ardamax | f0b91cd0711855a8ccabb024d1e4a0f84d187975cc063b21780c7c60f8cef240

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-02-2025 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
Size

800KB
MD5

0beafefbcce2420c65a29115df6a59b0
SHA1

76d5676c3ff23a65e5930612211898065427ea3a
SHA256

f0b91cd0711855a8ccabb024d1e4a0f84d187975cc063b21780c7c60f8cef240
SHA512

11ea9c0d74a8150acfcfd8fc810617a672df82af209355e6837cc0be6336fb27e339bdd1ddedc32789ec7894ba39503c0fd1b05d844addb6eb1830f64d4156e6
SSDEEP

12288:IEtkFVViAH/JfNp7/PfwfkB+Mrtf/ExYjrgq8W3aBcR6y1mQmlfGncWdm2jximcW:GYIJfb/Pr7JcYjrX73pR6y1mMndm2Xx

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001487c-12.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2576	EQPN.exe

Loads dropped DLL 4 IoCs

pid	Process
2032	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
2032	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
2576	EQPN.exe
2576	EQPN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EQPN Agent = "C:\\Windows\\SysWOW64\\28463\\EQPN.exe"	EQPN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\EQPN.007	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
File created	C:\Windows\SysWOW64\28463\EQPN.exe	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
File created	C:\Windows\SysWOW64\28463\key.bin	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
File opened for modification	C:\Windows\SysWOW64\28463	EQPN.exe
File created	C:\Windows\SysWOW64\28463\EQPN.001	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
File created	C:\Windows\SysWOW64\28463\EQPN.006	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQPN.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\ = "Bamob Object"	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\ProgID\	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0\win64	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\InprocServer32	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0\	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0\win32	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\iassdo.dll\\1"	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\psisdecd.dll"	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\TypeLib	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\Version\ = "1.0"	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\VersionIndependentProgID\ = "Psisdecd.CIsdb"	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\ProgID	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\TypeLib\ = "{3895269D-8CF2-C72F-40C1-1E503878DFFD}"	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\InprocServer32\	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0\win32\	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0\win64\	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\FLAGS\	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\FLAGS\ = "0"	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\VersionIndependentProgID\	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\ProgID\ = "Psisdecd.CIsdb.1"	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\iassdo.dll\\1"	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\FLAGS	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\Version\	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\ = "IAS SDO 1.0 Type Library"	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3895269D-8CF2-C72F-40C1-1E503878DFFD}\1.0\0	EQPN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\TypeLib\	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\Version	EQPN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E3948AE-0D80-44CE-0188-C7A67ECEA59C}\VersionIndependentProgID	EQPN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2576	EQPN.exe
Token: SeIncBasePriorityPrivilege	2576	EQPN.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2576	EQPN.exe
2576	EQPN.exe
2576	EQPN.exe
2576	EQPN.exe
2576	EQPN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2576	2032	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe	28
PID 2032 wrote to memory of 2576	2032	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe	28
PID 2032 wrote to memory of 2576	2032	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe	28
PID 2032 wrote to memory of 2576	2032	JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe	28

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0beafefbcce2420c65a29115df6a59b0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\28463\EQPN.exe
  "C:\Windows\system32\28463\EQPN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
bf3f029b48698972471caaa7e9cea759

SHA1
304ef8b5c72bf95e5d3efa18e5587c6d9cacfd15

SHA256
2f55fb7d6318f940c208276c25d63d7a7a8406da1c82f51305f1ce6381ac1aa5

SHA512
0fcc2c42ba1cf816152f1e116789c615956024b58a06a985c79ac9b71fa10dc232a5c4210f18f4d3a70730454cbdc2b3da56d24e4da207d58ce2446424b68d00

Download Submit
C:\Windows\SysWOW64\28463\EQPN.001

Filesize
362B

MD5
e915e398f7d2eaaf8da28c67f923b8c9

SHA1
5665aec7604d023ea5d8aca50209df40660dbdbc

SHA256
3b4c59fee8e89f81fee6a2760fb2f751247c2d39c18e7fd97c1143ba2f9e2f4a

SHA512
2892b49b912f20a259d8ae879070f0b3d901776e1daa5fab971d35d1913a048c452e1cea9e537be2ba29f8e08fae8cdac61c82da1d23f62a00debc0f8d7b8c55

Download Submit
C:\Windows\SysWOW64\28463\EQPN.006

Filesize
8KB

MD5
5153b016d36928c296131c5c8e669446

SHA1
c444f61a2dc49ede6a2325f26d76af66de5989d2

SHA256
4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59

SHA512
c9084ff30f1f023b1f9cd00dc66cdbf846e95993093163c3e71a13535ccfc79d59be5b28a78ccfa6b0a82389b08b157676d71a9ccca2c170369080feac386f09

Download Submit
C:\Windows\SysWOW64\28463\EQPN.007

Filesize
5KB

MD5
80bbc7ace13d97396bd7b1abbaf4008b

SHA1
d013c0def603915675b1e0ce5877d413cdaf6523

SHA256
18dbfb27d4b10501e8426db1a78df8247f6570656d183f78b061d7db4c7865ae

SHA512
bc7afd0e730f432852d374812827077574181928aa97c25d8170ce1b766677383360bf2bb21afc51e8168eb3f6539ce8499c4002d86190f27d4836da3f907919

Download Submit
C:\Windows\SysWOW64\28463\EQPN.exe

Filesize
648KB

MD5
5530832fa82582288ce640f73a4915a0

SHA1
c40673ed59a61dd3b39f8ed6d0e1345838d98e44

SHA256
6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

SHA512
ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
61cfbaa287e6cc38c70b1f64d7f72569

SHA1
42c5fa65fd14ca73cae62c2a3b9c23559db33078

SHA256
271840d5892781b401517fa4348444f48979416221c3434df3e329f859127904

SHA512
d52bb21072322c09876a6570a9f83a2076cbc61cb4b734aaa6021951af093744b4e403f8597dbf353605347499b156391f6b0242dfa9de419c5ce26805ebe0cd

Download Submit
\Users\Admin\AppData\Local\Temp\@58F9.tmp

Filesize
4KB

MD5
557e0039dc13a0453af7ca9373a0d301

SHA1
50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

SHA256
54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

SHA512
d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

Download Submit
memory/2576-24-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2576-20-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2576-29-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2576-28-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2576-27-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2576-26-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2576-25-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2576-31-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2576-23-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2576-22-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2576-21-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2576-30-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2576-37-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2576-36-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2576-35-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2576-34-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2576-32-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2576-33-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2576-17-0x0000000000350000-0x00000000003AA000-memory.dmp

Filesize
360KB

Download
memory/2576-18-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2576-45-0x0000000000350000-0x00000000003AA000-memory.dmp

Filesize
360KB

Download
memory/2576-46-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2576-47-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2576-51-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads