General

  • Target

    JaffaCakes118_17a427946a42858cb79e83fa6cc30140

  • Size

    860KB

  • Sample

    250123-qna2qssnen

  • MD5

    17a427946a42858cb79e83fa6cc30140

  • SHA1

    40961292519afe020b7db6573f1bb02690cc7448

  • SHA256

    d9d77004855a304157bcbcbf25fe28cdf72b46a588850dea16cbf7ce77c9279f

  • SHA512

    1375bc4992bd230ce431bbed08f06b4cb40870dac208af79c07d7f22503184c0eadef9a9a3ca6bf243df9c38bc20be4c79dc2100c91130552fcf4744b62c3976

  • SSDEEP

    24576:QCRSrKNLMRSE5wWNxf2t/M6HMwUp7Pbo2ea6m:QCRmgeuWNOk6HMwOSm

Malware Config

Targets

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks