ardamax | f5f6eb2ba2e0a9e80bc39e303fc0c028d32a2379a928e1dc7eaf361fe822b3d5

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
Size

560KB
MD5

8260879646a378026c3d4863fdfcc7eb
SHA1

e5c7b78487bbea6d435e39414094ceadb838f0b4
SHA256

f5f6eb2ba2e0a9e80bc39e303fc0c028d32a2379a928e1dc7eaf361fe822b3d5
SHA512

b45abd450a17f1946472d66bc5dcfa680ed04150d8a32cfa306e3679e2251278eac2c1abf36b42dca0f7d664d123c4e85a52e28357f7a430689b40fc8b50179f
SSDEEP

12288:5lQD3uWAxchoSJnr4WXBSETiELm3xIS12IcFTB:ZxchoSJrvoEfLm3x3SB

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018b28-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2880	HILY.exe
1852	X1nject.exe

Loads dropped DLL 9 IoCs

pid	Process
2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
2880	HILY.exe
2880	HILY.exe
1852	X1nject.exe
1852	X1nject.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HILY Agent = "C:\\Windows\\SysWOW64\\28463\\HILY.exe"	HILY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\HILY.exe	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
File opened for modification	C:\Windows\SysWOW64\28463	HILY.exe
File created	C:\Windows\SysWOW64\28463\HILY.001	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
File created	C:\Windows\SysWOW64\28463\HILY.006	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
File created	C:\Windows\SysWOW64\28463\HILY.007	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018b50-27.dat	upx
behavioral1/memory/1852-28-0x0000000000400000-0x00000000004BD000-memory.dmp	upx
behavioral1/memory/1852-41-0x0000000000400000-0x00000000004BD000-memory.dmp	upx
behavioral1/memory/1852-56-0x0000000000400000-0x00000000004BD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HILY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	X1nject.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe
1852	X1nject.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2880	HILY.exe
Token: SeIncBasePriorityPrivilege	2880	HILY.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2880	HILY.exe
2880	HILY.exe
2880	HILY.exe
2880	HILY.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2880	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	31
PID 2332 wrote to memory of 2880	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	31
PID 2332 wrote to memory of 2880	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	31
PID 2332 wrote to memory of 2880	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	31
PID 2332 wrote to memory of 1852	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	32
PID 2332 wrote to memory of 1852	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	32
PID 2332 wrote to memory of 1852	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	32
PID 2332 wrote to memory of 1852	2332	JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8260879646a378026c3d4863fdfcc7eb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\28463\HILY.exe
  "C:\Windows\system32\28463\HILY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\X1nject.exe
  "C:\Users\Admin\AppData\Local\Temp\X1nject.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X1nject.exe

Filesize
262KB

MD5
ed16b07449d0cd7e2d7c6f918878ab00

SHA1
7dd4b0ebafd2987041f4a18da74f3e562343843f

SHA256
b308449cdf6ec26d55138d6bbf147f86f09a45a87d142eadf3c65be58cc7a5a1

SHA512
09e8dacfbd6b8071ba52353ebdab7a3d05b774863152b3d398bc4b98dae1cad59331dea3abfefea3e160b05d475318e2a96910f1f1ae3e8c09beef251d661c90

Download Submit
C:\Windows\SysWOW64\28463\HILY.001

Filesize
532B

MD5
2fac1d00ef413f48256555ca991dc172

SHA1
b2d266c634db1cec6810324f8fbbe1107ca006e3

SHA256
cb6553eabc4d3cdb1040f55429a35d37f7cfc4749c877bb6a8395669b2214c9c

SHA512
431709602a09b6d3e9208aa7d3deb86db4b43cfe04236b7d8947ecb6562e7fa45e0aaa325a6f3f15d5d36b69836f3836b9e30a084acacaeab89bf758a2995879

Download Submit
C:\Windows\SysWOW64\28463\HILY.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
C:\Windows\SysWOW64\28463\HILY.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
\Users\Admin\AppData\Local\Temp\@2DE.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
\Windows\SysWOW64\28463\HILY.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/1852-28-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1852-29-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1852-39-0x000000007747F000-0x0000000077480000-memory.dmp

Filesize
4KB

Download
memory/1852-41-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1852-42-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1852-44-0x000000007747F000-0x0000000077480000-memory.dmp

Filesize
4KB

Download
memory/1852-56-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2332-26-0x0000000002680000-0x000000000273D000-memory.dmp

Filesize
756KB

Download
memory/2332-40-0x0000000002680000-0x000000000273D000-memory.dmp

Filesize
756KB

Download
memory/2880-34-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2880-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download