ardamax

Sharing

Copy URL

Twitter E-mail

General

Target

1b8b79bcda60d12bad101dc29068a8cc_JaffaCakes118
Size

1.2MB
Sample

241007-fctplazhkb
MD5

1b8b79bcda60d12bad101dc29068a8cc
SHA1

46ee835e66600c79ec4b4c77f902e8e1dbf5b3d2
SHA256

dcf17478f68747f86b700d851264b320ee6da328e5727dca1b31d442a3732fc0
SHA512

e82afb1c7fa39fc2836dc53e9ffeba90dc0cadc8a860803519bc07615fd7cb2d9a80a00a0f73795ec246411c9f203a59521b35fccdd1dfb24145ba2b9a1e38b8
SSDEEP

24576:K7e/4tGpv7GPE7dupqi5K3syLPOm5spsBHpY2/v8HOK8lM905WqWTWOKCdIG9rWD:K704tBg0pqi5K3ZjO+HpYN18lMSDsW0a

Score

10^/10

Malware Config

Targets

- Target
  
  ChipF2/COMCTL32.OCX
- Size
  
  594KB
- MD5
  
  eb5f811c1f78005b3c147599a0cccf51
- SHA1
  
  19e8153569d1379634ba9d12e84dc35b10faf689
- SHA256
  
  bf4147f8a12bec3d54e3ef941475e29d852a1876117c6ce88f47b882ef6d4a03
- SHA512
  
  2eeed9e02c2fbff39c021340a8fa10417a47e243ae2d6d5a54e3e69114dccb402f2d836500c6d771ff971cf0070def3004f3e828a9e7686ef0e1457e1583ecec
- SSDEEP
  
  12288:0kec4KwGf99MSOeMkeXrnhIcVthDGn2mwCyP9tDCcrcJIVul+:0k6nTSXJI4l+
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  ChipF2/ChipF2.exe
- Size
  
  912KB
- MD5
  
  cb41e78b64e9459e5f4fc83ce12c6c0d
- SHA1
  
  be412bff1a4a949898744247a470a060057f20dc
- SHA256
  
  548008daee9a511e6832db60ba4f3b6f91aefaec15954afccb7bfef961e10f5a
- SHA512
  
  a38f96a4a2ec6cb8f39c28a0633d6f50aa9ddcc343ee725d9564cac6eb8aa661eb52d8b3ca6df80da7abb890c3ba5b14b0542621ff0b7a93a54d9db2c212480e
- SSDEEP
  
  24576:Zg7m3eylqgxejMherIK1dxgPCdTz+I6uW62UJSn+YPV7KZeVCNstGi:peylpxejMherIK1dxgPCdTz+I6uW62UG
Score

4^/10

discovery
behavioral3 behavioral4
- Target
  
  ChipF2/Comdlg32.ocx
- Size
  
  194KB
- MD5
  
  6785b09fc2d286f88944718acee94b52
- SHA1
  
  4c975eb844e2f886f158520d109340c60df3e021
- SHA256
  
  9ac63dcf5a2437ed43cb143479ec4a810915017d8eb138a7fede88867e2a8121
- SHA512
  
  46a536f0a7515a041d44d6ff736428d589724109ecb7e22ad71662c1073d823906f8d1c89efe4bf7bea9a035721e939845349628b566786384b26187495bf206
- SSDEEP
  
  3072:uTc9k21jfZZHhCMLvARkFRCJBiB/aulJrwo2CocrJbQN6N2TRqESd3:uTAP9LRFR+qJ0oDxQRHK
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  ChipF2/Hook.dll
- Size
  
  44KB
- MD5
  
  1a78589157e4f49e3191360c7b4e781c
- SHA1
  
  e3aa4708f9c062e3f64964ffb2c9de2429394639
- SHA256
  
  f8dc0c3372ded6a26201b41b5cef09e1df57a6c39467c4bc75f07d3eaf54f037
- SHA512
  
  35cd195b6e4feae0753c698899d984295639a7ae0aa024c2b4a21995967ea395516ca1025d904ace3adf3f8112aae981e6aa9f8263010b69a499378158d1b063
- SSDEEP
  
  768:8AzP/joXQKNVTTWojxJoqbs1cq4VvUd0xzuYZoUl:8ADbKTTNxJoqw563fog
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  ChipF2/Install.exe
- Size
  
  567KB
- MD5
  
  8aab1cda67f5a739ccf4b770b9c252bc
- SHA1
  
  e1944e75a61572e0868746908025132c7d496ddc
- SHA256
  
  8ff446f870cb449b04c9f354c5a9b492b3edc916c650e52318a24c11f80444bd
- SHA512
  
  6c156dbedf6659f36dc084ca2a4282212062b1afe561288b069b3c33fa7c80520cc714b6cdcf96cde244190b90d4033b29dc3c4d473e9de437869a0b7f0a1fd9
- SSDEEP
  
  12288:xE6AVFSQnlAc1oA7musIaxY+xYDlyR1qUMFrXu+2lhLa6f5d8fpmebz1:oVtppnanIUMFrulR/5dqR
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Ardamax main executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10