ardamax | af2cadaaaa720be13535c0409238c6b7b73e256064ce57c3120f58f32aaf2538 | Triage

Sharing

General

Target

d8cbec4b3e65277a3e0d5379eb741ad0_JaffaCakes118
Size

2.8MB
Sample

240910-w3ftesxhlq
MD5

d8cbec4b3e65277a3e0d5379eb741ad0
SHA1

5f3d45113f3b204de3501f22f0eae991ed392bb1
SHA256

af2cadaaaa720be13535c0409238c6b7b73e256064ce57c3120f58f32aaf2538
SHA512

2299a75241d09cd659111ba5d7ccdaf4a92b43ff93684934261bc2120dece89022fbf7d7bfc98a571677156743095ebc4c6955478058a4195e2018c0fe1a7037
SSDEEP

49152:/Rivo7pW5BOLro1Zj5ajB0IG6xLfPK7/gnizytn7O+kYvAT4QUD0ldgcu:/yhOLkajB31xTK74Cz+kYc4Q2YKc

Score

10^/10

ardamax hawkeye credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.gmx.net
Port:
587
Username:
[email protected]
Password:
yk;2]jNfT"&f=YH'/Q_}

Targets

- Target
  
  d8cbec4b3e65277a3e0d5379eb741ad0_JaffaCakes118
- Size
  
  2.8MB
- MD5
  
  d8cbec4b3e65277a3e0d5379eb741ad0
- SHA1
  
  5f3d45113f3b204de3501f22f0eae991ed392bb1
- SHA256
  
  af2cadaaaa720be13535c0409238c6b7b73e256064ce57c3120f58f32aaf2538
- SHA512
  
  2299a75241d09cd659111ba5d7ccdaf4a92b43ff93684934261bc2120dece89022fbf7d7bfc98a571677156743095ebc4c6955478058a4195e2018c0fe1a7037
- SSDEEP
  
  49152:/Rivo7pW5BOLro1Zj5ajB0IG6xLfPK7/gnizytn7O+kYvAT4QUD0ldgcu:/yhOLkajB31xTK74Cz+kYc4Q2YKc
Score

10^/10

ardamax hawkeye discovery keylogger persistence spyware stealer trojan credential_access
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxhawkeyediscoverykeyloggerpersistencespywarestealertrojan

behavioral2

ardamaxhawkeyecredential_accessdiscoverykeyloggerpersistencespywarestealertrojan