General

  • Target

    94de2cedfe695207af61088717072278_JaffaCakes118

  • Size

    899KB

  • Sample

    240813-1n6thssejm

  • MD5

    94de2cedfe695207af61088717072278

  • SHA1

    0f9b8e42a8f45e9ad5f39c61a5d9003e86752952

  • SHA256

    1c30756c44979b327355331e9d9a7f422fe02069ea986919beab5e9080c08b2d

  • SHA512

    6d1ff630536a10e8fec811f85f3b108f5c2ef071e4bd03fd79dd5017882e0a0ac8645ae6558946b3681d2b2e9b52e4a611b410db4d3103e082e8c8dbe475c5b4

  • SSDEEP

    24576:3ZiM8O3U7QqA+oQqS8blWo1YGirtZ7Ekwyzs:3ZiM8OvqAEd8blB1YGyEyQ

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.angelfire.com
  • Port:
    21
  • Username:
    vedadsara
  • Password:
    rijadz
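
The extracted configuration above is enough to write a wire-level detection, because FTP sends USER and PASS in cleartext. What follows is an added example, not part of the sandbox report and not Ardamax's own code: it parses a reconstructed FTP control channel (for instance a TCP stream carved from a pcap) and flags a session that logs in to the extracted host with the extracted account. The session lines are constructed for the example, not captured; the function and field names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Indicators copied from the report's "Malware Config / Credentials" section.
EXTRACTED_FTP_CONFIG = {
    "host": "ftp.angelfire.com",
    "port": 21,
    "username": "vedadsara",
    "password": "rijadz",
}


@dataclass
class FtpSession:
    dst_host: str
    dst_port: int
    user: Optional[str] = None
    password: Optional[str] = None
    login_ok: bool = False
    uploads: List[str] = field(default_factory=list)


def parse_ftp_control(dst_host: str, dst_port: int,
                      lines: Sequence[Tuple[str, str]]) -> FtpSession:
    """Reconstruct login and upload activity from a plaintext FTP control
    channel. `lines` are (direction, text) pairs, "C" for client->server and
    "S" for server->client. USER/PASS travel unencrypted, which is why the
    extracted password can be matched directly on the wire."""
    session = FtpSession(dst_host, dst_port)
    for direction, text in lines:
        text = text.rstrip("\r\n")
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                session.user = arg
            elif verb == "PASS":
                session.password = arg
            elif verb in ("STOR", "APPE"):      # upload commands (RFC 959)
                session.uploads.append(arg)
        elif text.startswith("230"):            # 230 = "User logged in"
            session.login_ok = True
    return session


def match_extracted_config(session: FtpSession,
                           cfg=EXTRACTED_FTP_CONFIG) -> List[str]:
    """Names of the extracted indicators this session matches."""
    hits = []
    if session.dst_host.lower() == cfg["host"] and session.dst_port == cfg["port"]:
        hits.append("host")
    if session.user == cfg["username"]:
        hits.append("username")
    if session.password == cfg["password"]:
        hits.append("password")
    return hits


def verdict(session: FtpSession, cfg=EXTRACTED_FTP_CONFIG) -> str:
    """Host plus the extracted account is specific to this build. The host on
    its own is not: angelfire.com is a shared free-hosting service with many
    legitimate FTP accounts, so it only rates a partial match."""
    hits = match_extracted_config(session, cfg)
    if "host" in hits and "username" in hits:
        return "ardamax-exfil"
    return "partial" if hits else "no-match"


# Constructed control-channel exchange (not a capture) against the extracted host.
SAMPLE_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER vedadsara"),
    ("S", "331 Password required for vedadsara"),
    ("C", "PASS rijadz"),
    ("S", "230 User vedadsara logged in"),
    ("C", "TYPE I"),
    ("S", "200 Type set to I"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,19,137)"),
    ("C", "STOR log.html"),
    ("S", "150 Opening BINARY mode data connection for log.html"),
    ("S", "226 Transfer complete"),
    ("C", "QUIT"),
    ("S", "221 Goodbye"),
]

if __name__ == "__main__":
    s = parse_ftp_control("ftp.angelfire.com", 21, SAMPLE_SESSION)
    print(verdict(s), s)
```

Two caveats for anyone deploying this: the account may have been rotated or disabled since the sandbox run, so treat a host-plus-username match as the durable indicator rather than the password; and the STOR arguments give you the exfiltrated log names for scoping, which is why the parser keeps them.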

Targets

    • Target

      94de2cedfe695207af61088717072278_JaffaCakes118

    • Ardamax

      A commercial keylogger, first seen in 2013. This build's extracted configuration uploads its logs to an FTP account (see Malware Config above).

    • Ardamax main executable

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (running or not running depending on the victim's locale).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Writes a value under a Run key so the dropped executable starts again at every logon (persistence).

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory
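
The behaviour signatures above are all driven by which registry keys and files the process touches. As an added example (not part of the report, and not the sandbox's own rule logic), here is the same set of checks expressed as a matcher over a Process Monitor CSV export. The key paths are the standard Windows locations each signature refers to; the rows are constructed for the example rather than captured from this sample, and `sample.exe`, `dropped.exe` and the function names are this example's own. One practical caveat: Sysmon does not record registry reads (its registry events cover key create/delete, value set and rename), so reproducing the read-based checks needs Procmon or an ETW trace.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Signature name -> (operations that trigger it, path prefixes it applies to).
# Paths use Procmon's abbreviated HKLM/HKCU form; all are standard Windows keys.
SIGNATURES = {
    "Checks BIOS information in registry": (
        {"RegOpenKey", "RegQueryValue"},
        (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
         r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ),
    "Checks computer location settings": (
        {"RegQueryValue"},
        (r"HKCU\Control Panel\International\Geo\Nation",),
    ),
    "Checks installed software on the system": (
        {"RegOpenKey", "RegEnumKey", "RegQueryValue"},
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
         r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    ),
    "Maps connected drives based on registry": (
        {"RegOpenKey", "RegEnumValue", "RegQueryValue"},
        (r"HKLM\SYSTEM\MountedDevices",
         r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
    ),
    "Adds Run key to start application": (
        {"RegSetValue"},
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ),
    "Drops file in System32 directory": (
        {"WriteFile"},
        (r"C:\Windows\System32",),
    ),
}


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive prefix match on a path-component boundary, so that
    ...\Run does not also swallow ...\RunOnce or ...\RunOnceEx."""
    p, q = path.lower(), prefix.lower()
    return p == q or p.startswith(q + "\\")


def match_signatures(procmon_csv: str) -> Dict[str, Dict[str, List[str]]]:
    """Map process name -> {signature name -> matched paths} for a Procmon CSV
    export (columns as Procmon writes them). Processes with no hits are omitted."""
    hits = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        op, path, proc = row["Operation"], row["Path"], row["Process Name"]
        for name, (ops, prefixes) in SIGNATURES.items():
            if op in ops and any(_under(path, p) for p in prefixes):
                hits[proc][name].append(path)
    return {proc: dict(sigs) for proc, sigs in hits.items()}


# Constructed Procmon-style rows (not a capture of this sample). The VMware
# strings stand in for what a sandbox VM would return from the BIOS keys.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:32.0000001 AM","sample.exe","1234","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 26, Data: VMware, Inc."
"10:15:32.0000002 AM","sample.exe","1234","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName","SUCCESS","Type: REG_SZ, Length: 48, Data: VMware Virtual Platform"
"10:15:32.0000003 AM","sample.exe","1234","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:15:32.0000004 AM","sample.exe","1234","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Index: 0, Name: SomeApp"
"10:15:32.0000005 AM","sample.exe","1234","RegEnumValue","HKLM\SYSTEM\MountedDevices","SUCCESS","Index: 0, Name: \DosDevices\C:, Type: REG_BINARY, Length: 12"
"10:15:32.0000006 AM","sample.exe","1234","WriteFile","C:\Windows\System32\dropped.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:15:32.0000007 AM","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dropped","SUCCESS","Type: REG_SZ, Length: 64, Data: C:\Windows\System32\dropped.exe"
"10:15:32.0000008 AM","explorer.exe","800","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:32.0000009 AM","explorer.exe","800","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\x","NAME NOT FOUND",""
'''

if __name__ == "__main__":
    for proc, sigs in match_signatures(SAMPLE_PROCMON_CSV).items():
        print(proc)
        for name, paths in sigs.items():
            print("  ", name, "->", paths)
```

The Run-key row's Detail column carries the persisted command line, so when you run this against a real export, pair the "Adds Run key" hit with that Detail value to recover what the sample set to start at logon; the System32 write in the same trace tells you where the dropped binary lives.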

MITRE ATT&CK Enterprise v15

Tasks