ardamax | 15005ef320ea86fb763689a3fcd28ba4f75c7ed72fba38f4dd3ac18bd3efc687

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
Size

807KB
MD5

e9cdf3dd25a6e8116699811b85eab09a
SHA1

54a64e4961c29ea81c3ce7ccf80ff84bb62cc6ae
SHA256

15005ef320ea86fb763689a3fcd28ba4f75c7ed72fba38f4dd3ac18bd3efc687
SHA512

639d728770df671c4780d631004d282705764bd8b2c5f33575171786ff9256efbb1b4f81a7ec61ed1b815eaf1235012adc7fe7d9a68fc3ce9b48cab0d017b4ea
SSDEEP

24576:OTV5ndLUZB/u3VVmpyMBoIxAzEV6JQi0cJUCjJD:QdiB2l0/BNxAYcScJUSt

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000160d5-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2316	CMJB.exe

Loads dropped DLL 5 IoCs

pid	Process
1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
2316	CMJB.exe
2316	CMJB.exe
2760	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CMJB Agent = "C:\\Windows\\SysWOW64\\28463\\CMJB.exe"	CMJB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\CMJB.007	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\CMJB.exe	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\key.bin	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	CMJB.exe
File created	C:\Windows\SysWOW64\28463\CMJB.001	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\CMJB.006	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMJB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\ = "Awolaja Qewat Vegor Class"	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX"	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\MiscStatus	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\Programmable\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\ToolboxBitmap32\	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\119"	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\HELPDIR	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\HELPDIR\	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\Implemented Categories	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\InprocServer32	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\ToolboxBitmap32	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\TypeLib\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\TypeLib\ = "{EA5B4341-48EA-9948-4570-0BE272559A91}"	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\Implemented Categories\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\MiscStatus\ = "0"	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\Version	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\Version\ = "2.0"	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\Programmable	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\0\	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\FLAGS	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\InprocServer32\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\MiscStatus\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX, 3"	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\ = "Groove Client 1.0 Type Library"	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\0	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\0\win32	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\0\win32\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\FLAGS\	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	CMJB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\TypeLib	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA5B4341-48EA-9948-4570-0BE272559A91}\1.0\FLAGS\ = "0"	CMJB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39E88EB-FEDC-4441-1793-A0577DE7A036}\Version\	CMJB.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2316	CMJB.exe
Token: SeIncBasePriorityPrivilege	2316	CMJB.exe
Token: SeIncBasePriorityPrivilege	2316	CMJB.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2316	CMJB.exe
2316	CMJB.exe
2316	CMJB.exe
2316	CMJB.exe
2316	CMJB.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2316	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2316	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2316	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2316	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	30
PID 1672 wrote to memory of 2760	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	31
PID 1672 wrote to memory of 2760	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	31
PID 1672 wrote to memory of 2760	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	31
PID 1672 wrote to memory of 2760	1672	e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2836	2316	CMJB.exe	33
PID 2316 wrote to memory of 2836	2316	CMJB.exe	33
PID 2316 wrote to memory of 2836	2316	CMJB.exe	33
PID 2316 wrote to memory of 2836	2316	CMJB.exe	33

C:\Users\Admin\AppData\Local\Temp\e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9cdf3dd25a6e8116699811b85eab09a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\28463\CMJB.exe
  "C:\Windows\system32\28463\CMJB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\CMJB.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Okuyun..txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Okuyun..txt

Filesize
81B

MD5
19b2c20900c4b2af43663d2bc42bf6eb

SHA1
d50958be7e376036ea3bafc821c9c9f66f124b56

SHA256
7eabb00ecd447344d54026a6faed91c6759647c098cb03144c806634958815cd

SHA512
7d7c9f069fa3b0b3bf2cca4611f36dd78d048e8cda3b89359f1ebad7e20fd28825ef1ac2fcdeced2694a7d48e5a577f3d3aff9d1b72cb738ae1ec5b08e8b8300

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
42e2202ac32edb39ccf9979515018d85

SHA1
c1e07fbe2fa759e2775d4dcf7de23a66d2422a1a

SHA256
367b4028baf3df4a5f77169bd64c9ef8fd7968a4d6c852ae3f81a726f4b37222

SHA512
a97d9e968b1f63dedba74999aabe6fd150aae985c1143d29b183cc0d663a45252c57494c3457136c5e500050c6af6c819f9ba7070b7d62300ede2e9a7c792768

Download Submit
C:\Windows\SysWOW64\28463\CMJB.001

Filesize
440B

MD5
f4325a6b407f5a44e46aaabaf5d86cbf

SHA1
dcbeb464607e71049e86f2ae5726984b2db4a459

SHA256
4a598cbd435123719e82e136216e1e43d4997d1f5ef8da12d163f85e87ca1cc4

SHA512
1f73d17a83b942713c3838b7c71f73d3a9b1a7cb7970a35492e588399ad6ba7cf28da34d79791971084b81d63b2c1583f18d9f7b600fedd79a1c9fee95aa7a0f

Download Submit
C:\Windows\SysWOW64\28463\CMJB.006

Filesize
8KB

MD5
3da3041787b72a7909d9f6184ce6bc5e

SHA1
fc7f00b8a1341b5341e2ba6f94ba85364bc90843

SHA256
18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

SHA512
150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

Download Submit
C:\Windows\SysWOW64\28463\CMJB.007

Filesize
5KB

MD5
50d0bcf6b5a6b11d9e274ccefba3f02e

SHA1
57acf2a1236b7534f2db661a9d95aeadcd41aa2a

SHA256
a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

SHA512
c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@7EA2.tmp

Filesize
4KB

MD5
cb07753c45624238b4403480372be5db

SHA1
10af5bfbed599165d996470278f011728e866df7

SHA256
63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

SHA512
2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

Download Submit
\Windows\SysWOW64\28463\CMJB.exe

Filesize
647KB

MD5
a7b322839cedf8d56cb0a7dcdb50ab59

SHA1
d27855e65f5d9e87666f39d2af694a0d75330a75

SHA256
ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

SHA512
86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

Download Submit
memory/1672-15-0x0000000002A30000-0x0000000002B0F000-memory.dmp

Filesize
892KB

Download
memory/2316-29-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download
memory/2316-32-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2316-26-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2316-25-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2316-24-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2316-23-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2316-22-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2316-34-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2316-33-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2316-27-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2316-28-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2316-30-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2316-18-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/2316-16-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2316-44-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/2316-43-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2316-45-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2316-48-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2316-54-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/2316-53-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads