General

  • Target

    JaffaCakes118_0e01e1fecfa020ae172f23e80b5060cb

  • Size

    693KB

  • Sample

    250605-dxlhlsdk8v

  • MD5

    0e01e1fecfa020ae172f23e80b5060cb

  • SHA1

    3116a59959fb58922e5fd6a45c446afb1dfe0c4c

  • SHA256

    8bc539cd0daef6a28f75ccad130e570ec44f8fb4d8a3bb6a1a0f84848a098cb5

  • SHA512

    8ef144302949413a397b96dc7ea971bec94dd3a133fea91d9051a221d7ee89cba21c4eec86f9f534d69969e9406b5da7434c4365e4631b33ed90ce4ebc2d8a06

  • SSDEEP

    12288:e3TdtLW5WIj1YSSdFxsBSXyMzBUWb9lx/9AgHLo8OW+rBA3Tdt7:oDsj1dEcBcJ9nPx/igrp+0D7

Targets


    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax family

    • Ardamax main executable

    • Modifies WinLogon for persistence

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory
