General
-
Target
JaffaCakes118_68f180bde7ad57b3ecc8757eef844776
-
Size
902KB
-
Sample
250102-3rxq5azqav
-
MD5
68f180bde7ad57b3ecc8757eef844776
-
SHA1
b03bdf97255160caf5476456885225a18949cf1e
-
SHA256
d103edf4484da98b0989977c686aff42c4e43dc125a3d10cfcd5a4260440b41c
-
SHA512
938add3b7d576273088c59c2a1aab27a5fbc1f5e87fad6407a4ae608f4ff4bb08892ff0d97486324405461f6b5b3f173a4f0444ba82d661cdee5b4f9f20c2e91
-
SSDEEP
12288:A3TdtLW5WIj1YSSdFxBvBSXyMzBUWb9lx/9AgHLo8OW+rB:6Dsj1dEBBcJ9nPx/igrp+
Malware Config
Targets
-
-
Target
JaffaCakes118_68f180bde7ad57b3ecc8757eef844776
-
Size
902KB
-
MD5
68f180bde7ad57b3ecc8757eef844776
-
SHA1
b03bdf97255160caf5476456885225a18949cf1e
-
SHA256
d103edf4484da98b0989977c686aff42c4e43dc125a3d10cfcd5a4260440b41c
-
SHA512
938add3b7d576273088c59c2a1aab27a5fbc1f5e87fad6407a4ae608f4ff4bb08892ff0d97486324405461f6b5b3f173a4f0444ba82d661cdee5b4f9f20c2e91
-
SSDEEP
12288:A3TdtLW5WIj1YSSdFxBvBSXyMzBUWb9lx/9AgHLo8OW+rB:6Dsj1dEBBcJ9nPx/igrp+
Score10/10-
Ardamax
A keylogger first seen in 2013.
-
Ardamax family
-
Ardamax main executable
-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1