General

  • Target

    JaffaCakes118_c1afd5d05b62a7b9fbbdf7935775c5c8

  • Size

    1.3MB

  • Sample

    250208-lmvmjaxlh1

  • MD5

    c1afd5d05b62a7b9fbbdf7935775c5c8

  • SHA1

    641c7c01c6b93b72d761748a16c0fd416889fe40

  • SHA256

    11f5b5ebfc2f25bf32e675728d4faa069311cefb66825f32106adf237d70a2e7

  • SHA512

    5cd2d62ecbcc31f607e4139ea69a9a3d778d8f9f93e35eb9d3f669f1ea8a4f695fa6312090a502dc39353cdc143dfb8739fd6af8e745e3888e731041a7865992

  • SSDEEP

    24576:bswyOQUyohQ9BO7Qtj6VUBYaff0Lo0Udkw/J8nPXJUF/8zhYWf:bpJQUt+UQtjOU2aff0c0Udkwnqm2

Malware Config

Targets

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15