ardamax | a97c5efc61f35a22fa05e9c730ca0d3af93242e24dbeac768191e86f66eef220 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...27.exe

windows7-x64

JaffaCakes...27.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_aaf4e8fe62a649f972b3c84f7580fb27
Size

571KB
Sample

250206-n61c8stqfx
MD5

aaf4e8fe62a649f972b3c84f7580fb27
SHA1

87a14c937a2b0b8c5554c4a91acc7884e9fa4b9c
SHA256

a97c5efc61f35a22fa05e9c730ca0d3af93242e24dbeac768191e86f66eef220
SHA512

26c5ffed5e9dbf3b9c4350a5529dd8b52b5efcdc99832f4b8b949f0329175ec867611d455c0a49c150c32300043117c26fe452c8238dc0ce056424787212c3b6
SSDEEP

12288:5l0/jEepRqOSiCmQOm7ruKZmNCWGZYKpna65YQ+:47E8RqckmLKLd+

Score

10^/10

ardamax discovery keylogger persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_aaf4e8fe62a649f972b3c84f7580fb27.exe

Resource

win7-20240903-en

ardamax discovery keylogger persistence stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_aaf4e8fe62a649f972b3c84f7580fb27.exe

Resource

win10v2004-20250129-en

ardamax discovery keylogger persistence stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_aaf4e8fe62a649f972b3c84f7580fb27
- Size
  
  571KB
- MD5
  
  aaf4e8fe62a649f972b3c84f7580fb27
- SHA1
  
  87a14c937a2b0b8c5554c4a91acc7884e9fa4b9c
- SHA256
  
  a97c5efc61f35a22fa05e9c730ca0d3af93242e24dbeac768191e86f66eef220
- SHA512
  
  26c5ffed5e9dbf3b9c4350a5529dd8b52b5efcdc99832f4b8b949f0329175ec867611d455c0a49c150c32300043117c26fe452c8238dc0ce056424787212c3b6
- SSDEEP
  
  12288:5l0/jEepRqOSiCmQOm7ruKZmNCWGZYKpna65YQ+:47E8RqckmLKLd+
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer

© 2018-2025

Terms | Privacy