General

  • Target

    a81604d0c7b6350b40bd0635ce4328d0_JaffaCakes118

  • Size

    3.5MB

  • Sample

    241127-qt8vysvqb1

  • MD5

    a81604d0c7b6350b40bd0635ce4328d0

  • SHA1

    3622fe4c275e411a46b2554a8a7ee7a2396963aa

  • SHA256

    e8a799c07a4b4beabe65eb402c920a8492b4738d2ff2b41f925912d0c7371c84

  • SHA512

    1f0e960e1b7b6f9d6b8106f0e20e19247d99764095c58a4d37728e1d23b65b264b198452ca8f18365d91ff9315e3c5e09404e436e8d8fbbed12583ac8b332613

  • SSDEEP

    24576:vjX2TdqIQz+gdNvpmeryhm1iXhPD93arPRQQlMErsv3kMQyLU0w8kU7x7vFqWDfD:Qm16nWRPlnrs4dj8pw6YannJWkdoHC

Targets

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks