General

  • Target

    bb30e803849068c644c9d90c475b63b9_JaffaCakes118

  • Size

    1.2MB

  • Sample

    241203-cbtrestng1

  • MD5

    bb30e803849068c644c9d90c475b63b9

  • SHA1

    02a176ab43a351b9ba2dc19cd7eb3b5522a0881f

  • SHA256

    99e10e5b9cb36d1c54816ef6ce4359663b47c110a194d3498f23deb53916ca0d

  • SHA512

    975a4acba9dd7a9be484081c2b628d537ef0ff5020ac8607629ebf81733fb22149e1d757a9b2f7ed01b11f41884b4998516afd839224966e99b831ce39f0ba0f

  • SSDEEP

    24576:x2iFgTlNy7voh3LWS3+4PZu8te4XNUTAkssZEgY7PkZ7yzVXL9LtnWU:x2iGTlNy8RLZ/PZ9tyUQZiPkZmzNLnnz

Targets

    • Target

      Install.exe

    • Size

      1.1MB

    • MD5

      ade23339d6c324d78c73ffc160db7095

    • SHA1

      5bb57a3e4fa5f89987de193069e613684d20c17c

    • SHA256

      4e4e83cec2a9816b3aa530d8f6cc58ba7433dd437265fcc67b0925859b295732

    • SHA512

      b7615ab01b1bec22fa0e488b50287cfe0d8f698bd8f83823825a2740421baf0359773d9d3b622f4f2e4bc4c8c04da6a6faf9dd65e6539416ef98c91e83480399

    • SSDEEP

      24576:MSE1TN+ewFToPILS5Jh6iUkieaaUpTRksTBqyI7PWZcygx0r9Mt6g:MSYTTwywLWD6ivirtnBqPWZzgWr06

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence to decide whether to run on the host.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Target

      xFire.exe

    • Size

      536KB

    • MD5

      34bf62f4c02887b3cd14a9c544453b3c

    • SHA1

      4f7e75966250feb111f6eef46f1430b0d7215443

    • SHA256

      75a80f7c5069cd46ff67a5a3806ed8ba81a83cbeab3d7b3db02cd4101d693888

    • SHA512

      2ac97e52cf388b44a3311b5f130c3188684a05db8ed4ad3eedb7d3758b2ccd5ff2f083c2d18332076b9a3b92abc5ac1e3bacc372f2abd8041a76aff605952279

    • SSDEEP

      3072:7BxC6V1Lp4YMoMq4DQUC7pCslWg6BcafQf1WiFozuhs+BvvP+sBfcRFa5Ku//Ko1:7PJBNPfgKOiK4Kr9Ss3sPC

    Score
    3/10
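
The report lists three file hashes (the submitted sample, the dropped Install.exe and xFire.exe) and flags Run-key persistence. The following PowerShell snippet is an added triage example, not part of the sandbox report or of any tool the report describes: it sweeps a directory for files whose SHA256 matches one of the three values above and lists the current Run-key entries so the persistence the signature describes can be checked by hand. The $ScanRoot parameter and the choice of Run keys are assumptions; adjust them to the host being checked.

```powershell
# Added triage example, not from the sandbox report. Sweeps $ScanRoot for files whose
# SHA256 matches an IOC from the report and dumps Run-key entries for manual review.
# $ScanRoot is an assumed parameter (default: the current user's profile).
param(
    [string]$ScanRoot = "$env:USERPROFILE"
)

# SHA256 values copied from the report, keyed to the file they belong to.
$KnownBad = @{
    '99e10e5b9cb36d1c54816ef6ce4359663b47c110a194d3498f23deb53916ca0d' = 'bb30e803849068c644c9d90c475b63b9_JaffaCakes118'
    '4e4e83cec2a9816b3aa530d8f6cc58ba7433dd437265fcc67b0925859b295732' = 'Install.exe'
    '75a80f7c5069cd46ff67a5a3806ed8ba81a83cbeab3d7b3db02cd4101d693888' = 'xFire.exe'
}

function Find-KnownBadFiles {
    param([string]$Root)
    # Hash every file under $Root; unreadable files are skipped rather than aborting the sweep.
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h) {
                $h = $h.ToLower()   # Get-FileHash returns uppercase hex; the report uses lowercase
                if ($KnownBad.ContainsKey($h)) {
                    [pscustomobject]@{ Path = $_.FullName; SHA256 = $h; ReportName = $KnownBad[$h] }
                }
            }
        }
}

function Get-RunKeyEntries {
    # Assumed set of autorun locations to review; the report only says a Run key was added.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty attaches.
                if ($p.Name -notlike 'PS*') {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

Find-KnownBadFiles -Root $ScanRoot | Format-Table -AutoSize
Get-RunKeyEntries | Format-Table -AutoSize
```

Run it from an elevated prompt if the sweep should cover System32 (the report notes a file dropped there) or the HKLM keys. A hash match only catches byte-identical copies of the three files; a repackaged installer will not match, so treat an unfamiliar Run-key command pointing at a user-writable path as the stronger signal and hash that target separately.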

MITRE ATT&CK Enterprise v15