Overview

overview

10

Static

static

3

JaffaCakes...ba.exe

windows7-x64

7

JaffaCakes...ba.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_e0c4fb2fe31227a5da453bb02a589fba

  • Size

    1.2MB

  • Sample

    250120-jmv7ysyqaz

  • MD5

    e0c4fb2fe31227a5da453bb02a589fba

  • SHA1

    ceacc28e9b878549f6db96cf3dad2949373cc9f6

  • SHA256

    abaa95fa3b6678259ec7df1354fc369794699b8319e37f6d3e5ae19adeac7f6c

  • SHA512

    86924b3af055290859d7d29a402ed13c82400028957988a6af12a1e3601568f2c280836f14f75170116f13414899bf5dca5634665fa4e2bf679e94fcc5179103

  • SSDEEP

    24576:B7mblEFT+c35HxdzEiJFq/5U0cxnG0tiZx3ycyGn/A5sjrVuUxK:BSb1WV3giJFq/qZxnGTxXjrVV

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Targets

    • Target

      JaffaCakes118_e0c4fb2fe31227a5da453bb02a589fba

    • Size

      1.2MB

    • MD5

      e0c4fb2fe31227a5da453bb02a589fba

    • SHA1

      ceacc28e9b878549f6db96cf3dad2949373cc9f6

    • SHA256

      abaa95fa3b6678259ec7df1354fc369794699b8319e37f6d3e5ae19adeac7f6c

    • SHA512

      86924b3af055290859d7d29a402ed13c82400028957988a6af12a1e3601568f2c280836f14f75170116f13414899bf5dca5634665fa4e2bf679e94fcc5179103

    • SSDEEP

      24576:B7mblEFT+c35HxdzEiJFq/5U0cxnG0tiZx3ycyGn/A5sjrVuUxK:BSb1WV3giJFq/qZxnGTxXjrVV

    Score
    10/10
    discoverypersistenceardamaxkeyloggerstealer

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax family

      ardamax

    • Ardamax main executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks