ardamax | 6dc3e06732fd9fe6b6f1f094ca99a57f4dbe75554eea4d4bb4b1bf13e967cd7e | Triage

Sharing

General

Target

JaffaCakes118_21704f45d350146eceb6bc788bae4219
Size

648KB
Sample

250223-t55jfstrw7
MD5

21704f45d350146eceb6bc788bae4219
SHA1

3e15c2bc07e088190ec282843fbdc4fa333aedc4
SHA256

6dc3e06732fd9fe6b6f1f094ca99a57f4dbe75554eea4d4bb4b1bf13e967cd7e
SHA512

4acacba15464d16605e0f552b48b248dc3cb7d74e77c5b3efc0047323396d7e349f16992334aff7492568c0c445c8a8a2496ed801e80b0545b7b57c9ef972d44
SSDEEP

12288:gFlERKFl9X8fSCLhGV9qaC+sHYZEGIkWxDdarPTZ0pLNCFSIR8Cmqp0F:NRUX8fZAV9q6C6WxJaxZFSo8Go

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Targets

- Target
  
  JaffaCakes118_21704f45d350146eceb6bc788bae4219
- Size
  
  648KB
- MD5
  
  21704f45d350146eceb6bc788bae4219
- SHA1
  
  3e15c2bc07e088190ec282843fbdc4fa333aedc4
- SHA256
  
  6dc3e06732fd9fe6b6f1f094ca99a57f4dbe75554eea4d4bb4b1bf13e967cd7e
- SHA512
  
  4acacba15464d16605e0f552b48b248dc3cb7d74e77c5b3efc0047323396d7e349f16992334aff7492568c0c445c8a8a2496ed801e80b0545b7b57c9ef972d44
- SSDEEP
  
  12288:gFlERKFl9X8fSCLhGV9qaC+sHYZEGIkWxDdarPTZ0pLNCFSIR8Cmqp0F:NRUX8fZAV9q6C6WxJaxZFSo8Go
Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer