ammyyadmin | adf27e3889392a97a96e7e7d1fc411d9a3e47f4ce2aa769a6f756ed439532b0b | Triage

Sharing

General

Target

2e640bb223b75771ef70da6caec1a310_JaffaCakes118
Size

866KB
Sample

240510-k5999sed3w
MD5

2e640bb223b75771ef70da6caec1a310
SHA1

c54cfee060b84c4dd45a34aea1107eb8dc2f9a0e
SHA256

adf27e3889392a97a96e7e7d1fc411d9a3e47f4ce2aa769a6f756ed439532b0b
SHA512

12ab7c909f8f41c087d6a75d5b9aff9abc1adcc5a981d2d5d75ef757a6bf362ce9c9f9cb921ef843f959aa2453adde1997488516e670594259bc0355f982b7b6
SSDEEP

12288:g0nyfXuIBDtfu7HbKa/x1MMmWvbi//4aOHdWO6miOEhSqvxzx/0JFlsPY1lvbHYK:dny/f9upl6NObKzPp0JX6CkK

Score

10^/10

ammyyadmin flawedammyy evasion execution persistence rat trojan

Malware Config

Targets

- Target
  
  2e640bb223b75771ef70da6caec1a310_JaffaCakes118
- Size
  
  866KB
- MD5
  
  2e640bb223b75771ef70da6caec1a310
- SHA1
  
  c54cfee060b84c4dd45a34aea1107eb8dc2f9a0e
- SHA256
  
  adf27e3889392a97a96e7e7d1fc411d9a3e47f4ce2aa769a6f756ed439532b0b
- SHA512
  
  12ab7c909f8f41c087d6a75d5b9aff9abc1adcc5a981d2d5d75ef757a6bf362ce9c9f9cb921ef843f959aa2453adde1997488516e670594259bc0355f982b7b6
- SSDEEP
  
  12288:g0nyfXuIBDtfu7HbKa/x1MMmWvbi//4aOHdWO6miOEhSqvxzx/0JFlsPY1lvbHYK:dny/f9upl6NObKzPp0JX6CkK
Score

10^/10

ammyyadmin flawedammyy evasion execution persistence rat trojan
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

ammyyadminflawedammyyevasionexecutionpersistencerattrojan

behavioral2

ammyyadminflawedammyyevasionexecutionpersistencerattrojan