General

  • Target

    a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118

  • Size

    2.0MB

  • Sample

    241127-na2lesxpbr

  • MD5

    a791021f9f08803dd8fe1b7929645e5b

  • SHA1

    2e242194f3c0e48202be24217df7b68a885be688

  • SHA256

    ba4544516d049bac33dc73c85310f8ca3f78d7c0580f1ab4cf2f2e6014470401

  • SHA512

    f54eebb6e7ce20c5575209981db218e1e4c641a0a0a99cbb152acda0b2b8f0c2d32cf5785ba1de45b8fc6cfa1ee29f631e39748f44df4767a53f1abefe698bfe

  • SSDEEP

    49152:yoTXykbXtSwmx9pVoP4AfR9y1aDhFYqDQwD1D4M+CP6iGhIS7UjI1p:etw2VoQAfR9Fdn5hnGhIWUjI1

Malware Config

Targets

    • Target

      a791021f9f08803dd8fe1b7929645e5b_JaffaCakes118

    • Size

      2.0MB

    • MD5

      a791021f9f08803dd8fe1b7929645e5b

    • SHA1

      2e242194f3c0e48202be24217df7b68a885be688

    • SHA256

      ba4544516d049bac33dc73c85310f8ca3f78d7c0580f1ab4cf2f2e6014470401

    • SHA512

      f54eebb6e7ce20c5575209981db218e1e4c641a0a0a99cbb152acda0b2b8f0c2d32cf5785ba1de45b8fc6cfa1ee29f631e39748f44df4767a53f1abefe698bfe

    • SSDEEP

      49152:yoTXykbXtSwmx9pVoP4AfR9y1aDhFYqDQwD1D4M+CP6iGhIS7UjI1p:etw2VoQAfR9Fdn5hnGhIWUjI1

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks