Extracted

• • Target

    JaffaCakes118_aaa3c4c38bd5f1088db6553c3401dc79

  • Size

    2.1MB

  • MD5

    aaa3c4c38bd5f1088db6553c3401dc79

  • SHA1

    061993f5d8b8eca381474640c2d2b3e8b8cac8bf

  • SHA256

    df8e7ef1fe0b61acbd6c72c509d322ad3998c67308b2dc04e4015b6d160d3fa2

  • SHA512

    1b10403cc07ecb4ab4df4bb2e90f0aaa25b9eb6273533c309abc547b29a9d1a3c3f230f5ffca33457a0c7912f5d6b4a590e2fe741e232ce4c73c52c966449613

  • SSDEEP

    12288:0Rq28oax930xPLD0K/uzSm1/ZLBHkt0/N8/wyDT4wA7Nm3CYvY0:0Uyaz0xPhaz3HkT/p4wimI0

  Score

  10^/10

  ardamaxdiscoverykeyloggerpersistencestealer

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax

  • Ardamax family

    ardamax

  • Ardamax main executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops file in System32 directory

  behavioral1behavioral2