ardamax | d2e17a3181e5836192c6d3099e9ae8031b37a252e92052cb5681f44c2abce7fd | Triage

Submit
Reports

Overview

overview

Static

static

3

76a5c091ea...18.exe

windows7-x64

76a5c091ea...18.exe

windows10-2004-x64

Sharing

General

Target

76a5c091eadb2f7fa5b4c37f58cd636c_JaffaCakes118
Size

1017KB
Sample

241028-adj9nawapd
MD5

76a5c091eadb2f7fa5b4c37f58cd636c
SHA1

371a471f04fdfb6c5971488767591ac83cad3c1b
SHA256

d2e17a3181e5836192c6d3099e9ae8031b37a252e92052cb5681f44c2abce7fd
SHA512

54dae260ccdecc8d9c89529e4eea5145aa7eeb467973f99d36e204bed48068f134fdab17f267f1faa03ec40cf7a18b6be353c6a565c1f07d3f8cfbca1d65ca2a
SSDEEP

12288:aIcFPM260CRFAIePtDaTqVEBT4xtp0lh4TDCZhFF7EYv2rhfOZ2ccoy6wfQxbixh:XcVcDslyqVCqt+46zzlvfly/Ma0JInhf

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

76a5c091eadb2f7fa5b4c37f58cd636c_JaffaCakes118.exe

Resource

win7-20240903-en

ardamax discovery keylogger persistence stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

76a5c091eadb2f7fa5b4c37f58cd636c_JaffaCakes118.exe

Resource

win10v2004-20241007-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  76a5c091eadb2f7fa5b4c37f58cd636c_JaffaCakes118
- Size
  
  1017KB
- MD5
  
  76a5c091eadb2f7fa5b4c37f58cd636c
- SHA1
  
  371a471f04fdfb6c5971488767591ac83cad3c1b
- SHA256
  
  d2e17a3181e5836192c6d3099e9ae8031b37a252e92052cb5681f44c2abce7fd
- SHA512
  
  54dae260ccdecc8d9c89529e4eea5145aa7eeb467973f99d36e204bed48068f134fdab17f267f1faa03ec40cf7a18b6be353c6a565c1f07d3f8cfbca1d65ca2a
- SSDEEP
  
  12288:aIcFPM260CRFAIePtDaTqVEBT4xtp0lh4TDCZhFF7EYv2rhfOZ2ccoy6wfQxbixh:XcVcDslyqVCqt+46zzlvfly/Ma0JInhf
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy