ammyyadmin | adf27e3889392a97a96e7e7d1fc411d9a3e47f4ce2aa769a6f756ed439532b0b

General

Target

2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
Size

866KB
MD5

2e640bb223b75771ef70da6caec1a310
SHA1

c54cfee060b84c4dd45a34aea1107eb8dc2f9a0e
SHA256

adf27e3889392a97a96e7e7d1fc411d9a3e47f4ce2aa769a6f756ed439532b0b
SHA512

12ab7c909f8f41c087d6a75d5b9aff9abc1adcc5a981d2d5d75ef757a6bf362ce9c9f9cb921ef843f959aa2453adde1997488516e670594259bc0355f982b7b6
SSDEEP

12288:g0nyfXuIBDtfu7HbKa/x1MMmWvbi//4aOHdWO6miOEhSqvxzx/0JFlsPY1lvbHYK:dny/f9upl6NObKzPp0JX6CkK

Score

10^/10

ammyyadmin flawedammyy evasion execution persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\AA_v3.exe	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AA_v3.exeAA_v3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	AA_v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	AA_v3.exe

Executes dropped EXE 4 IoCs

Processes:

HidRun.exeAA_v3.exeAA_v3.exeAA_v3.exe

pid process

3024 HidRun.exe
2788 AA_v3.exe
1428 AA_v3.exe
1892 AA_v3.exe

pid	process
3024	HidRun.exe
2788	AA_v3.exe
1428	AA_v3.exe
1892	AA_v3.exe

Loads dropped DLL 6 IoCs

Processes:

2e640bb223b75771ef70da6caec1a310_JaffaCakes118.execmd.exe

pid	process
2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
2372	cmd.exe
2372	cmd.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2664 sc.exe
1128 sc.exe
2928 sc.exe
2784 sc.exe
2756 sc.exe
2712 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2452 taskkill.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

AA_v3.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings AA_v3.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2452 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AA_v3.exe

pid process

1428 AA_v3.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AA_v3.exe

pid process

1428 AA_v3.exe

pid	process
2664	sc.exe
1128	sc.exe
2928	sc.exe
2784	sc.exe
2756	sc.exe
2712	sc.exe

pid	process
2452	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v3.exe

description	pid	process
Token: SeDebugPrivilege	2452	taskkill.exe

pid	process
1428	AA_v3.exe

pid	process
1428	AA_v3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exeHidRun.execmd.exe

description	pid	process	target process
PID 2364 wrote to memory of 3024	2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe	HidRun.exe
PID 2364 wrote to memory of 3024	2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe	HidRun.exe
PID 2364 wrote to memory of 3024	2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe	HidRun.exe
PID 2364 wrote to memory of 3024	2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe	HidRun.exe
PID 2364 wrote to memory of 3024	2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe	HidRun.exe
PID 2364 wrote to memory of 3024	2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe	HidRun.exe
PID 2364 wrote to memory of 3024	2364	2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe	HidRun.exe
PID 3024 wrote to memory of 2372	3024	HidRun.exe	cmd.exe
PID 3024 wrote to memory of 2372	3024	HidRun.exe	cmd.exe
PID 3024 wrote to memory of 2372	3024	HidRun.exe	cmd.exe
PID 3024 wrote to memory of 2372	3024	HidRun.exe	cmd.exe
PID 3024 wrote to memory of 2372	3024	HidRun.exe	cmd.exe
PID 3024 wrote to memory of 2372	3024	HidRun.exe	cmd.exe
PID 3024 wrote to memory of 2372	3024	HidRun.exe	cmd.exe
PID 2372 wrote to memory of 2712	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2712	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2712	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2712	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2712	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2712	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2712	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2452	2372	cmd.exe	taskkill.exe
PID 2372 wrote to memory of 2452	2372	cmd.exe	taskkill.exe
PID 2372 wrote to memory of 2452	2372	cmd.exe	taskkill.exe
PID 2372 wrote to memory of 2452	2372	cmd.exe	taskkill.exe
PID 2372 wrote to memory of 2452	2372	cmd.exe	taskkill.exe
PID 2372 wrote to memory of 2452	2372	cmd.exe	taskkill.exe
PID 2372 wrote to memory of 2452	2372	cmd.exe	taskkill.exe
PID 2372 wrote to memory of 1128	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 1128	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 1128	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 1128	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 1128	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 1128	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 1128	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2928	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2928	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2928	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2928	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2928	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2928	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2928	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2784	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2784	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2784	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2784	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2784	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2784	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2784	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2756	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2756	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2756	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2756	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2756	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2756	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 2756	2372	cmd.exe	sc.exe
PID 2372 wrote to memory of 1428	2372	cmd.exe	AA_v3.exe

C:\Users\Admin\AppData\Local\Temp\2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\HidRun.exe
  "C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\HidRun.exe" install.cmd
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c install.cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect3
      4⤵
      Launches sc.exe
      PID:2712
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect3
      4⤵
      Launches sc.exe
      PID:2664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AA_v3.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect3
      4⤵
      Launches sc.exe
      PID:1128
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect3
      4⤵
      Launches sc.exe
      PID:2928
  - - C:\Windows\SysWOW64\sc.exe
      sc create its.connect3 binpath= "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe -service" start= auto DisplayName= "Ç⌐Æ¿¥ß.è«¡¡Ñ¬Γ 3"
      4⤵
      Launches sc.exe
      PID:2784
  - - C:\Windows\SysWOW64\sc.exe
      sc start its.connect3
      4⤵
      Launches sc.exe
      PID:2756
  - - C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
      "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1428

C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe -service
1⤵
- Executes dropped EXE
PID:2788
- C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
  "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe" -nogui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\AA_v3.exe

Filesize
730KB

MD5
50ade6bda5064644a438f7f003f4ceef

SHA1
84a37447873ed3a305c187765adc05a1d83de226

SHA256
5c5caf10767f6ec0ae4b7dfadab642e7fcebd581dcfff05b787f435b29a52b35

SHA512
a0629e7fbdcdbf24f19ea26ac5b29bdbcf19af2ea2fda94b21d02c6a892a7e7b6aa20ebb0fbdf6a0630da6a84ce3c8e856cacade31f1b867bda2b925973ff87f

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\hr3

Filesize
79B

MD5
9b4d92ac898b7059db26d81b5ef511f7

SHA1
e4125c1b06ded24789114e43f231e712ea896083

SHA256
6431db3d46e9bd1c7c5a3ff37c49584355a13a3d74f55bf96c399122d88b4a76

SHA512
15596f28b9833ed37b4e6f52f4092df4ed187eaddc719f2ad4d6beb72ea7e6a80c7af82d85b8e3048a856bdad7ae5348133913c751506be930cbf361e0fcec10

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\install.cmd

Filesize
1KB

MD5
f1fd08cac53f184126deb0fd9bb4a290

SHA1
e4fbe312e6a8fb02edfe72022ba439e7c80aa7c2

SHA256
a947deb33326a920351ea56f1b00e2e51b21927b394fcf1315ec70e53be0a5ba

SHA512
2e588776f417f6f0517d4d7a10d985a7e58c6544107b6101fd2aaf8db684de5abe9eca67592747f261df9e1e66c808fdf44349e7d3175326799dab3c91b2d4b8

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\settings.rdp

Filesize
376B

MD5
56e489815ebdf743b40f477d7c38a518

SHA1
8f9fff8667e1f64843b35c416a5ec83f54046341

SHA256
dae94c47bd56f4fc3a61650b857d6c09bc75c046b130b466d238983c9dd3fac0

SHA512
4d6902d763479e369a5188e3debf080b1f510f98f3171bd569a04c9db6cb6ed93b9a74a390e1d1495795b593f15f44958ed5880225aa29dcd7c0b446eeefb63c

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\settings3.bin

Filesize
394B

MD5
014d958ce32ee63bb1c445d0317a20ab

SHA1
acda73cb8d54a8af7a7e5db4a43d9ba0ea888bcd

SHA256
3dc3107e01282f3f44e1892eecf69339c67fe1c586d3743138fad6d91046340e

SHA512
1e9d636e722073b7d95d09d15994ea6c5035852ee6e371b6ce93c91aec0a0784ba8c55834b05f3413d17a9277ce8075a70219760e5296f24a1d8337e380ed9af

Download Submit
\Users\Admin\AppData\Roaming\ITS\Connect3\Update\HidRun.exe

Filesize
352KB

MD5
687cfbdf9361d6e45a0ef03dea6d2053

SHA1
fc2fc06eb280680ad557d2eb5dc2fd00407c716c

SHA256
de3cf72c4a70f5725cdf4b5d0a6631ecd37b516c80086f36712e9db9c91e6825

SHA512
6123d0007a00babba7fcf44bee8bac1574e19291e6d5c673444403e009bdcf4a1166b6222c31caa13b8dca25b3623c862d837b630c4ffec72d0f52e55bf14b71

Download Submit
memory/3024-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3024-30-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads