ardamax

General

Target

b99694c22b3e6197dc85b9436ed9a99e_JaffaCakes118
Size

3.3MB
Sample

240823-acmndsxckn
MD5

b99694c22b3e6197dc85b9436ed9a99e
SHA1

bb898b096a8ca41f956c5cc3a80a752d13be81f9
SHA256

b241291eb130d4bdfca61e6f30f643d9f738636cd4e19360d3f1df175258c57d
SHA512

0d2be5cc7b716e99bce83fbef08d541d90cf5af54c113bd4e8db0cb191cef5c84aa378135ae101d28598f95749da55c41c99795c0a1629fdbb706bbbd317a00a
SSDEEP

98304:xkOxXFplha82mMgawxCnEA3zpMPX2iAN7ppUJrqhg0QJZtS72j4B:xH8gxYnEA1MPtY7XUJR0utOF

Score

10^/10

Malware Config

Targets

- Target
  
  AegisDll64.dll
- Size
  
  94KB
- MD5
  
  9b881ac9ba206b3ba1e98912c400c2f7
- SHA1
  
  c8227506a822ef4881fbb932a12565241005048a
- SHA256
  
  e2bbddd980a281f6af699de7048a318cc48d8084aa3e671d0c8e3b2c31108de7
- SHA512
  
  3b93580dcdeb5d585dc46a471f6f4326e4fe8e6e3143488280d714ca78842048baed51ec31defd6ca3544847f5819cd9db5adf16997d89ddbe4512d44ec9dd62
- SSDEEP
  
  1536:XtmybCE+hTh8g15sXaFpzkoRoXJOfzY8NBVfSBwjLlL+:XtZbb+lh8gEXaFpzDoXyEoBVfSBSLc
Score

1^/10
behavioral1 behavioral2
- Target
  
  G-Force.v3.exe
- Size
  
  2.2MB
- MD5
  
  db5d584b4e7805ae925ab8fd906fc793
- SHA1
  
  e9b52ff4267c016b947594b7c4b92199b26a0ea3
- SHA256
  
  2c427d26f27921f352705fdaeaeae2b8b2e3d35e781bc812a3d464d1b113d170
- SHA512
  
  479ddbcde88755e237fd8255b7b7009dbc7dfa2cc5a0ebed6856fd08b16033c7852c5f8a8be8bcf299c550afba75b9f3208f4b8464a0281f007fb2ae14fc89ee
- SSDEEP
  
  49152:uz+TTOELWGYemn7zFkGklMt/ZROnLdPrSPreU6e5+4uNof9vg5TRZXZN:uNELWGQFpklGKnLd2Prj6ephf96TRZpN
Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  Install.dll
- Size
  
  1.2MB
- MD5
  
  202354c4e56d92e8284a656d8125881a
- SHA1
  
  b7309fda1b10984d24dde01e1d4f13bcc75ec3db
- SHA256
  
  565926a75b0340e6fe22c1c10b138e239a44e5057d229cdcfdf89c3e3c468b73
- SHA512
  
  0ae307189419c1514b223b004a87047a4edfbe55e10eea8466b0c3a4e282ae42d13b1ee12cb6e4ae14d3af85b1596c3df2d1a23b079a369db4588fd593f05fb0
- SSDEEP
  
  24576:HzwTT6+f4d17AE0gOmNrFqXw9j8GY5TteUKcwYJ2Fr/MdiiDl2BwoWxfhgcAelMV:Hz+TT2178mFFqXZtBRZJ2FbMdBZpm82y
Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral5 behavioral6