ardamax | a518e8b1c1e97085cc255f42e34f76ff8e6a2a33a6ce8b141769b0e51a95203e

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
15-02-2025 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe
Size

872KB
MD5

fca6d612a6cec1d45fb75ba443cc2b0d
SHA1

75106d302a139496da43308a3e0131b24610df91
SHA256

a518e8b1c1e97085cc255f42e34f76ff8e6a2a33a6ce8b141769b0e51a95203e
SHA512

a6e737c99b0889d7f7b4fcbbfbd40abd391bbbd75f55b3ac59ad7c4c7dd97b27b8293e4beeffa58fb9ad2ea94b666c5d747dfc6c28cf8f4d0e539355de036021
SSDEEP

24576:ZGy6DGcIUttZXjgOw8W5I3YCJJQBREwbcLkKRk:cScTZRw8Wa3Yy+3b

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000017497-21.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
1880	1.exe
2892	QHVF.exe
2840	2.exe

Loads dropped DLL 6 IoCs

pid	Process
1880	1.exe
1880	1.exe
2892	QHVF.exe
2892	QHVF.exe
2840	2.exe
2840	2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QHVF Agent = "C:\\Windows\\SysWOW64\\28463\\QHVF.exe"	QHVF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\QHVF.001	1.exe
File created	C:\Windows\SysWOW64\28463\QHVF.006	1.exe
File created	C:\Windows\SysWOW64\28463\QHVF.007	1.exe
File created	C:\Windows\SysWOW64\28463\QHVF.exe	1.exe
File created	C:\Windows\SysWOW64\28463\key.bin	1.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\28463	QHVF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QHVF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\DefaultIcon\	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\MiscStatus\ = "2228625"	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\ProgID\	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\FLAGS\	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\TypeLib	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\Version\ = "1.0"	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\InProcServer32\ = "C:\\Windows\\SysWOW64\\mshtml.dll"	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\0\win32\	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\TypeLib\ = "{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}"	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\Version	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\Version\	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\BrowseInPlace\	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\InProcServer32\	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\MiscStatus	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\MiscStatus\	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\findnetprinters.dll\\1"	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\FLAGS	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\ProgID\ = "svgfile"	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\ = "Find Printers type library"	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\0	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\TypeLib\	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\DefaultIcon	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,-19"	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\FLAGS\ = "0"	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\BrowseInPlace	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\InProcServer32	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\0\	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0	QHVF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\ = "Papafo Object"	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97EBADCB-6D30-4551-86A3-AFD34A98DD23}\ProgID	QHVF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77E4FC29-0FAD-C5E5-ED46-364ED51C0053}\1.0\0\win32	QHVF.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2892	QHVF.exe
Token: SeIncBasePriorityPrivilege	2892	QHVF.exe
Token: SeIncBasePriorityPrivilege	2892	QHVF.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2840	2.exe
2840	2.exe
2892	QHVF.exe
2892	QHVF.exe
2892	QHVF.exe
2892	QHVF.exe
2892	QHVF.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1880	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	31
PID 2988 wrote to memory of 1880	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	31
PID 2988 wrote to memory of 1880	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	31
PID 2988 wrote to memory of 1880	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	31
PID 1880 wrote to memory of 2892	1880	1.exe	32
PID 1880 wrote to memory of 2892	1880	1.exe	32
PID 1880 wrote to memory of 2892	1880	1.exe	32
PID 1880 wrote to memory of 2892	1880	1.exe	32
PID 2988 wrote to memory of 2840	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	33
PID 2988 wrote to memory of 2840	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	33
PID 2988 wrote to memory of 2840	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	33
PID 2988 wrote to memory of 2840	2988	JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe	33
PID 2892 wrote to memory of 1988	2892	QHVF.exe	35
PID 2892 wrote to memory of 1988	2892	QHVF.exe	35
PID 2892 wrote to memory of 1988	2892	QHVF.exe	35
PID 2892 wrote to memory of 1988	2892	QHVF.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fca6d612a6cec1d45fb75ba443cc2b0d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\28463\QHVF.exe
    "C:\Windows\system32\28463\QHVF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\QHVF.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1988
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
783KB

MD5
6724039cce21e08cb4a8086ab7ff9034

SHA1
f8b127f14a77dbfc2c4261fba22cdfa68e7ea8f5

SHA256
619fdc944030cd04e37cf1ae8d276e0c70452a6f43b73e9f65cec1dbebbf9297

SHA512
63fdeaa55c9a4f97358d1a63a87c387cc82850837d1e2c3c1f7e7cf3ba724f7ac05ba55a06771e82b9099ff07e3351510a6022f254b2c7a125a66729a081bff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
72KB

MD5
4aa2ced055a4a47ee8166b8a2eabaf62

SHA1
20a23c6ccaafd490b30a3e81c11f773d2554fce7

SHA256
23bc4f799105a4a905ad599e79c87d36eb0e6204badad21011b13cc63822ae4e

SHA512
46341bfc3883ce95d35ff74b2c9e675f31cac9a7e7f5889b448b7a26b66351870d798db2682d5feebc227fe793d1cb310d56af032e5e885896b50948ae63205d

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\QHVF.001

Filesize
520B

MD5
450c67d4d93cdd6ebc2577569a965fb2

SHA1
4aaefe58a3fb230dee07d6ecad8d1e95a6e35b41

SHA256
741e7431f107c30b259ccdd50f219306538a20e998fbc05fefa6a6878839966b

SHA512
17b84b6ac87113dcb4626d7798826897eebc8ff0a0a93cc58362cc6e6d36fe77ac00ee3fb85732da4629b4be62100ea24b3c4c25ee001920ba83486663ad8bec

Download Submit
C:\Windows\SysWOW64\28463\QHVF.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@BE21.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
\Windows\SysWOW64\28463\QHVF.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
\Windows\SysWOW64\28463\QHVF.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
memory/1880-25-0x0000000002980000-0x0000000002A5F000-memory.dmp

Filesize
892KB

Download
memory/2892-36-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2892-52-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2892-38-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2892-37-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2892-71-0x0000000001D30000-0x0000000001D8A000-memory.dmp

Filesize
360KB

Download
memory/2892-35-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2892-40-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2892-70-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2892-34-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2892-33-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2892-51-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2892-39-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2892-31-0x0000000001D30000-0x0000000001D8A000-memory.dmp

Filesize
360KB

Download
memory/2892-27-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2892-67-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2892-63-0x0000000001D30000-0x0000000001D8A000-memory.dmp

Filesize
360KB

Download
memory/2892-61-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2988-8-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-19-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-46-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-0-0x000007FEF59BE000-0x000007FEF59BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads