ardamax | 33af96aa00811b0adc665c86a70fd75fb1dc973fe93cc266eb9476a3c4debc29

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
Size

769KB
MD5

8a031f1d901c597e30b574f1abd2feed
SHA1

b095c70b8699bf763cbd6295661a2d791327ae5e
SHA256

33af96aa00811b0adc665c86a70fd75fb1dc973fe93cc266eb9476a3c4debc29
SHA512

b32a38413d64bf910c7969db4910f119e865dc27c2ab97e06c7bee82fedf157b893c994f679ca29d9dab9adde73db0edb9687da9aa894aac72346bff4b7a4cb6
SSDEEP

24576:e0U4O6BGdptgSQ43JPtMJmDagYZmLxLx09F:e0USBggSQWAbmLxa/

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000160ae-18.dat	family_ardamax

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2528	FFPX.exe
2452	PerX.exe

Loads dropped DLL 9 IoCs

pid	Process
2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
2528	FFPX.exe
2528	FFPX.exe
2452	PerX.exe
2452	PerX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FFPX Agent = "C:\\Windows\\SysWOW64\\Sys32\\FFPX.exe"	FFPX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\FFPX.006	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
File created	C:\Windows\SysWOW64\Sys32\FFPX.007	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
File created	C:\Windows\SysWOW64\Sys32\FFPX.exe	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	FFPX.exe
File created	C:\Windows\SysWOW64\Sys32\FFPX.001	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-28-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/files/0x0006000000018d68-27.dat	upx
behavioral1/memory/2452-41-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2452-44-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2452-45-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2452-48-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2452-54-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2452-55-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2452-61-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFPX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PerX.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe
2452	PerX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2872	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: 33	2528	FFPX.exe
Token: SeIncBasePriorityPrivilege	2528	FFPX.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2528	FFPX.exe
2528	FFPX.exe
2528	FFPX.exe
2528	FFPX.exe
2528	FFPX.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2528	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	30
PID 2176 wrote to memory of 2528	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	30
PID 2176 wrote to memory of 2528	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	30
PID 2176 wrote to memory of 2528	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	30
PID 2176 wrote to memory of 2452	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	31
PID 2176 wrote to memory of 2452	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	31
PID 2176 wrote to memory of 2452	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	31
PID 2176 wrote to memory of 2452	2176	JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a031f1d901c597e30b574f1abd2feed.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\Sys32\FFPX.exe
  "C:\Windows\system32\Sys32\FFPX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\PerX.exe
  "C:\Users\Admin\AppData\Local\Temp\PerX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2452

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PerX.exe

Filesize
262KB

MD5
e974a7ed7fa0c096aa1f59ae6d8cce72

SHA1
24b215e712fa745ac94d033ee7c5a556a5df0dab

SHA256
d042a6add7b1547e5165d0c0c0f0eb21ee778b44c27e0a2bbce9f02b79156c0b

SHA512
156cfa7b252d8737a4d3fdc3f8095353051d7f15e1293d6c1213de36ea44d526fd94e75765b3a1f75ed83f9b02dd4329b9eab466e9188fea107e622d0c1d6ba4

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
869461e168a87283a8782e70f5d5a3a8

SHA1
ab189b5f2682ae66162226b4f646b1e80486c653

SHA256
992cb5ea845b2d24c02f4e40873bf4ebd7b58b57ae2e001907228af4879e575b

SHA512
e4e77e07eb0ef2adb6d5ebdb9629f4632c417cf3d1a22e4c414b806bfbd259df13f6c88265f9346ed2b22bf67eb3d63924d86767c8508be4abdc9067f15a82ae

Download Submit
C:\Windows\SysWOW64\Sys32\FFPX.001

Filesize
502B

MD5
db12acbe34a8d6a27e88d5d7703f8a1f

SHA1
7c4a6798e8219f0c231b3057f0c08dad28ce8248

SHA256
f91596bf56f9299d738c9356dbe7b23c6ee33bcc1d6ca05ad846950577fc30d9

SHA512
672e1b29a3d066e3a030ef50f2441a45005f87b0ed2db7781b29e28b570819ed7d04f647d451422410b33d323c6c0742dbfd4c49c1272c7d6eef3cc93516ec39

Download Submit
C:\Windows\SysWOW64\Sys32\FFPX.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
\Users\Admin\AppData\Local\Temp\@B348.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
\Windows\SysWOW64\Sys32\FFPX.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
\Windows\SysWOW64\Sys32\FFPX.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
memory/2452-42-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2452-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2452-40-0x000000007777F000-0x0000000077780000-memory.dmp

Filesize
4KB

Download
memory/2452-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2452-41-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2452-36-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2452-43-0x000000007777F000-0x0000000077780000-memory.dmp

Filesize
4KB

Download
memory/2452-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2452-45-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2452-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2452-54-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2452-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2528-34-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2872-60-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download