ardamax | 22b38ee022a7e7e2f55626a236607ce1985dcb049980802216eddce095842e25

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe
Size

1.1MB
MD5

a2381438830c9dea5950abda8fa2cf4d
SHA1

bb97b90003d7ec0e7598b26ff6723b57a8c7ede8
SHA256

22b38ee022a7e7e2f55626a236607ce1985dcb049980802216eddce095842e25
SHA512

37aac29d987e59030f47df263fa4dd3d3dfbab0963b134457cb8b38b45c893fa3d7913f0d8b7e167de73a93f951fd5532f013467e972fe50bff06372318ae157
SSDEEP

24576:FZjyFYRX2KMA9xU2QQ6RAC+UDT3tOSsqW8bSVW5:FEuxca7cRAC+UX3tKqBSc5

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0014000000018657-49.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2396	Olly.exe
2740	CJPO.exe

Loads dropped DLL 14 IoCs

pid	Process
1248	cmd.exe
1248	cmd.exe
2396	Olly.exe
2396	Olly.exe
2396	Olly.exe
2396	Olly.exe
2740	CJPO.exe
2740	CJPO.exe
2740	CJPO.exe
2936	DllHost.exe
1248	cmd.exe
2396	Olly.exe
2740	CJPO.exe
2936	DllHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\CJPO.001	Olly.exe
File created	C:\Windows\SysWOW64\28463\CJPO.006	Olly.exe
File created	C:\Windows\SysWOW64\28463\CJPO.007	Olly.exe
File created	C:\Windows\SysWOW64\28463\CJPO.exe	Olly.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Olly.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Olly.exe
File opened for modification	C:\Windows\SysWOW64\28463	CJPO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CJPO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olly.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSRuntime.dll"	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\ProgID	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\HELPDIR	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\HELPDIR\ = "%CommonProgramFiles%\\System\\ado\\"	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\0\	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\FLAGS\ = "0"	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\VersionIndependentProgID	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\HELPDIR\	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\0\win32\ = "%CommonProgramFiles%\\System\\ado\\msjro.dll"	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\FLAGS	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\ = "Oqebo.Ataja"	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\InprocServer32\	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\ProgID\ = "BCSRuntime.AssociationEntityInstanceReferencesDictionary.1"	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\0	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\TypeLib\	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\VersionIndependentProgID\	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\ = "Microsoft Jet and Replication Objects 2.6 Library"	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\0\win32\	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\FLAGS\	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\TypeLib	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\InprocServer32	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\ProgID\	CJPO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C800E1D0-D589-598B-610C-1CEF5A89A3A9}\2.6\0\win32	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\TypeLib\ = "{C800E1D0-D589-598B-610C-1CEF5A89A3A9}"	CJPO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1265F97-1DE5-485E-4D92-826AE80A5117}\VersionIndependentProgID\ = "BCSRuntime.AssociationEntityInstanceReferencesDictionary"	CJPO.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2740	CJPO.exe
Token: SeIncBasePriorityPrivilege	2740	CJPO.exe
Token: SeRestorePrivilege	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe
Token: SeBackupPrivilege	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2936	DllHost.exe
2936	DllHost.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2740	CJPO.exe
2740	CJPO.exe
2740	CJPO.exe
2740	CJPO.exe
2740	CJPO.exe
2936	DllHost.exe
2936	DllHost.exe
2936	DllHost.exe
2936	DllHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1248	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe	30
PID 2212 wrote to memory of 1248	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe	30
PID 2212 wrote to memory of 1248	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe	30
PID 2212 wrote to memory of 1248	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe	30
PID 2212 wrote to memory of 1248	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe	30
PID 2212 wrote to memory of 1248	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe	30
PID 2212 wrote to memory of 1248	2212	JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe	30
PID 1248 wrote to memory of 2396	1248	cmd.exe	32
PID 1248 wrote to memory of 2396	1248	cmd.exe	32
PID 1248 wrote to memory of 2396	1248	cmd.exe	32
PID 1248 wrote to memory of 2396	1248	cmd.exe	32
PID 1248 wrote to memory of 2396	1248	cmd.exe	32
PID 1248 wrote to memory of 2396	1248	cmd.exe	32
PID 1248 wrote to memory of 2396	1248	cmd.exe	32
PID 2396 wrote to memory of 2740	2396	Olly.exe	34
PID 2396 wrote to memory of 2740	2396	Olly.exe	34
PID 2396 wrote to memory of 2740	2396	Olly.exe	34
PID 2396 wrote to memory of 2740	2396	Olly.exe	34
PID 2396 wrote to memory of 2740	2396	Olly.exe	34
PID 2396 wrote to memory of 2740	2396	Olly.exe	34
PID 2396 wrote to memory of 2740	2396	Olly.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2381438830c9dea5950abda8fa2cf4d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Arquivos de programas\jk.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Arquivos de programas\Olly.exe
    Olly.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\28463\CJPO.exe
      "C:\Windows\system32\28463\CJPO.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2740

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\4.jpeg

Filesize
172KB

MD5
c0351960ce0aa29da4f918149d3cfe3f

SHA1
74a4e1babf879f0d2fb731d77ef114e4b058e4ab

SHA256
5e6e70d3d38ef9307f402cbc8f9c16e10c6e170a568d29e8804d933f4d29193f

SHA512
46da503e98b560c3d89789fee24248df2b5e8d7a1c4f5846752d5d59e8972b8ff43160c22addb27578959354c3898a9c57609342b01082aefaf1bcef2b72af74

Download Submit
C:\Arquivos de programas\jk.bat

Filesize
28B

MD5
fb2ad654057a9889563decebd169baf6

SHA1
eb0eef6aad39e529bc4742bcad615f8f7980e657

SHA256
357424002bbaea2ca847158c4b42bc90860013a04c2178f729f55f626b7a58cb

SHA512
6512fe8c0ff2b32d6aa571ae9350603f35ccaa7283f3c6a843e47320ff191de7b8c5755a5ea71562aacc596e65f4d6c023a7540af6d54b981a0379993008e265

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.JPG

Filesize
125KB

MD5
37716e966bbf128f2841a8f7e9f8bba7

SHA1
9cf1abfb1ac3ad3abaef63d60491e3d76e30d1df

SHA256
b4236ddd0e86537d15455f5ce484831b2769c40abe8179ae1d3c92a60844a8df

SHA512
7ed560de9d813294e3ed72dbaefe445af29e2550446afad088b36cb0876bb356eb897dea1d860efaca582adc039a24841e8e44af83657cf9fdfdf6961aa9b70f

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
828586f5f9fd7e6bd99401fe7cece954

SHA1
8eb70f4af2cec3c3dd3ec1491913369e99b7b874

SHA256
02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

SHA512
16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

Download Submit
C:\Windows\SysWOW64\28463\CJPO.001

Filesize
298B

MD5
d945741b753dc8c65bc3e23811a7de74

SHA1
43b5a06ec39bea29a21e89da8ec8f555ca59f5af

SHA256
5c34c5d27a2e44ad9398d1f30988701300687a9c4d4d9adb97866e1a3456423e

SHA512
410bc2dd4394c9a07572ecb065a2ec189d505e23890328ef5301bb20381bc3e100393da05b6909f0b3e9f54b96df5b1413f4a5d74ec06d2b7c8d1870a6f4c479

Download Submit
C:\Windows\SysWOW64\28463\CJPO.006

Filesize
8KB

MD5
69db8c925f2dd8136d956a086ed1ee41

SHA1
9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

SHA256
984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

SHA512
fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

Download Submit
C:\Windows\SysWOW64\28463\CJPO.007

Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Arquivos de programas\Olly.exe

Filesize
896KB

MD5
a4123ae48cffd1eeb6881cdcb3edae9d

SHA1
b368043362d7ccd4065e4ef78639bfd9ac3f7905

SHA256
d56f1f993340b9cf299273eddd4aa5270fbb4cc8422d870d470b45b63bc4a431

SHA512
b22fca4e1cebd02197892ad84f3d2bef0c4802d779ef3bbd3a0ac4d4177814c8936ed3a8b7150ed281a036bb16f7a3e28ce384d698b4821207252ac155bf85bd

Download Submit
\Users\Admin\AppData\Local\Temp\@BD08.tmp

Filesize
4KB

MD5
ccf39f70a662f70e7cae4cfc81255c44

SHA1
00177d41252c2a5322be8e54567a845217072e2c

SHA256
4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

SHA512
2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

Download Submit
\Windows\SysWOW64\28463\CJPO.exe

Filesize
648KB

MD5
c5ca2c96edc99cf9edf0f861d784209a

SHA1
6cb654b3eb20c85224a4849c4cc30012cabbdbaa

SHA256
0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

SHA512
aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

Download Submit
memory/1248-81-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/1248-17-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/1248-18-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2212-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-96-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2396-83-0x0000000002BC0000-0x0000000002BC2000-memory.dmp

Filesize
8KB

Download
memory/2396-59-0x0000000002A40000-0x0000000002B1F000-memory.dmp

Filesize
892KB

Download
memory/2396-23-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/2740-60-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2740-61-0x0000000000960000-0x0000000000A3F000-memory.dmp

Filesize
892KB

Download
memory/2740-101-0x0000000000960000-0x0000000000A3F000-memory.dmp

Filesize
892KB

Download
memory/2740-100-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2936-82-0x0000000000420000-0x0000000000422000-memory.dmp

Filesize
8KB

Download