Extracted

• • Target

    98ace29e8bb6404dcc645efd782b5fe3_JaffaCakes118

  • Size

    1.6MB

  • MD5

    98ace29e8bb6404dcc645efd782b5fe3

  • SHA1

    f842537bf61da8e77426e6d6b2e612bf30cd270b

  • SHA256

    7d3d3adc082cc7503ba98ce176b48cdf22ffe1a300974b4fddcd1671a0caf7c0

  • SHA512

    0140df4ca5c25cb9eb071f7a3004c74eeb0e303ad0558f44eb5879695123f2e153857fad8b1c90b8c74d6a82bb48ac311ff7f0b8bcedb650945c5c9ed17c52dd

  • SSDEEP

    49152:Q3tTmJEOHNNoWhfIbRbOc/JEd5u3ihcIYy:QgJEU6BKds3il

  Score

  10^/10

  ardamaxdefense_evasiondiscoverykeyloggerpersistencestealersalitybackdoorevasionprivilege_escalationtrojanupx

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax

  • Ardamax main executable

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  behavioral1behavioral2