General
-
Target
JaffaCakes118_8e00e54479d218e50a55e497c2600948
-
Size
2.4MB
-
Sample
250204-ak7crsznhm
-
MD5
8e00e54479d218e50a55e497c2600948
-
SHA1
01f2b7b68083770c037110ec4fd19dc84d03ef75
-
SHA256
7bfb50d5f82d0f807e5e179d0cf44d65068451d95e217b8b68fc3c4372995236
-
SHA512
e55ea16c60955ca20acef6da518fa428d2dd804f975c8bf3a63fc610cba5a37ac437135ce496e8889982d2584cfee38c6d705b9498cc9a80b3d13f4a0ab5459e
-
SSDEEP
49152:BiwHJXlGV+KUipeLzAFSirQAQK828oy4/w7OdYVhh78MTMeHn:BiCJ6NFrFSiroK828o07cYRKin
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_8e00e54479d218e50a55e497c2600948.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8e00e54479d218e50a55e497c2600948.exe
Resource
win10v2004-20250129-en
Malware Config
Targets
-
-
Target
JaffaCakes118_8e00e54479d218e50a55e497c2600948
Score
10/10
-
Ardamax family
-
Ardamax main executable
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can change the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Defense Evasion
Modify Registry: 3
Subvert Trust Controls: 2
Install Root Certificate: 1
SIP and Trust Provider Hijacking: 1