ardamax | 96bd4ce2033976a257a79cad48bbf8d217eff40dfca04c1c7ec145e79db5aaaf | Triage

Submit
Reports

Overview

overview

Static

static

3

d4f7ac86ac...18.exe

windows7-x64

d4f7ac86ac...18.exe

windows10-2004-x64

Sharing

General

Target

d4f7ac86ac572454315130a0ed616fff_JaffaCakes118
Size

1.1MB
Sample

240908-w9d86s1app
MD5

d4f7ac86ac572454315130a0ed616fff
SHA1

d66709c9083ee4bc0f563ab08193527d080194ed
SHA256

96bd4ce2033976a257a79cad48bbf8d217eff40dfca04c1c7ec145e79db5aaaf
SHA512

435eef70a5818574e139e104f3082f0fc8d16d3994cdee9a8ae258d33ab049ef326d90af5fb4bad27727d3ab78038dfb9c213c50a5693f10b7efdc8d76cf4edb
SSDEEP

24576:ROfVkHfxVtfx+qI+iMNa73L+TL84qc6Xx6:RONIyTjMN2LlTXx

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d4f7ac86ac572454315130a0ed616fff_JaffaCakes118.exe

Resource

win7-20240704-en

ardamax discovery keylogger persistence stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

d4f7ac86ac572454315130a0ed616fff_JaffaCakes118.exe

Resource

win10v2004-20240802-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  d4f7ac86ac572454315130a0ed616fff_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  d4f7ac86ac572454315130a0ed616fff
- SHA1
  
  d66709c9083ee4bc0f563ab08193527d080194ed
- SHA256
  
  96bd4ce2033976a257a79cad48bbf8d217eff40dfca04c1c7ec145e79db5aaaf
- SHA512
  
  435eef70a5818574e139e104f3082f0fc8d16d3994cdee9a8ae258d33ab049ef326d90af5fb4bad27727d3ab78038dfb9c213c50a5693f10b7efdc8d76cf4edb
- SSDEEP
  
  24576:ROfVkHfxVtfx+qI+iMNa73L+TL84qc6Xx6:RONIyTjMN2LlTXx
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy