General

  • Target

    JaffaCakes118_07f384339dd2333a6dd89b56deb1dd13

  • Size

    1.2MB

  • Sample

    250121-2ahefatpbt

  • MD5

    07f384339dd2333a6dd89b56deb1dd13

  • SHA1

    ac9e95d17bb1b5d208c47c485e1fdb5d93ef0c7e

  • SHA256

    2fd3c770bdee0f5366bea593f5215cfc10c2642278e91bd7a0eae247d32930a4

  • SHA512

    846a8f1f0151374dd5d86fcfd8d8402eb3970a36b3225b2f1c70a3a1505b89fd7010f1ec6baa7e6b540832e88ffbb6b2a5ccd839b4bdcb7392a06496b8c454f8

  • SSDEEP

    24576:5KEfKOjQTdTjN06FOZ9cyZHy2dfimRce5HTrI4XS29lKjX:5KEiO8TF1LGy2FimKe5HT+2/KjX

Malware Config

Targets

    • Target

      HotFix.exe.lnk

    • Size

      640B

    • MD5

      8ddf7a8cde3dab39ebd22a4613d63423

    • SHA1

      6629bb61d341100b7f083e9142d90b41a66ca8d1

    • SHA256

      7a0ffced07fbe5824c74ebbf09b7cb288657cc801a751423420a7d7671df7474

    • SHA512

      5896379c928d19c5f497e5c5ba8e2f8cdff2c44e5f15d878d19144ff5b21f338a701919b0e11ec99cbbd341ed8aef639131bd9904f713fc66c89a2f0d88cb0c6

    Score: 6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Osmanlı Bot.exe

    • Size

      1.3MB

    • MD5

      fe010d3bbb86067e66f3233bbbe6cbdb

    • SHA1

      2b151b91a955d32a4d68b2a90586c741e09d28fc

    • SHA256

      c45d51e25dc9bd378e997a242c0e0b8dc3f0bac67fe8d12cd5d18f7786e8ccc4

    • SHA512

      8bf65b5672da1c63dac4f2dd19e6001bc78536f920b529fc420cf4584665098d80c1da26b47ebd5c4e7e6010419d90d4c6a822df51d8783b98dfde76d870818b

    • SSDEEP

      24576:CzwTT6O/SmlZ547pkSOG/hqemVh9ruez8cm8Lzw+0nXCaOQxMfN92Q6QAf:Cz+TRidOGJZm8Lc++0nSa7xG92Q6QA

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks