ardamax | e804c0afa8afb3d105f357404754da00022838fd6f4448882563a6b47c3e8d7d | Triage

Sharing

General

Target

e517afd343ddd555669637cb9b4cd5bc_JaffaCakes118
Size

1.4MB
Sample

241212-g44vbaxmhk
MD5

e517afd343ddd555669637cb9b4cd5bc
SHA1

c64b7c9eb2782f0276c692837f9ac6f1db6bb2ea
SHA256

e804c0afa8afb3d105f357404754da00022838fd6f4448882563a6b47c3e8d7d
SHA512

e34edf4c0cdf66c20c1d9b16adfa2ff72da85ec9d6e9f75a49301c292d5f50031ca4597892b9e7f982ca7ff5e3cc6f74a02d08c9685e72d9905114558220b751
SSDEEP

24576:RbPT8/ofB0D0BqKzbt57zI3PRI9L9K0jsXNTllFLfHkNtqNdCAm6tr:R7T8/iB0v4t5X0PqF9PwdhDjHCVW

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Targets

- Target
  
  e517afd343ddd555669637cb9b4cd5bc_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  e517afd343ddd555669637cb9b4cd5bc
- SHA1
  
  c64b7c9eb2782f0276c692837f9ac6f1db6bb2ea
- SHA256
  
  e804c0afa8afb3d105f357404754da00022838fd6f4448882563a6b47c3e8d7d
- SHA512
  
  e34edf4c0cdf66c20c1d9b16adfa2ff72da85ec9d6e9f75a49301c292d5f50031ca4597892b9e7f982ca7ff5e3cc6f74a02d08c9685e72d9905114558220b751
- SSDEEP
  
  24576:RbPT8/ofB0D0BqKzbt57zI3PRI9L9K0jsXNTllFLfHkNtqNdCAm6tr:R7T8/iB0v4t5X0PqF9PwdhDjHCVW
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer