ardamax | 53962a3c6a28fbd75623a96400965ae0998dcad817e94c3b40b1c8a911bc5892 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

cbe444d1e9...18.exe

windows7-x64

cbe444d1e9...18.exe

windows10-2004-x64

Sharing

General

Target

cbe444d1e93deec155c6a31523d639ee_JaffaCakes118
Size

487KB
Sample

240830-3t6rtatell
MD5

cbe444d1e93deec155c6a31523d639ee
SHA1

bb28e3bd88c2d7fd6388b849f403565f64bd42c7
SHA256

53962a3c6a28fbd75623a96400965ae0998dcad817e94c3b40b1c8a911bc5892
SHA512

f93bc94ab04ddc98f0ab43d736495d8661fab163cf3dcdfaba35bde93ebb8b7c6dbf55b81fc716567148fc4a92b6dee2740112aa24f5a13ee0d238c9d4fe0bac
SSDEEP

12288:DnXPOzYUHgO7F8NTKdIRacC86sBE6znNlkZyZzM0:zWkogyeTA20kEKNKsM0

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

cbe444d1e93deec155c6a31523d639ee_JaffaCakes118.exe

Resource

win7-20240708-en

ardamax discovery keylogger persistence stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

cbe444d1e93deec155c6a31523d639ee_JaffaCakes118.exe

Resource

win10v2004-20240802-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  cbe444d1e93deec155c6a31523d639ee_JaffaCakes118
- Size
  
  487KB
- MD5
  
  cbe444d1e93deec155c6a31523d639ee
- SHA1
  
  bb28e3bd88c2d7fd6388b849f403565f64bd42c7
- SHA256
  
  53962a3c6a28fbd75623a96400965ae0998dcad817e94c3b40b1c8a911bc5892
- SHA512
  
  f93bc94ab04ddc98f0ab43d736495d8661fab163cf3dcdfaba35bde93ebb8b7c6dbf55b81fc716567148fc4a92b6dee2740112aa24f5a13ee0d238c9d4fe0bac
- SSDEEP
  
  12288:DnXPOzYUHgO7F8NTKdIRacC86sBE6znNlkZyZzM0:zWkogyeTA20kEKNKsM0
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy