General

  • Target

    5a6277b26ac10b1c32f17a6981c00e09_JaffaCakes118

  • Size

    1.6MB

  • Sample

    240719-ek648avepc

  • MD5

    5a6277b26ac10b1c32f17a6981c00e09

  • SHA1

    157565cfd9a2aa677fc71000e54649618a9f2ade

  • SHA256

    96d6553cefc3e62741da5075c8cf651dbf2590bc89be0e03848bf428465525b4

  • SHA512

    756f551ffb22cc6ddbd8c48e52a8b3ca409fe7276b511d53e79c463fe5807f19166b8e49af916efece9f81eccd99ec69056917485f144e279bb375de9be21095

  • SSDEEP

    24576:oCwMV6flveP8NA2i2UtrqlcjTuZ1iuF7hEm90a6tElipicaGZak5R3115b+ZDymE:oCwhfl20CdvGi67KREYgcDj3ZbC/5J6X

Targets

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Modifies WinLogon for persistence

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Modifies WinLogon

    • Drops file in System32 directory
