ardamax | d3dc6d1359e7ad3ba3601f5b19f339ec88ee9e407024dacf77ad55e88b44b205 | Triage

Submit
Reports

Overview

overview

Static

static

3

6b18170422...18.exe

windows7-x64

6b18170422...18.exe

windows10-2004-x64

Sharing

General

Target

6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118
Size

1.3MB
Sample

240724-lknq7ssbld
MD5

6b1817042284839dbfd6c1f5175c13d7
SHA1

0e36607409ac6a4377723074ad09ac9e20c4e342
SHA256

d3dc6d1359e7ad3ba3601f5b19f339ec88ee9e407024dacf77ad55e88b44b205
SHA512

b93216e2791f29a51f5b18f1409f7e859d20114e52fc7db8585ef355f9b8ed3036a80d5da97efef51515aa2817a88b493d3c77a8062afb414781950844158243
SSDEEP

24576:yGLDngp5eo+32uLRmF0jvaUiW8DwyIZUuCOVWdaowv1okwOI1ZPVoWDoqZOPrtV4:HLo5eo+muLRFjyv7IzCKWy1jwFPVNo/s

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe

Resource

win7-20240704-en

ardamax discovery keylogger persistence stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe

Resource

win10v2004-20240709-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  6b1817042284839dbfd6c1f5175c13d7
- SHA1
  
  0e36607409ac6a4377723074ad09ac9e20c4e342
- SHA256
  
  d3dc6d1359e7ad3ba3601f5b19f339ec88ee9e407024dacf77ad55e88b44b205
- SHA512
  
  b93216e2791f29a51f5b18f1409f7e859d20114e52fc7db8585ef355f9b8ed3036a80d5da97efef51515aa2817a88b493d3c77a8062afb414781950844158243
- SSDEEP
  
  24576:yGLDngp5eo+32uLRmF0jvaUiW8DwyIZUuCOVWdaowv1okwOI1ZPVoWDoqZOPrtV4:HLo5eo+muLRFjyv7IzCKWy1jwFPVNo/s
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy