ardamax | 96582d1f846d311dce160fa9e3705b911493378adb8e6f03a5cd5fd0b54c0970

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/03/2025, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
Size

1.7MB
MD5

7940fb0f5edc766dda2bb8bc506f8528
SHA1

e026bdd7b840b6410ce1e5c4bdee0fe54f8b548c
SHA256

96582d1f846d311dce160fa9e3705b911493378adb8e6f03a5cd5fd0b54c0970
SHA512

b1a8a6d80a3d4ddc8972f345a643f0a819a5cd55b546010cec98e71b4bf86e5b9462f7e58d2a9d78c620bfe45172e1f67d54e71a1ae6d0041a279636af2cbe22
SSDEEP

24576:5NdvYD587wvogcEM0LzznZ30+ziOfIHHQhVlIhrhXxlvepBoyODuv0V:ODmgFxlz7fInQVIhrhzMTOyva

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001948c-9.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2912	RLJO.exe
2896	TibiaAutoSetup_1_11_2.exe

Loads dropped DLL 13 IoCs

pid	Process
3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
2896	TibiaAutoSetup_1_11_2.exe
2896	TibiaAutoSetup_1_11_2.exe
2896	TibiaAutoSetup_1_11_2.exe
2912	RLJO.exe
2896	TibiaAutoSetup_1_11_2.exe
2896	TibiaAutoSetup_1_11_2.exe
2912	RLJO.exe
2896	TibiaAutoSetup_1_11_2.exe
2896	TibiaAutoSetup_1_11_2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\RLJO.001	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File created	C:\Windows\SysWOW64\Sys\RLJO.006	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File created	C:\Windows\SysWOW64\Sys\RLJO.007	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File created	C:\Windows\SysWOW64\Sys\RLJO.exe	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File opened for modification	C:\Windows\SysWOW64\Sys	RLJO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RLJO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TibiaAutoSetup_1_11_2.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000019490-22.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	TibiaAutoSetup_1_11_2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2912	RLJO.exe
Token: SeIncBasePriorityPrivilege	2912	RLJO.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2912	RLJO.exe
2912	RLJO.exe
2912	RLJO.exe
2912	RLJO.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2912	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	30
PID 3012 wrote to memory of 2912	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	30
PID 3012 wrote to memory of 2912	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	30
PID 3012 wrote to memory of 2912	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	30
PID 3012 wrote to memory of 2896	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	31
PID 3012 wrote to memory of 2896	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	31
PID 3012 wrote to memory of 2896	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	31
PID 3012 wrote to memory of 2896	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	31
PID 3012 wrote to memory of 2896	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	31
PID 3012 wrote to memory of 2896	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	31
PID 3012 wrote to memory of 2896	3012	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Sys\RLJO.exe
  "C:\Windows\system32\Sys\RLJO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\TibiaAutoSetup_1_11_2.exe
  "C:\Users\Admin\AppData\Local\Temp\TibiaAutoSetup_1_11_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj9C51.tmp\installPageTibiaClient.ini

Filesize
157B

MD5
f4e933ea08b8e82c99b6b91d1f9532b9

SHA1
16ce79052fc283adcc2a8e608575f0c2de614bad

SHA256
68c4ce4bdaf878e1803da299e9c8570259157ea221a77da4df47f5faebc9100e

SHA512
4da59674ebe32365887cca5d2191e7117b84947896afa0db3b49a5b5d9e33baab50d17a958bfcf588130634f5231bd8914d803aec9e6d6312a5446a2d86c6c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C51.tmp\installPageTibiaClient.ini

Filesize
170B

MD5
65973351c98ee022846bb98f74c9b3ce

SHA1
60eceaac7b068c8ce41a3de2ea8e7f71a52a86d7

SHA256
103ddbc0990f9ed2e3d4a4d2db366622c569c6453371232c7c24351f2b0ea83b

SHA512
10c1edf852e35bd6b569a5bad19da0c048e11c2cc015fe066f8cea993bf6a8ac8855a1d500a99fdd831eee46f33ba9341a082e628b9189bf4bbcc31280ccba03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9C51.tmp\ioSpecial.ini

Filesize
702B

MD5
9ab838ca039c36e7b187089f5c87852c

SHA1
361a27001c94e1a652a63d4966f986444bf6505f

SHA256
5d5df5817c562250f4c6aba22bd4c35b0233de2d0b34011d8e9965b09e4528d5

SHA512
5081150f09d25aba36b0b53bbc335d51700fb8bf32f5b77aca60ab18e2605b092a9e1600e4fb4a0ed7db2f641023ba1b8936e2d23cf60a14668a3b79baa5db26

Download Submit
C:\Windows\SysWOW64\Sys\RLJO.001

Filesize
3KB

MD5
61c7ee56cfc2120dae8039a10dbcad32

SHA1
58796160aa012fc326ee2fd45a27ec17e0a5c317

SHA256
2d74cf64a5f638a0c164289872937310390a3e1cd6553500e6ffee658f5db727

SHA512
7d07e37b1c6e2167a3c77624ccfa866a53e43f811dd7ff1ece4858fd6a82300e8ff436a8b67db0f42e1b52a09e4f96942cca5f2c7ecd2e6e2a2b58e63b54e53a

Download Submit
C:\Windows\SysWOW64\Sys\RLJO.006

Filesize
5KB

MD5
271bbf07cc8006c3335db6fc21622be4

SHA1
cb0caf39bc1cab16ec8a39d6a11160865703c329

SHA256
5d6e4701d424e8e095b95c98f87bb1946ac0254bd089d128c4a4c3e5b13ed5d7

SHA512
65dd41d4bb119d1f3801dc3097254e967d747661c83bfe0cd3c061441b63e1dd4928a0476fbd4a015631ecf1d511d2f66ec87f2bd078b6bce0b86fdb659392c8

Download Submit
C:\Windows\SysWOW64\Sys\RLJO.007

Filesize
4KB

MD5
2d8ec35eb48bf5cbc8c38a7a8d6cfa51

SHA1
4f43dc1a30731acba6d33b52c3970c9815f5be34

SHA256
7b6d9330aba21844b6f267489d29f0e10b4beea3a749b72d5dec9e8761c98d3e

SHA512
0a2f41f3e88132e56f7ce3c83e24753c80c9344011b0dcd943def8733b79d197e10ad5fba82be08f0054ec5d4c9af731f1a1eb4e041a93cd81c25b364087176e

Download Submit
\Users\Admin\AppData\Local\Temp\@9666.tmp

Filesize
4KB

MD5
b8416a532c8e995dfb2789ff77fa5618

SHA1
b5421c4f4ae3f27a9278b60d6ef683deb3111251

SHA256
f93ff177d9d79a04d8a35a57689e9977babf939de260f27fbc832c0be981ca89

SHA512
30dcc35db52f723490ea03df3abe5efc9374035a339f060a7468cae79bf8ba379538a87ad5217f0f0e06b741fe6497917b4226e65ac9c0e3026900244c3094b3

Download Submit
\Users\Admin\AppData\Local\Temp\TibiaAutoSetup_1_11_2.exe

Filesize
1.4MB

MD5
4d5879fb1bab0edd4264ec247d82e741

SHA1
f905192cc62a8ed2043728c725ff794cd38f8d7d

SHA256
c911f3024cdfef36ec4db437642dcb6ee2464627e4fb6b5bf3132b272f88f1ce

SHA512
d5be389069a47bb70d589908035d55898ba99599a5093d19c7dc612b9674d8e29fe4a34ce00ab165d9973abc1e37d4e48308daffd491f02661bb3462a590986e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9C51.tmp\InstallOptions.dll

Filesize
12KB

MD5
444e1109d960c307df0ca2b33a24731b

SHA1
55e3b57d06128911ed4af44858d199d9b1945edc

SHA256
b3ba181120cd5b57e2cd5435bbd64c3257f7525ade359f89554e93f466692125

SHA512
9efdb45ee0eae73c24d3f01ff799160090f2b1f0f28ee8da3af52992fec220bf905070ce5a6cc1b5657642440ad29c22bc6889cd3ee1f674a908a935dcf4c2a8

Download Submit
\Windows\SysWOW64\Sys\RLJO.exe

Filesize
468KB

MD5
62401443a0feeb13a9940fcc78558090

SHA1
6200cf99b3a6a1bebde29378a6260ddf92d13370

SHA256
69761c67078239fa4e05676e0974f7d7410de0f6f00d19f8f69c9a180c0d5de7

SHA512
2001aa6875728c2ba75b1f8ee44fbb87a508598194f5ed6e5945292c2eb67874c3bc619da84a107ac0e5bc83748625eadcae0ccbd9f1f5414575db3fc3e92ce0

Download Submit
memory/2912-113-0x0000000077DDF000-0x0000000077DE0000-memory.dmp

Filesize
4KB

Download
memory/2912-118-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2912-24-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download