General

  • Target

    7a0a68789a27b734e85fd5a2cf87dd71_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240730-z1fbnaygkl

  • MD5

    7a0a68789a27b734e85fd5a2cf87dd71

  • SHA1

    4a56bd1f82931786583661f3f8497a5716905db8

  • SHA256

    8f21f79872d5464fa516c9d71af269757acc2c558657ee73593028bc544a5b3b

  • SHA512

    bcd6db40a6ebfdf5328163551150fe00c4160cc2b354caae74e85b69c6b6f026859141459bbda742b04d2c7a678363c27861444dd9902cabce359c1bb9d97c5c

  • SSDEEP

    24576:Z/6GrWipCSBOfKoJtVKEHIys01hkc9GyXt/iZrZ8tZRXfjfZxQg9p13waz5J:U6jC/yUHs+h/9GWtqZrZ8tZRXfjIgxpf

Targets

    • Target

      RsClient.exe

    • Size

      1.2MB

    • MD5

      e024b24af0e1ef588848965213667812

    • SHA1

      eb756777047dde576365bad023f5402b3cfce21c

    • SHA256

      57052b19ec30d1c8a5fb21816bb8a41d83106a589bbbd6e984604f4a945e9408

    • SHA512

      53652436264058b03b3afbc408e659e18ace415b570c2541deb0f16e51fc6e1de0c9376c9c24b6356cb5b21948377b4d94601ddd4c396e228cf92e20c35b59c2

    • SSDEEP

      24576:d0NzTFeoTgwR17lrWy4iGiEA0NkXYPp1aZM23+JOp++ufdAOouY0MCNZYTjaMLoQ:d0pTFeoTtT5rWy4iGiSkqeytJO81dYZw

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check before the keylogger runs.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Drops file in System32 directory
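
The signatures above describe observable registry, file and process behaviour rather than anything specific to this binary. As an added example (not part of this Triage report and not the sample's real trace), the Python below matches those six signature names against a constructed, normalised event trace. The event schema, the hypothetical file names under System32 and the registry paths used as indicators (Control Panel\International and Nls\Language for the country code, CurrentVersion\Run for persistence, CurrentVersion\Uninstall for installed-software enumeration) are assumptions based on standard Windows locations, not values taken from the report.

```python
"""Match sandbox-style behaviour signatures against a normalised event trace.

Constructed example: the event schema, file names and sample trace below
are invented for illustration and are not Triage's format or the real trace
of the analysed sample.
"""
from typing import Iterable

# Registry locations used as indicators (assumed from standard Windows layout;
# substrings so that Wow6432Node variants also match).
RUN_KEY = r"\currentversion\run"
UNINSTALL_KEY = r"\currentversion\uninstall"
LOCATION_KEYS = (r"\control panel\international", r"\control\nls\language")
SYSTEM32 = "c:\\windows\\system32\\"


def _norm(path: str) -> str:
    """Lower-case, backslash-normalise and strip a trailing separator."""
    return path.replace("/", "\\").lower().rstrip("\\")


def match_signatures(events: Iterable[dict]) -> list[str]:
    """Return the sorted signature names triggered by an ordered event trace.

    Each event is a dict with an ``op`` in {reg_read, reg_write, file_write,
    process_create, image_load} and a ``path``; registry events may carry a
    ``value`` name. Order matters: a file only counts as "dropped" once a
    file_write for it has been seen earlier in the trace.
    """
    hits: set[str] = set()
    dropped: set[str] = set()
    for ev in events:
        op, path = ev["op"], _norm(ev["path"])
        if op == "reg_read":
            if any(key in path for key in LOCATION_KEYS):
                hits.add("Checks computer location settings")
            if UNINSTALL_KEY in path:
                hits.add("Checks installed software on the system")
        elif op == "reg_write":
            if path.endswith(RUN_KEY):
                hits.add("Adds Run key to start application")
        elif op == "file_write":
            dropped.add(path)
            if path.startswith(SYSTEM32):
                hits.add("Drops file in System32 directory")
        elif op == "process_create":
            if path in dropped:
                hits.add("Executes dropped EXE")
        elif op == "image_load":
            if path in dropped and path.endswith(".dll"):
                hits.add("Loads dropped DLL")
    return sorted(hits)


# Constructed trace: the file names are placeholders, not the sample's real paths.
SAMPLE_TRACE = [
    {"op": "reg_read", "path": r"HKCU\Control Panel\International", "value": "iCountry"},
    {"op": "reg_read", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp",
     "value": "DisplayName"},
    {"op": "file_write", "path": r"C:\Windows\System32\example_dropped.exe"},
    {"op": "file_write", "path": r"C:\Windows\System32\example_hook.dll"},
    {"op": "reg_write", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "ExampleEntry"},
    {"op": "process_create", "path": r"C:\Windows\System32\example_dropped.exe"},
    {"op": "image_load", "path": r"C:\Windows\System32\example_hook.dll"},
    # Benign noise that must not trigger anything:
    {"op": "reg_read", "path": r"HKCU\Software\ExampleVendor\Settings", "value": "Theme"},
    {"op": "process_create", "path": r"C:\Windows\System32\notepad.exe"},
]

# Constructed trace where the executable runs before any write to it was seen,
# so it must not be treated as a dropped file.
NOT_DROPPED_TRACE = [
    {"op": "process_create", "path": r"C:\Users\Public\tool.exe"},
    {"op": "file_write", "path": r"C:\Users\Public\tool.exe"},
]

if __name__ == "__main__":
    for name in match_signatures(SAMPLE_TRACE):
        print(name)
```

One caveat when turning these signatures into endpoint detections: the two registry lookups (location settings, Uninstall entries) are reads, which a sandbox sees through API hooking but which Sysmon does not log (its registry events 12 and 13 cover key creation and value sets). On a production host, only the Run-key write, the file drops under System32 and the subsequent execution or loading of those dropped files are directly observable from standard telemetry.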

MITRE ATT&CK Enterprise v15
