Extracted

• • Target

    JaffaCakes118_fd3a94b720df16090866c318effce5d3

  • Size

    1.5MB

  • MD5

    fd3a94b720df16090866c318effce5d3

  • SHA1

    85b4a422897773c0c8c47af7a19099f085a4630d

  • SHA256

    63da1d367f7e8262e239e75197a10d1d52404d0ba6a249ca7ad750b3144b1bb2

  • SHA512

    64d1f440570572038dfbbd64b3ddaf022aaec4a4907888387fd811522c547d9a56624bdc489e889dcb3a41e075f506964bfd0be3d97c1002e4943b76a52a5dfd

  • SSDEEP

    49152:+oTe3SP16xgQsaHGxjqoWp26ZNiF1r/JzZPvG:e26xgQqtqo82EiFN/JtvG

  Score

  10^/10

  ardamaxdiscoverykeyloggerpersistencestealerupxsalitybackdoordefense_evasionprivilege_escalationtrojan

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax

  • Ardamax family

    ardamax

  • Ardamax main executable

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Disables RegEdit via registry modification

    defense_evasion

  • Disables Task Manager via registry modification

    defense_evasion

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2