General

  • Target

    a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118

  • Size

    1.8MB

  • Sample

    241126-pl3tasxmbp

  • MD5

    a1ebd31cca0808cef68bb396c1c1c56d

  • SHA1

    00405eaed613be4e596c203913ba2b7f880e94c8

  • SHA256

    e787ef308f760af58ff6611390c0de24b3e62f71f7012326c2a04679223a2c88

  • SHA512

    eac9f9bc05713a0ba533b8b9e4131b415ffa87e2eebb7af4abe158af2bb9f6e5a73f547383aad82826477a6716ab7ce33db4c499f90361cbec3c903a3394eced

  • SSDEEP

    49152:xQcXy/RF6ZWpmcYbZtxPsxc6iFyVkaner:xQcXyNpmZbZty+/0kIer

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.drivehq.com
  • Port:
    21
  • Username:
    slslasher

Targets

    • Target

      a1ebd31cca0808cef68bb396c1c1c56d_JaffaCakes118

    • Size

      1.8MB

    • MD5

      a1ebd31cca0808cef68bb396c1c1c56d

    • SHA1

      00405eaed613be4e596c203913ba2b7f880e94c8

    • SHA256

      e787ef308f760af58ff6611390c0de24b3e62f71f7012326c2a04679223a2c88

    • SHA512

      eac9f9bc05713a0ba533b8b9e4131b415ffa87e2eebb7af4abe158af2bb9f6e5a73f547383aad82826477a6716ab7ce33db4c499f90361cbec3c903a3394eced

    • SSDEEP

      49152:xQcXy/RF6ZWpmcYbZtxPsxc6iFyVkaner:xQcXyNpmZbZty+/0kIer

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks