ardamax | cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98 | Triage

Sharing

General

Target

JaffaCakes118_7be3ff55bf3bb39b132474013d0d9b89
Size

504KB
Sample

250202-mfn2vaxmcx
MD5

7be3ff55bf3bb39b132474013d0d9b89
SHA1

ef45a43e3436f48bb6273b005778448d62c17ffa
SHA256

cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98
SHA512

c7b3f93297a3c1034bcb2d8fe3962746289853c196d56866b7e1d67e56d5870a8935a373acaeb1694a3ca67f0fa333cb7966eb4d4c8e6358cd2213ff03d85bde
SSDEEP

12288:8nQeD68whMUVzfb3vsw4qbByUPv3pCwxMdARNNDd/cB:tvMSfsw4sNX3LydSDdcB

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Targets

- Target
  
  JaffaCakes118_7be3ff55bf3bb39b132474013d0d9b89
- Size
  
  504KB
- MD5
  
  7be3ff55bf3bb39b132474013d0d9b89
- SHA1
  
  ef45a43e3436f48bb6273b005778448d62c17ffa
- SHA256
  
  cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98
- SHA512
  
  c7b3f93297a3c1034bcb2d8fe3962746289853c196d56866b7e1d67e56d5870a8935a373acaeb1694a3ca67f0fa333cb7966eb4d4c8e6358cd2213ff03d85bde
- SSDEEP
  
  12288:8nQeD68whMUVzfb3vsw4qbByUPv3pCwxMdARNNDd/cB:tvMSfsw4sNX3LydSDdcB
Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer