General

  • Target

    5adf5054164aad4e498b051333cddac6_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240719-hkpfysxdrr

  • MD5

    5adf5054164aad4e498b051333cddac6

  • SHA1

    b48ee1e453d4fb1a179d3d8a6a928f743693b9fa

  • SHA256

    e478636ae8b59a322f86e51c501a0a2371558b7b8ce079cfb1adcfabadd7b633

  • SHA512

    8492541d3e393c228d3f9b41cee8760f92eae81081f2af9baee30913b9d5db84cd3be7d34335099059cd2e4dc05291ab0643dd812c2da390d04557f1818e17fb

  • SSDEEP

    24576:uiFK9PAU/h+cG3gUdZUrjWH8f3R5qiQ7P7AhNJ+9qsV3o:HF4PrhE9dZUuH8i5T7Ahn

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.hi2.ro
  • Port:
    21
  • Username:
    viteza11
  • Password:
    liverpool
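The extracted configuration above is the most actionable part of the report: the keylogger ships its logs over plaintext FTP, so the host, port and username show up verbatim on the control channel. As an added example (not part of the sandbox report), the following Python turns those indicators into a detection over FTP control-channel log lines. Only the host, port, username and password come from the report; the log format and every log line are constructed for illustration, and the alert model (severity levels, session pairing of USER/PASS) is the example's own.

```python
"""Detection for the FTP exfiltration channel extracted from this sample.

Added example, not part of the sandbox report. The host, port, username and
password below are the indicators the report extracted; the log format and
every log line are constructed for illustration.
"""
import re
from dataclasses import dataclass

IOC_HOST = "ftp.hi2.ro"   # from the report's "Extracted Credentials"
IOC_PORT = 21
IOC_USER = "viteza11"
IOC_PASS = "liverpool"

# Constructed log format: "<timestamp> <src_ip> -> <dst_host>:<dst_port> <FTP command> [argument]"
SAMPLE_LOG = """\
2024-07-19T10:01:02Z 10.0.0.15 -> ftp.example.org:21 USER anonymous
2024-07-19T10:01:03Z 10.0.0.15 -> ftp.example.org:21 PASS guest@
2024-07-19T10:02:10Z 10.0.0.23 -> ftp.hi2.ro:21 USER viteza11
2024-07-19T10:02:10Z 10.0.0.23 -> ftp.hi2.ro:21 PASS liverpool
2024-07-19T10:02:11Z 10.0.0.23 -> ftp.hi2.ro:21 STOR keylog_20240719.html
2024-07-19T10:05:44Z 10.0.0.40 -> ftp.hi2.ro:21 USER viteza11
2024-07-19T10:05:45Z 10.0.0.40 -> ftp.hi2.ro:21 PASS wrongpass
2024-07-19T10:06:00Z 10.0.0.40 -> ftp.hi2.ro:21 QUIT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<cmd>[A-Za-z]+)(?: (?P<arg>.*))?$"
)


@dataclass
class Alert:
    ts: str
    src: str
    severity: str   # "medium" or "high"
    reason: str


def parse_line(line: str):
    """Return a dict for one constructed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["cmd"] = rec["cmd"].upper()
    rec["arg"] = rec["arg"] or ""
    return rec


def scan_ftp_log(text: str) -> list:
    """Flag sessions that use the extracted credentials or upload to the extracted host.

    FTP sends USER and PASS as separate commands, so the last USER seen per
    (src, host, port) is remembered and paired with the PASS that follows it.
    """
    alerts = []
    last_user = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["src"], rec["host"].lower(), rec["port"])
        to_c2 = rec["host"].lower() == IOC_HOST and rec["port"] == IOC_PORT

        if rec["cmd"] == "USER":
            last_user[key] = rec["arg"]
            if rec["arg"] == IOC_USER:
                # The username alone is worth an alert: it is specific to this
                # config, and even a failed login shows the implant is running.
                alerts.append(Alert(rec["ts"], rec["src"], "medium",
                                    f"extracted username {IOC_USER!r} sent to {rec['host']}:{rec['port']}"))
        elif rec["cmd"] == "PASS":
            if last_user.get(key) == IOC_USER and rec["arg"] == IOC_PASS:
                alerts.append(Alert(rec["ts"], rec["src"], "high",
                                    f"full extracted credential pair used against {rec['host']}"))
        elif rec["cmd"] in ("STOR", "APPE") and to_c2:
            alerts.append(Alert(rec["ts"], rec["src"], "high",
                                f"upload to {IOC_HOST}: {rec['arg']}"))
    return alerts


def infected_hosts(text: str) -> set:
    """Source addresses with at least one alert: the practical triage output."""
    return {a.src for a in scan_ftp_log(text)}


if __name__ == "__main__":
    for a in scan_ftp_log(SAMPLE_LOG):
        print(f"{a.ts} {a.src} [{a.severity}] {a.reason}")
```

Two practical points. Match on the hostname rather than a resolved IP, since the FTP host can be re-pointed at any time; a Zeek ftp.log or a DNS log joined to the connection gives the name directly. And the durable indicator is host plus username: the password check here only raises severity, so the detection still fires if the operator rotates the password but keeps the account.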

Targets

    • Target

      5adf5054164aad4e498b051333cddac6_JaffaCakes118

    • Size

      1.3MB

    • MD5

      5adf5054164aad4e498b051333cddac6

    • SHA1

      b48ee1e453d4fb1a179d3d8a6a928f743693b9fa

    • SHA256

      e478636ae8b59a322f86e51c501a0a2371558b7b8ce079cfb1adcfabadd7b633

    • SHA512

      8492541d3e393c228d3f9b41cee8760f92eae81081f2af9baee30913b9d5db84cd3be7d34335099059cd2e4dc05291ab0643dd812c2da390d04557f1818e17fb

    • SSDEEP

      24576:uiFK9PAU/h+cG3gUdZUrjWH8f3R5qiQ7P7AhNJ+9qsV3o:HF4PrhE9dZUuH8i5T7Ahn

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks