory.dmp

Filesize
2.7MB

Download