ardamax | 413f84240e67722bb4283f33973be3463d2ca00c145ec760be0955f792b967ff | Triage

Submit
Reports

Overview

overview

Static

static

3

fccab87b3e...18.exe

windows7-x64

fccab87b3e...18.exe

windows10-2004-x64

Sharing

General

Target

fccab87b3e02ca1086acbb0e300e5a5d_JaffaCakes118
Size

1.3MB
Sample

240420-pw6myagh92
MD5

fccab87b3e02ca1086acbb0e300e5a5d
SHA1

1ac0a2f03888c8f4cade6194ecbe9b4e29e6e92c
SHA256

413f84240e67722bb4283f33973be3463d2ca00c145ec760be0955f792b967ff
SHA512

7e7bf6bcd3680eb41118e172c913e2380a9641634c52924692fc9137c380f085168cdeab51ff9e8f9a3a4392fa3b774ccb00c96c109c67bb02288fd8e03f80cb
SSDEEP

24576:33LJTPvKxaL7pUbhqq/dg5Pd3m6WkVHVlL4pE+eZ88rH8xXEmGQK/kwlln6a/3/b:33tT3KxaibhqSqPd0EJZBHSeQKPp6aH

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fccab87b3e02ca1086acbb0e300e5a5d_JaffaCakes118.exe

Resource

win7-20240221-en

ardamax discovery keylogger persistence stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

fccab87b3e02ca1086acbb0e300e5a5d_JaffaCakes118.exe

Resource

win10v2004-20240412-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  fccab87b3e02ca1086acbb0e300e5a5d_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  fccab87b3e02ca1086acbb0e300e5a5d
- SHA1
  
  1ac0a2f03888c8f4cade6194ecbe9b4e29e6e92c
- SHA256
  
  413f84240e67722bb4283f33973be3463d2ca00c145ec760be0955f792b967ff
- SHA512
  
  7e7bf6bcd3680eb41118e172c913e2380a9641634c52924692fc9137c380f085168cdeab51ff9e8f9a3a4392fa3b774ccb00c96c109c67bb02288fd8e03f80cb
- SSDEEP
  
  24576:33LJTPvKxaL7pUbhqq/dg5Pd3m6WkVHVlL4pE+eZ88rH8xXEmGQK/kwlln6a/3/b:33tT3KxaibhqSqPd0EJZBHSeQKPp6aH
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2024

Terms | Privacy