ardamax | e431b75c0bd037c606750cd881af0f40e044c4d61046b0e4228e192977de0d95 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...39.exe

windows7-x64

JaffaCakes...39.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_7bfb2c93930062c414a78fbf14c03d39
Size

631KB
Sample

250202-mm98nazlfn
MD5

7bfb2c93930062c414a78fbf14c03d39
SHA1

dc2312e981f8b675788c7d5af0db1fad63edef7f
SHA256

e431b75c0bd037c606750cd881af0f40e044c4d61046b0e4228e192977de0d95
SHA512

0666bcc76cb4e697a63124207983736c9c77386b6b9e5b674904547c9062feaa3bea8bac8d9d4c305ac5e569e1fdc7e391cd5d43860bd2d207ae3044f077fcf6
SSDEEP

12288:M3TdtLW5WIj1YSSdFMsBSXyMzBUWb9lx/9AgHLo8OW+rBg:2Dsj1dEbBcJ9nPx/igrp+m

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_7bfb2c93930062c414a78fbf14c03d39.exe

Resource

win7-20241010-en

ardamax defense_evasion discovery keylogger persistence stealer

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_7bfb2c93930062c414a78fbf14c03d39.exe

Resource

win10v2004-20250129-en

ardamax defense_evasion discovery keylogger persistence stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_7bfb2c93930062c414a78fbf14c03d39
- Size
  
  631KB
- MD5
  
  7bfb2c93930062c414a78fbf14c03d39
- SHA1
  
  dc2312e981f8b675788c7d5af0db1fad63edef7f
- SHA256
  
  e431b75c0bd037c606750cd881af0f40e044c4d61046b0e4228e192977de0d95
- SHA512
  
  0666bcc76cb4e697a63124207983736c9c77386b6b9e5b674904547c9062feaa3bea8bac8d9d4c305ac5e569e1fdc7e391cd5d43860bd2d207ae3044f077fcf6
- SSDEEP
  
  12288:M3TdtLW5WIj1YSSdFMsBSXyMzBUWb9lx/9AgHLo8OW+rBg:2Dsj1dEbBcJ9nPx/igrp+m
Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy