ardamax | 96582d1f846d311dce160fa9e3705b911493378adb8e6f03a5cd5fd0b54c0970

Analysis

max time kernel
104s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
Size

1.7MB
MD5

7940fb0f5edc766dda2bb8bc506f8528
SHA1

e026bdd7b840b6410ce1e5c4bdee0fe54f8b548c
SHA256

96582d1f846d311dce160fa9e3705b911493378adb8e6f03a5cd5fd0b54c0970
SHA512

b1a8a6d80a3d4ddc8972f345a643f0a819a5cd55b546010cec98e71b4bf86e5b9462f7e58d2a9d78c620bfe45172e1f67d54e71a1ae6d0041a279636af2cbe22
SSDEEP

24576:5NdvYD587wvogcEM0LzznZ30+ziOfIHHQhVlIhrhXxlvepBoyODuv0V:ODmgFxlz7fInQVIhrhzMTOyva

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002430a-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe

Executes dropped EXE 2 IoCs

pid	Process
3228	RLJO.exe
3272	TibiaAutoSetup_1_11_2.exe

Loads dropped DLL 11 IoCs

pid	Process
4344	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
3228	RLJO.exe
3272	TibiaAutoSetup_1_11_2.exe
3228	RLJO.exe
3228	RLJO.exe
3272	TibiaAutoSetup_1_11_2.exe
3272	TibiaAutoSetup_1_11_2.exe
3272	TibiaAutoSetup_1_11_2.exe
3272	TibiaAutoSetup_1_11_2.exe
3272	TibiaAutoSetup_1_11_2.exe
3272	TibiaAutoSetup_1_11_2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\RLJO.001	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File created	C:\Windows\SysWOW64\Sys\RLJO.006	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File created	C:\Windows\SysWOW64\Sys\RLJO.007	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File created	C:\Windows\SysWOW64\Sys\RLJO.exe	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
File opened for modification	C:\Windows\SysWOW64\Sys	RLJO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RLJO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TibiaAutoSetup_1_11_2.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002430b-24.dat	nsis_installer_1

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3228	RLJO.exe
Token: SeIncBasePriorityPrivilege	3228	RLJO.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3228	RLJO.exe
3228	RLJO.exe
3228	RLJO.exe
3228	RLJO.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3228	4344	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	89
PID 4344 wrote to memory of 3228	4344	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	89
PID 4344 wrote to memory of 3228	4344	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	89
PID 4344 wrote to memory of 3272	4344	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	90
PID 4344 wrote to memory of 3272	4344	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	90
PID 4344 wrote to memory of 3272	4344	JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7940fb0f5edc766dda2bb8bc506f8528.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\Sys\RLJO.exe
  "C:\Windows\system32\Sys\RLJO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3228
- C:\Users\Admin\AppData\Local\Temp\TibiaAutoSetup_1_11_2.exe
  "C:\Users\Admin\AppData\Local\Temp\TibiaAutoSetup_1_11_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@7ED5.tmp

Filesize
4KB

MD5
b8416a532c8e995dfb2789ff77fa5618

SHA1
b5421c4f4ae3f27a9278b60d6ef683deb3111251

SHA256
f93ff177d9d79a04d8a35a57689e9977babf939de260f27fbc832c0be981ca89

SHA512
30dcc35db52f723490ea03df3abe5efc9374035a339f060a7468cae79bf8ba379538a87ad5217f0f0e06b741fe6497917b4226e65ac9c0e3026900244c3094b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TibiaAutoSetup_1_11_2.exe

Filesize
1.4MB

MD5
4d5879fb1bab0edd4264ec247d82e741

SHA1
f905192cc62a8ed2043728c725ff794cd38f8d7d

SHA256
c911f3024cdfef36ec4db437642dcb6ee2464627e4fb6b5bf3132b272f88f1ce

SHA512
d5be389069a47bb70d589908035d55898ba99599a5093d19c7dc612b9674d8e29fe4a34ce00ab165d9973abc1e37d4e48308daffd491f02661bb3462a590986e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss80DA.tmp\InstallOptions.dll

Filesize
12KB

MD5
444e1109d960c307df0ca2b33a24731b

SHA1
55e3b57d06128911ed4af44858d199d9b1945edc

SHA256
b3ba181120cd5b57e2cd5435bbd64c3257f7525ade359f89554e93f466692125

SHA512
9efdb45ee0eae73c24d3f01ff799160090f2b1f0f28ee8da3af52992fec220bf905070ce5a6cc1b5657642440ad29c22bc6889cd3ee1f674a908a935dcf4c2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss80DA.tmp\installPageTibiaClient.ini

Filesize
170B

MD5
aded140d6b8f55ce5ec70a4f376415e4

SHA1
f9b9553d5064aee179d17dc1055089e72a960dbc

SHA256
a6623f32a0141f9f58991a178361f47622430c0aea2feeb67395ef508e94f909

SHA512
fd34283842b3de0d88cb5554ab5a9b032b6ffc479c48e7114aa3cc56e2a6a1e020e75bdfe8737489c22215b83922f025d299db1e4f2069df7148f5daec2539d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss80DA.tmp\ioSpecial.ini

Filesize
702B

MD5
1c555f03a260a078b5625e2c8377fbec

SHA1
c9eb996ce511b50140578d0a73dfcbc831104fe9

SHA256
bf5a1704aa983ae8ef68edbe1e08dafadbb84aaf0dba2e630b14dacece091779

SHA512
9f3082202d04ff3a8150d5aa64f674e501a2572f20d0a27c5f26543d54b7e2283b099af196ba3501aa5fcebe42baf3d216e671326fddbd21e606fb3907584765

Download Submit
C:\Windows\SysWOW64\Sys\RLJO.001

Filesize
3KB

MD5
61c7ee56cfc2120dae8039a10dbcad32

SHA1
58796160aa012fc326ee2fd45a27ec17e0a5c317

SHA256
2d74cf64a5f638a0c164289872937310390a3e1cd6553500e6ffee658f5db727

SHA512
7d07e37b1c6e2167a3c77624ccfa866a53e43f811dd7ff1ece4858fd6a82300e8ff436a8b67db0f42e1b52a09e4f96942cca5f2c7ecd2e6e2a2b58e63b54e53a

Download Submit
C:\Windows\SysWOW64\Sys\RLJO.006

Filesize
5KB

MD5
271bbf07cc8006c3335db6fc21622be4

SHA1
cb0caf39bc1cab16ec8a39d6a11160865703c329

SHA256
5d6e4701d424e8e095b95c98f87bb1946ac0254bd089d128c4a4c3e5b13ed5d7

SHA512
65dd41d4bb119d1f3801dc3097254e967d747661c83bfe0cd3c061441b63e1dd4928a0476fbd4a015631ecf1d511d2f66ec87f2bd078b6bce0b86fdb659392c8

Download Submit
C:\Windows\SysWOW64\Sys\RLJO.007

Filesize
4KB

MD5
2d8ec35eb48bf5cbc8c38a7a8d6cfa51

SHA1
4f43dc1a30731acba6d33b52c3970c9815f5be34

SHA256
7b6d9330aba21844b6f267489d29f0e10b4beea3a749b72d5dec9e8761c98d3e

SHA512
0a2f41f3e88132e56f7ce3c83e24753c80c9344011b0dcd943def8733b79d197e10ad5fba82be08f0054ec5d4c9af731f1a1eb4e041a93cd81c25b364087176e

Download Submit
C:\Windows\SysWOW64\Sys\RLJO.exe

Filesize
468KB

MD5
62401443a0feeb13a9940fcc78558090

SHA1
6200cf99b3a6a1bebde29378a6260ddf92d13370

SHA256
69761c67078239fa4e05676e0974f7d7410de0f6f00d19f8f69c9a180c0d5de7

SHA512
2001aa6875728c2ba75b1f8ee44fbb87a508598194f5ed6e5945292c2eb67874c3bc619da84a107ac0e5bc83748625eadcae0ccbd9f1f5414575db3fc3e92ce0

Download Submit
memory/3228-22-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/3228-118-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download