ardamax | fc80a12759fa305b39380e2f0293cd080fe7a9deef2f23d5d102ad7f64a43fe9

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2025 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
Size

671KB
MD5

f9a4e6c353dd321a77c04f0102c0601f
SHA1

88179f6d798960d9f02a81065ff85a9478be6385
SHA256

fc80a12759fa305b39380e2f0293cd080fe7a9deef2f23d5d102ad7f64a43fe9
SHA512

9c1e8507fcf51d9c8393cd192bdb569ff935b5830d70993c8978ea1abc168908cb0742d50bb06c39863cc222f8e2b852139cf6dd79299216aedd7dfdfeed62fb
SSDEEP

12288:qUP86kpqTP7miyCMn9aWSE+YniyhOFWTzHvv5A4czoiJrE12/8:dP86kUHmiy5ndiy2WTDpFMoEE12k

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e798-32.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
30	3796	Process not Found

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	Exporer32.exe

Executes dropped EXE 2 IoCs

pid	Process
1288	Exporer32.exe
216	IYJL.exe

Loads dropped DLL 4 IoCs

pid	Process
1288	Exporer32.exe
216	IYJL.exe
216	IYJL.exe
216	IYJL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\IYJL.exe	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	Exporer32.exe
File opened for modification	C:\Windows\SysWOW64\Sys	IYJL.exe
File created	C:\Windows\SysWOW64\Sys\IYJL.001	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\IYJL.006	Exporer32.exe
File created	C:\Windows\SysWOW64\Sys\IYJL.007	Exporer32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IYJL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4912	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	216	IYJL.exe
Token: SeIncBasePriorityPrivilege	216	IYJL.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
216	IYJL.exe
216	IYJL.exe
216	IYJL.exe
216	IYJL.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1288	932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe	91
PID 932 wrote to memory of 1288	932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe	91
PID 932 wrote to memory of 1288	932	JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe	91
PID 1288 wrote to memory of 216	1288	Exporer32.exe	92
PID 1288 wrote to memory of 216	1288	Exporer32.exe	92
PID 1288 wrote to memory of 216	1288	Exporer32.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9a4e6c353dd321a77c04f0102c0601f.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
  "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Sys\IYJL.exe
    "C:\Windows\system32\Sys\IYJL.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:216

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzNDNEEzRjEtRDNDRS00NEE3LUEzN0ItMUZDNTZDNkE3MTNDfSIgdXNlcmlkPSJ7QkNGOTJFRUMtMzYxQS00NEIwLUE1NkEtREQ2RUI0NEE4QkU3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzZCMjhBMkItNUQwNi00QjM0LUFGMkMtNUJFNDNBNUYzNEU5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTM3MTE2NDQwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
0675053e1b6e626d2a5cd159660a6772

SHA1
bc705b6e5a70c837bf61a1bca3fad3e3340873ef

SHA256
24ffdf6281b8b847733821543b204671abef1b4d23d04a3e311f6a3ceba40d52

SHA512
2c8db04aa7737050b6c93b7b6a3b0d621036d2be9cb50ffb2d41cadd589a645d29995ccddec619d627f331e3796fd360b26c71e526ba893603af58ccbb2d7026

Download Submit
C:\Users\Admin\AppData\Local\Temp\@1519.tmp

Filesize
4KB

MD5
7d0fa2c93ab4e5ec218a2b3372eced35

SHA1
c8c319b328aea486ecb7c89af66c07ed240a1464

SHA256
32be4a8ec658f1bb27fd2aef1ecfe0523ffd8b430c8acd41821c2a3c71959a40

SHA512
929a30b6f5bb3dac62d6e30dd1d70844654dc23e92a6d36d32a84c1f866aead1d57f4ec8f12b468131f7b3efefce3bd6c74652149d7a65b3c534f96f221ea5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
495KB

MD5
3aa36487b00c6f2858aa71d4d6095979

SHA1
4643a980cc79cfdadbdb835f1aa3c412315c965e

SHA256
0cee883cf99f34b743966bce10a8ea635140f6fd807c119211e2d7c9c63c975b

SHA512
75d52a46a7f211a4b448df92e5f7aa7e1289ea57a2dd452ba799dba1df0d40a47cae608b3a2fd7198f7b977432c344cb0c7b08e3f2e0eb9474c6f0067915ac42

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
f8452c5ccc72af74cdfa34b1fd160e00

SHA1
3cbb1e5294406d23914be29a29a65df5208462c6

SHA256
14d63d007e8a1b4f640dd9ce33088ff6ac2c02802563d924c98f160ff057d60f

SHA512
85a25ab3abe010867bd8973d4ac69595302249c12aa740274ad38e2eb16260a4c926043efa3b1ff9d5a888554421b1ed84ba78b3a04adf3779e64feb7554ab2f

Download Submit
C:\Windows\SysWOW64\Sys\IYJL.001

Filesize
3KB

MD5
25dfcf54812879ee639672a7fd20ab14

SHA1
ef47a7898dca1718fb1830a61ae3ff9749b10da1

SHA256
c24c73a270342c74d72de61cdcb9b098aa3c16c12917f0bd9e773f5485c53a7e

SHA512
47bffd3ae351e08d8ae33ab8d6c8c5e9f8bab6843c1e7d2beb412cdaccaa66843e7e3acaf7a15cf545db930a175cb3df1371241966449fc5f531b6c642fdd0e5

Download Submit
C:\Windows\SysWOW64\Sys\IYJL.006

Filesize
5KB

MD5
8b20ee4ef305728ccab05c071db218d2

SHA1
754cdfa5d595d040b9ec54d68803a109c2c979b2

SHA256
b9028fdd1f0b5c349d20088ba694a0e1d0a4b100c058da42d2d816d942b42888

SHA512
233b915673fe76db860c57ec1554bc7174d5040c205b6d03d92b55415278596ad61fb6916f9aa43a21689b93b0a2db0078557ec52529ad1149264142a9989146

Download Submit
C:\Windows\SysWOW64\Sys\IYJL.007

Filesize
4KB

MD5
86a5c08403b37ae1117206bfac5c184b

SHA1
3c526d0bd92782d682cc1a14760ab87cf6da9351

SHA256
f06751c5072868ab3f8cbc7ad24594aa34ef6e85c5e10b902b0d51017fc15f40

SHA512
bd92e24f4ec2e115ded79c454d4f6f9850cca047425aad8db580e7aee5b642ac23e0e398608266c1abe80c29a0a729401b0e8bcff178e6a17d2ea911c6e46242

Download Submit
C:\Windows\SysWOW64\Sys\IYJL.exe

Filesize
468KB

MD5
ad696e3a354fd2816f0930732f7f0153

SHA1
cbb43eb9c8df87be92fafca6e461a205f8bfc4c3

SHA256
1fd2932edbd59bd33e321fbbce797f785bcada08dcd4f5a12c6dec2c746abf62

SHA512
c0f87046ad7cd508ae9b68a335ed6f55497375f36147618ce0ace2f17cc24d162804f23caafde8673e442a8c928217207cddec57eaac318809341f2fbba6b82b

Download Submit
memory/216-43-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/216-48-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/932-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/932-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download