ardamax | 1f4888ca2992dc1b3db556a1c8ea5a0f39b65c1993bd9f700b169d83d0bdd8a3

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-02-2025 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Size

1.5MB
MD5

11fa97a4545d8b63aa1434ebd567b28f
SHA1

1aa56e8bb40ebc8d69b90ecfaa20c27b4528d6e7
SHA256

1f4888ca2992dc1b3db556a1c8ea5a0f39b65c1993bd9f700b169d83d0bdd8a3
SHA512

55965ef3cf4a5a2457150acca36ab96585b2d3ccee083bca52cd6d3cf2be1a7913909c4c529c08befcf0cfaacb3b7c7e661379172f2c4727ed3ab50516a1dca4
SSDEEP

49152:HXisKBNdKFmfBRA2U+XRWZYuIHdL09C9Xj:Hysm/KFmjAXZYugdL092j

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019621-625.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1492	Sandboxie.exe
2600	QVV.exe

Loads dropped DLL 5 IoCs

pid	Process
1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
1492	Sandboxie.exe
1492	Sandboxie.exe
2600	QVV.exe
2600	QVV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QVV Start = "C:\\Windows\\TUDUXF\\QVV.exe"	QVV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\TUDUXF\QVV.004	Sandboxie.exe
File created	C:\Windows\TUDUXF\QVV.001	Sandboxie.exe
File created	C:\Windows\TUDUXF\QVV.002	Sandboxie.exe
File created	C:\Windows\TUDUXF\AKV.exe	Sandboxie.exe
File created	C:\Windows\TUDUXF\QVV.003	Sandboxie.exe
File created	C:\Windows\TUDUXF\QVV.exe	Sandboxie.exe
File opened for modification	C:\Windows\TUDUXF\	QVV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sandboxie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QVV.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: SeIncBasePriorityPrivilege	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: 33	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: SeIncBasePriorityPrivilege	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: 33	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: SeIncBasePriorityPrivilege	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: 33	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: SeIncBasePriorityPrivilege	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
Token: 33	1492	Sandboxie.exe
Token: SeIncBasePriorityPrivilege	1492	Sandboxie.exe
Token: 33	2600	QVV.exe
Token: SeIncBasePriorityPrivilege	2600	QVV.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2600	QVV.exe
2600	QVV.exe
2600	QVV.exe
2600	QVV.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1492	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe	30
PID 1600 wrote to memory of 1492	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe	30
PID 1600 wrote to memory of 1492	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe	30
PID 1600 wrote to memory of 1492	1600	JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe	30
PID 1492 wrote to memory of 2600	1492	Sandboxie.exe	31
PID 1492 wrote to memory of 2600	1492	Sandboxie.exe	31
PID 1492 wrote to memory of 2600	1492	Sandboxie.exe	31
PID 1492 wrote to memory of 2600	1492	Sandboxie.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fa97a4545d8b63aa1434ebd567b28f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\sccner tools\20.1.11.06\2012.08.02T18.54\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Sandboxie.exe
  "C:\Users\Admin\AppData\Local\Temp\Sandboxie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\sccner tools\20.1.11.06\2012.08.02T18.54\Native\STUBEXE\@WINDIR@\TUDUXF\QVV.exe
    "C:\Windows\TUDUXF\QVV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TUDUXF\AKV.exe

Filesize
490KB

MD5
64a6cc55dc76d26448c30a8a1885f7cb

SHA1
149e467026647e080b4c69ab4f99b2d3c2b4dbe4

SHA256
5cbc0ec73c901be4ac182e13f6869f6f8cf0831b9603e542a3919f6a06087640

SHA512
de8cd7bea8113871ce8a36966fbaefd02b8ef7b09a8cbb631b4ac353bdf65b27d5630146ed700fd6edbc4276f4368ebad76b772d9b84349ddc2bd6f7127c377d

Download Submit
C:\Windows\TUDUXF\QVV.001

Filesize
61KB

MD5
bf311791d2f9ea9c82a8d4764a98c0d8

SHA1
405ba2bd110590abd0bf340d12e054405afb011f

SHA256
d720cf3d297743da7ab1da528f4c086a29d59ef553e1a96569b49a59831d583b

SHA512
8be092f068807767b0065de10f9da386b90d8e587356881ba3391380b953b199e818b527e74b305d7c714fc94cb6f8e66c76d89d1785fa9910aa4cb39c5cada8

Download Submit
C:\Windows\TUDUXF\QVV.002

Filesize
44KB

MD5
ce365878123962c3438e349621c10198

SHA1
5b861d9fc2923c61ef390a0b729a21078aa5fd59

SHA256
ba254f6675490a045d4c85a5f46681c175c1321692c20fc808c7c244173dd63f

SHA512
efc6f143d5e9244a6635562d7e9a9cea22ab7e7b304e933642a51d66da896e9038208b86c12f6da623a01b9175e73eeb40ab600e6625db3595144bfca1231a76

Download Submit
C:\Windows\TUDUXF\QVV.003

Filesize
66KB

MD5
26fb89dde71ef86ae196c9c851c6c137

SHA1
17d23cdc9e57190670d572b8fdf3ff05cfc99be4

SHA256
99b477f9c5655a10c703860525f0b764bfa0a0b7d0a1c106351d2f10ea04c618

SHA512
310a3971852555c7be8f9a7dbe470768f281b01756feab582e4eae5e2ef351f4c6471127fd7fea40c6335e13df022dddfab231dc1c379d3c9ef73cb81d057513

Download Submit
C:\Windows\TUDUXF\QVV.004

Filesize
1KB

MD5
2293ccfe288eedbe908190a365fbb8fe

SHA1
5fa55dde0e7dd4be690efc70a24c5b7979b19145

SHA256
9f0a30ffaf70c101523b6733f1b9956ad9383f55704ccdabb15b1a4644328add

SHA512
53ecc48b83f8b3deedf861555084176ed3c93343752f14dea0c3ab37ffea6670543fb835a1196493df03d1c2ef6205892a02b4ffd0f5c5f855095d6bca99de81

Download Submit
C:\Windows\TUDUXF\QVV.exe

Filesize
1.7MB

MD5
8f7590bbba70748e69612e9e2d5a9f2e

SHA1
f3ad9834bc38f33fe501b9076c65ac29d0410578

SHA256
2dec3a8fb4a5b198335e7f4a9b611194b0a081abf0c56f9df3f4e2697e69d9e4

SHA512
347e9ac793afd627e064ecdfea61c3e2b626ace0ea41928aad93a72567048b8e9bdf773f8a4a59a0d96ce8c08612c542c15982e8051828bef025fea6132838c6

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\sccner tools\20.1.11.06\2012.08.02T18.54\Native\STUBEXE\@WINDIR@\TUDUXF\QVV.exe

Filesize
17KB

MD5
6c12dde03c841adf993fce8f4e4b7769

SHA1
319cb07bef797b7dc375280352b975b53cfe4710

SHA256
2e2e34855af6c0ea687d9766edbec5a48462000d5fd4165a47b4bf0f2209e4d7

SHA512
564b02e328924ba9937a7a75998d7cee359ae44047824a520defd986b8314a11a3a53054b62d3d4c74cbeaf6f2677bb0b0adb39819cd1231f408a311158333bb

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\sccner tools\20.1.11.06\2012.08.02T18.54\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Sandboxie.exe

Filesize
17KB

MD5
328d67859262bedc3fc3e5cbbe3ff858

SHA1
4968096277d51d8a69499b8036b6c7498e2ea309

SHA256
27dc3f9ac7e85a73b8e3e8216f4e74344a231589ecaae44bb9ca472dc49f0e79

SHA512
2e8b03df5dabf934cd61356c55f97bddd8fe1eb6b1d20178d4e95d5cd2651f80fd07a6d42cfef83dab9e2e8ae2960bfebb0f758cc48f0d05accd2ba3e857bfbc

Download Submit
memory/1600-14-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-202-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-6-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-10-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-47-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-44-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-42-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-39-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-34-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-35-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-33-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-30-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-26-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-24-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-63-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-20-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-18-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-16-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-4-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-12-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-8-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-50-0x0000000076F10000-0x0000000076F11000-memory.dmp

Filesize
4KB

Download
memory/1600-49-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-22-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-225-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-69-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-283-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-282-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-273-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-244-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-210-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-209-0x0000000076F10000-0x0000000076F11000-memory.dmp

Filesize
4KB

Download
memory/1600-208-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-67-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-65-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-61-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-59-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-57-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-55-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-54-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-1-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-2-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-0-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-51-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download
memory/1600-638-0x0000000000630000-0x000000000069C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads