ardamax | 2ebaf3995b8b37633d1edc430400babf4003a089af6a426a6cedbe3317c506d4 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

badade515d...18.exe

windows7-x64

badade515d...18.exe

windows10-2004-x64

Sharing

General

Target

badade515d65ee31fbf921b3d762520e_JaffaCakes118
Size

1.4MB
Sample

240823-jdm5zssajd
MD5

badade515d65ee31fbf921b3d762520e
SHA1

5c40c00004934de7611b485a640997e140ea0672
SHA256

2ebaf3995b8b37633d1edc430400babf4003a089af6a426a6cedbe3317c506d4
SHA512

8a6fedde89261af311dc55c74f66d3e3716b3ca9bd5d6ad766dd48aea22ec158f08bdf29c5a99746c4f30033a72e385b718918d19e72d910f8bee31ac2f80346
SSDEEP

24576:C61riDJ3Xx8QtA1ibr2cHrOqZnHyfAfNhCQJkz3S7ih3+DxDlQgTBqk3l:C0u3zzigSENkyr+hOdDlQNO

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

badade515d65ee31fbf921b3d762520e_JaffaCakes118.exe

Resource

win7-20240708-en

ardamax discovery keylogger persistence stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

badade515d65ee31fbf921b3d762520e_JaffaCakes118.exe

Resource

win10v2004-20240802-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  badade515d65ee31fbf921b3d762520e_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  badade515d65ee31fbf921b3d762520e
- SHA1
  
  5c40c00004934de7611b485a640997e140ea0672
- SHA256
  
  2ebaf3995b8b37633d1edc430400babf4003a089af6a426a6cedbe3317c506d4
- SHA512
  
  8a6fedde89261af311dc55c74f66d3e3716b3ca9bd5d6ad766dd48aea22ec158f08bdf29c5a99746c4f30033a72e385b718918d19e72d910f8bee31ac2f80346
- SSDEEP
  
  24576:C61riDJ3Xx8QtA1ibr2cHrOqZnHyfAfNhCQJkz3S7ih3+DxDlQgTBqk3l:C0u3zzigSENkyr+hOdDlQNO
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy