ardamax | e19c57cc7422b89c8e46a340280ba77f843e157d3b92e07d323e54a6b530ab3e

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
Size

802KB
MD5

8b47a5ee24e37deb41a54b0f6a7e90b4
SHA1

3695492b3dd4fb60771c99babac34c0c2e043f4f
SHA256

e19c57cc7422b89c8e46a340280ba77f843e157d3b92e07d323e54a6b530ab3e
SHA512

4933c2eb99ccd1d9a593b298148b1e4ddd4f5eb5c895910381f2ede497c7c7372c27670afdbbf7e7abb72af1f0b49a505f8046125c702ffd837d8af8fdeb9872
SSDEEP

24576:qXYMJtez+cSYtDbrrfrMwll8QjbxC6CRP7h:qXYWI+t4PrWQjb9CP7h

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019458-28.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2284	INSTALL.EXE
2460	DEQE.exe

Loads dropped DLL 8 IoCs

pid	Process
2284	INSTALL.EXE
2284	INSTALL.EXE
2460	DEQE.exe
2460	DEQE.exe
2460	DEQE.exe
2420	WINWORD.EXE
2460	DEQE.exe
2420	WINWORD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DEQE Agent = "C:\\Windows\\SysWOW64\\28463\\DEQE.exe"	DEQE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\key.bin	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\28463	DEQE.exe
File created	C:\Windows\SysWOW64\28463\DEQE.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\DEQE.006	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\DEQE.007	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\DEQE.exe	INSTALL.EXE

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CARTA2.RTF	WINWORD.EXE
File created	C:\Windows\~$CARTA2.RTF	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File created	C:\Windows\CCARTA2.RTF	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
File created	C:\Windows\CARTA2.RTF	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
File created	C:\Windows\CINSTALL.EXE	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
File created	C:\Windows\INSTALL.EXE	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEQE.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\FLAGS\ = "0"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\Version	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\VersionIndependentProgID	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\ProgID	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\0\win32\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\TypeLib\ = "{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\VersionIndependentProgID\ = "IMEAPI.CImeProductObjectJK"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\ = "Fogip"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\TypeLib	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\InprocServer32\ = "%SystemRoot%\\SysWow64\\ime\\shared\\imjkapi.dll"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\31"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\Version\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\0	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\ = "Groove Web Services Properties Service"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\0\win32	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\FLAGS	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\FLAGS\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\HELPDIR	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\HELPDIR\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\ProgID\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\0\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7778738C-48E5-5D6E-4816-CD8ABD4BB4BA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\TypeLib\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\Version\ = "1.0"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\InprocServer32\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\ProgID\ = "IMEAPI.CImeProductObjectJK.1"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\VersionIndependentProgID\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78D8174B-19D1-427D-948B-3EE313799840}\InprocServer32	DEQE.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2420	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2460	DEQE.exe
Token: SeIncBasePriorityPrivilege	2460	DEQE.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2420	WINWORD.EXE
2420	WINWORD.EXE
2460	DEQE.exe
2460	DEQE.exe
2460	DEQE.exe
2460	DEQE.exe
2460	DEQE.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2420	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	30
PID 2372 wrote to memory of 2420	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	30
PID 2372 wrote to memory of 2420	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	30
PID 2372 wrote to memory of 2420	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	30
PID 2372 wrote to memory of 2284	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	31
PID 2372 wrote to memory of 2284	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	31
PID 2372 wrote to memory of 2284	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	31
PID 2372 wrote to memory of 2284	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	31
PID 2372 wrote to memory of 2284	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	31
PID 2372 wrote to memory of 2284	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	31
PID 2372 wrote to memory of 2284	2372	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	31
PID 2284 wrote to memory of 2460	2284	INSTALL.EXE	32
PID 2284 wrote to memory of 2460	2284	INSTALL.EXE	32
PID 2284 wrote to memory of 2460	2284	INSTALL.EXE	32
PID 2284 wrote to memory of 2460	2284	INSTALL.EXE	32
PID 2284 wrote to memory of 2460	2284	INSTALL.EXE	32
PID 2284 wrote to memory of 2460	2284	INSTALL.EXE	32
PID 2284 wrote to memory of 2460	2284	INSTALL.EXE	32
PID 2420 wrote to memory of 1816	2420	WINWORD.EXE	35
PID 2420 wrote to memory of 1816	2420	WINWORD.EXE	35
PID 2420 wrote to memory of 1816	2420	WINWORD.EXE	35
PID 2420 wrote to memory of 1816	2420	WINWORD.EXE	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\CARTA2.RTF"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1816
- C:\Windows\INSTALL.EXE
  "C:\Windows\INSTALL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\28463\DEQE.exe
    "C:\Windows\system32\28463\DEQE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CARTA2.RTF

Filesize
162B

MD5
1bde52580d0b49e07694d397ca7b9728

SHA1
09f96c681b6276b2ffe2e6a31e62626ffcbdbe00

SHA256
325b9acdb7af6bd166a0c98a4124a97cf9869ee5f2dd73e6ba024d4fac82eb68

SHA512
3b5d130c419a29146d1ffdc57d9ff83d9fff9c813c0361742de548d22c9aab9eaf6982bec4c8ad686d2f51d666fac1e26de8013085dbd8b6bfbe98d087e999d6

Download Submit
C:\Windows\INSTALL.EXE

Filesize
785KB

MD5
c5c715bc41dd8863bee9d4054c18a776

SHA1
4a46d82a1d74d2fb89041361b09d0ff616be40e6

SHA256
770af96ad2c77b3dfbbeb639277d01487e1cba3310ef953436f4d03fd2f0d955

SHA512
502a9b58fb41f6a39a79c59d762308e85c8492ae4ba0db17008c1591b98d9b5493641e5ff75f41d2ca54a4c4ba7b7f244712f6ec0498c0386627f9a7e178b7ee

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
a43e1122468a435c6ae6a60cd30e3de9

SHA1
d1ffe6b5531828527fd08a66be790e8d898d049f

SHA256
403e10c426a22957a5bd10ca44af3de1d30d06531f36455e4b154a0cdbb934df

SHA512
b7b0f04cbff71f46a7525b80a02a3b1c0830bb7539ccefc854cb88e404e651cb483b4e1e77feb118c15d4fac6082be3c0802d5e0156a78d3d3bf1b90a68d34e1

Download Submit
C:\Windows\SysWOW64\28463\DEQE.001

Filesize
490B

MD5
82a5c42efd4caabc1ba5e3e5433dde54

SHA1
01eba9744f62ce0bd24c9a85559069698b437b80

SHA256
e98349d01775d5f93d6e7700470751a08bcbccc0912a21b33ae97a11271fd6a1

SHA512
02f6d5a86ac3f92c33b157e7f82912dadf79163222d4895925877ba58291007f6412eb39969628d050dd26d7e23bd9ca0fe54b010566059b770a81cccba9c9a3

Download Submit
C:\Windows\SysWOW64\28463\DEQE.006

Filesize
8KB

MD5
46a1750fd57f2a74c12136324fd040bf

SHA1
cf6f9fa1975bd4748fd4c2f49a7251c0f34ca38e

SHA256
c1fb8c544b603f93868941a480a2e75732181697e1563b026ac440acb10747f7

SHA512
62c60a2b7724542973a633d4b7e3d65d94024b7b36dbc04ab990634b7c2be9f45ee1375e48171463b919f9e335830ba2434c95154e7dbfcf2608502ef868af22

Download Submit
C:\Windows\SysWOW64\28463\DEQE.007

Filesize
5KB

MD5
8c3f1e556193e7171d15ebaf2ef3dd39

SHA1
a395f873258af8f0b127f9fea07190ac562c9fbb

SHA256
8dda8e9d04b81e67d444dae44570941f31eb6f32fbdd9ad61047316f13ba2586

SHA512
c275050fe29567d083a66fd70adb48be0aa3d78c7ef19cea1e5c8c165a9000df0fb8917b49365c8265a80f1167d3fcad0e27696245de79e4bb31d805c6c62165

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@C2A3.tmp

Filesize
4KB

MD5
6c399234a0f298b0ba4b77446425fa28

SHA1
ff086167b29f98bf3bd043ca0d397409ce714083

SHA256
40fcae632679e1d7cc4d4f5133758362dc3b08676bd2c631e9831226c10d5036

SHA512
0409551aa3165020dd03df2e882cdcc9247456e4e392b802a15baedc2d0b407817dbe6e1e671fa4e9834da07bbdfb35cc276ba0f9dda826c153af616ee5cc558

Download Submit
\Windows\SysWOW64\28463\DEQE.exe

Filesize
647KB

MD5
5ef8b4e9a6c2679b5940244b226d06d2

SHA1
ed775e618a237ddb8ca32769f7fceb10bd4536b0

SHA256
e3289a040cf84bce45def733a231d82c9ced3dc95d24cbcf624018563feeade9

SHA512
62a1ce5c0431479ef3945d6391a51779430511a2272b3be27d79a374e8c3c7f38b70d8c6c891d013f6fe629ddb0375a17b5f318a2e8dfbc37217fce8eb68638d

Download Submit
memory/2284-64-0x0000000002A20000-0x0000000002AFF000-memory.dmp

Filesize
892KB

Download
memory/2284-35-0x0000000002A20000-0x0000000002AFF000-memory.dmp

Filesize
892KB

Download
memory/2372-4-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2372-14-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2420-19-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2420-26-0x00000000718FD000-0x0000000071908000-memory.dmp

Filesize
44KB

Download
memory/2420-10-0x000000002F101000-0x000000002F102000-memory.dmp

Filesize
4KB

Download
memory/2420-63-0x00000000718FD000-0x0000000071908000-memory.dmp

Filesize
44KB

Download
memory/2460-37-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2460-41-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/2460-65-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2460-69-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads