ammyyadmin | 76f7f817f2dc5037e33f9941efb136b96fec2ba19e6da21aeb7ca36f8be95389

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe
Size

994KB
MD5

201edd53b6970f4cd5349e70dede8a55
SHA1

05b9a7da60c577df586662601fbc51f79ec53890
SHA256

76f7f817f2dc5037e33f9941efb136b96fec2ba19e6da21aeb7ca36f8be95389
SHA512

3620ed96a26f25d0a2ccb4ad293654b6b7ad4b746397c4ef9bd7d91f770ecceda21ca653769eb9f441915360fc151e5ed27dabbe02552afb812b86becb2170ca
SSDEEP

24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxb:dJ5gEKNikf3hBfUiWxb

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012336-5.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

pid	Process
3024	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
2480	201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 3024	2480	201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe	28
PID 2480 wrote to memory of 3024	2480	201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe	28
PID 2480 wrote to memory of 3024	2480	201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe	28
PID 2480 wrote to memory of 3024	2480	201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\201edd53b6970f4cd5349e70dede8a55_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
994KB

MD5
9a2be36f45981687764858c0ebdbb3f0

SHA1
8f5d9a970a1ac552313b5f17663a59c48afceee5

SHA256
71d2f58fa5f73912025636955b77cfebe04927ef4ce3a92ee2602711d34343ce

SHA512
b23bfd713bdc50ad463442262522e425eab34c45b168228460c46b1d5c42d54b9144b7909e2541df3a5b3430f7673073b6e35fa339a7d92129b6bebf50b748fd

Download Submit
memory/2480-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2480-3-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2480-2-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2480-7-0x0000000001E10000-0x0000000001E1A000-memory.dmp

Filesize
40KB

Download
memory/2480-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3024-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3024-15-0x0000000002B40000-0x0000000002F40000-memory.dmp

Filesize
4.0MB

Download
memory/3024-14-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/3024-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download