ardamax | 64c18cbee94fc9cb7a4978f908c79356433f3c6091a928654ea8555367fb0ca0 | Triage

Sharing

General

Target

358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118
Size

1.1MB
Sample

240710-t1lksazhmc
MD5

358393682ba7a3ac9e63d0b9faa15178
SHA1

58656237e8d2299017bdcc15b4e5afda9074bf82
SHA256

64c18cbee94fc9cb7a4978f908c79356433f3c6091a928654ea8555367fb0ca0
SHA512

1739b80728187a3584eedc426498daafed943b12bb320f86bc5a23522485f9651b72581ffec7c9d7d8270e97504f9af20311156908d1309f960eb919213fd1de
SSDEEP

24576:cHvZT0d//nI2VA6hX5pdoHPPuRMp4uwUTVZKXGUWikDYRBTCr8A:kBTynImBc3AM8isGoICBTCr8

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
homecomming

Targets

- Target
  
  358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  358393682ba7a3ac9e63d0b9faa15178
- SHA1
  
  58656237e8d2299017bdcc15b4e5afda9074bf82
- SHA256
  
  64c18cbee94fc9cb7a4978f908c79356433f3c6091a928654ea8555367fb0ca0
- SHA512
  
  1739b80728187a3584eedc426498daafed943b12bb320f86bc5a23522485f9651b72581ffec7c9d7d8270e97504f9af20311156908d1309f960eb919213fd1de
- SSDEEP
  
  24576:cHvZT0d//nI2VA6hX5pdoHPPuRMp4uwUTVZKXGUWikDYRBTCr8A:kBTynImBc3AM8isGoICBTCr8
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer