Overview

overview

10

Static

static

3

ef72e24ab2...18.exe

windows7-x64

10

ef72e24ab2...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ef72e24ab26fd394f13956b3df4e7dbb_JaffaCakes118

  • Size

    512KB

  • Sample

    240414-zcrpsach92

  • MD5

    ef72e24ab26fd394f13956b3df4e7dbb

  • SHA1

    f07dc940787323a98e75275d63ff5c68bf8f7076

  • SHA256

    526f25bdae775dc2c34287399ad1187959a6e40b10dd810bb6289ec149a4323a

  • SHA512

    bf320952eff72795936e1d62356dd94dd96eebb636320e714055b8f380f017dc4ddd96cc763e37fe32ae11688480c81151f76747a5ccd51ba95a2c84bd8e8397

  • SSDEEP

    12288:Ul2+Opz90hGdqe6livhEuSIa4ocaYmoZ/yk1MGQVKiu:nVpz6Gdqe6li5u/qaLoxtMGQpu

Score
10/10
ardamaxkeyloggerpersistencestealer

Malware Config

Targets

    • Target

      ef72e24ab26fd394f13956b3df4e7dbb_JaffaCakes118

    • Size

      512KB

    • MD5

      ef72e24ab26fd394f13956b3df4e7dbb

    • SHA1

      f07dc940787323a98e75275d63ff5c68bf8f7076

    • SHA256

      526f25bdae775dc2c34287399ad1187959a6e40b10dd810bb6289ec149a4323a

    • SHA512

      bf320952eff72795936e1d62356dd94dd96eebb636320e714055b8f380f017dc4ddd96cc763e37fe32ae11688480c81151f76747a5ccd51ba95a2c84bd8e8397

    • SSDEEP

      12288:Ul2+Opz90hGdqe6livhEuSIa4ocaYmoZ/yk1MGQVKiu:nVpz6Gdqe6li5u/qaLoxtMGQpu

    Score
    10/10
    ardamaxkeyloggerpersistencestealer

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax main executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks