ardamax | ee64d1234fd5c8f05c78cc5ad1346afb3f6bad6afbe41ec098d840d234bb901c | Triage

Sharing

General

Target

JaffaCakes118_f9ddd1cf1e115ede06017b4bfed1ba4a
Size

480KB
Sample

250214-t548pavjfv
MD5

f9ddd1cf1e115ede06017b4bfed1ba4a
SHA1

725e0171af11c6e20087df193ecef8abceef8535
SHA256

ee64d1234fd5c8f05c78cc5ad1346afb3f6bad6afbe41ec098d840d234bb901c
SHA512

ef0f0b4cee22f58acc75e3a316004b2cb38b8b5784cf58d194eff858cd386361fe15679eb35e4347d5d267c9f7ac60647be4ab1b965b2d19ea98930a9d98a563
SSDEEP

12288:4zBjB3PQTB8B2+ExnNd8fLrWWGqJlRe1NVEq8OrbRU6Z9fj:8BjBfXen3aLrWWGURo6qRlU6Z97

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Targets

- Target
  
  JaffaCakes118_f9ddd1cf1e115ede06017b4bfed1ba4a
- Size
  
  480KB
- MD5
  
  f9ddd1cf1e115ede06017b4bfed1ba4a
- SHA1
  
  725e0171af11c6e20087df193ecef8abceef8535
- SHA256
  
  ee64d1234fd5c8f05c78cc5ad1346afb3f6bad6afbe41ec098d840d234bb901c
- SHA512
  
  ef0f0b4cee22f58acc75e3a316004b2cb38b8b5784cf58d194eff858cd386361fe15679eb35e4347d5d267c9f7ac60647be4ab1b965b2d19ea98930a9d98a563
- SSDEEP
  
  12288:4zBjB3PQTB8B2+ExnNd8fLrWWGqJlRe1NVEq8OrbRU6Z9fj:8BjBfXen3aLrWWGURo6qRlU6Z97
Score

10^/10

ardamax discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdiscoverykeyloggerpersistencestealer