Analysis
Max time kernel: 150s
Max time network: 142s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 10-05-2024 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
Size: 866KB
MD5: 2e640bb223b75771ef70da6caec1a310
SHA1: c54cfee060b84c4dd45a34aea1107eb8dc2f9a0e
SHA256: adf27e3889392a97a96e7e7d1fc411d9a3e47f4ce2aa769a6f756ed439532b0b
SHA512: 12ab7c909f8f41c087d6a75d5b9aff9abc1adcc5a981d2d5d75ef757a6bf362ce9c9f9cb921ef843f959aa2453adde1997488516e670594259bc0355f982b7b6
SSDEEP: 12288:g0nyfXuIBDtfu7HbKa/x1MMmWvbi//4aOHdWO6miOEhSqvxzx/0JFlsPY1lvbHYK:dny/f9upl6NObKzPp0JX6CkK
Malware Config
Signatures
Ammyy Admin
Remote admin tool with various capabilities.

AmmyyAdmin payload (1 IoC)
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\AA_v3.exe   family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
Creates new service(s) (2 TTPs)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely used as a geofence.
Processes:
  description        ioc                                                                                                       process
  Key value queried  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation   AA_v3.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation   AA_v3.exe
Executes dropped EXE (4 IoCs)
Processes:
  pid   process
  3024  HidRun.exe
  2788  AA_v3.exe
  1428  AA_v3.exe
  1892  AA_v3.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2364  2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  2364  2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  2364  2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  2364  2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  2372  cmd.exe
  2372  cmd.exe

Launches sc.exe (6 IoCs)
sc.exe is the Windows utility for controlling services on the system.
Processes:
  pid   process
  2664  sc.exe
  1128  sc.exe
  2928  sc.exe
  2784  sc.exe
  2756  sc.exe
  2712  sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
Processes:
  pid   process
  2452  taskkill.exe

Modifies data under HKEY_USERS (1 IoC)
Processes:
  description  ioc                                                                                  process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings   AA_v3.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2452  taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  1428  AA_v3.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  pid   process
  1428  AA_v3.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the report lists one entry per write; identical parent-to-child entries are grouped here with their count, 64 writes in total):
  source pid  source process                                       target pid  target process  writes
  2364        2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe   3024        HidRun.exe      7
  3024        HidRun.exe                                           2372        cmd.exe         7
  2372        cmd.exe                                              2712        sc.exe          7
  2372        cmd.exe                                              2664        sc.exe          7
  2372        cmd.exe                                              2452        taskkill.exe    7
  2372        cmd.exe                                              1128        sc.exe          7
  2372        cmd.exe                                              2928        sc.exe          7
  2372        cmd.exe                                              2784        sc.exe          7
  2372        cmd.exe                                              2756        sc.exe          7
  2372        cmd.exe                                              1428        AA_v3.exe       1
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe"
  PID: 2364
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\HidRun.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\HidRun.exe" install.cmd
    PID: 3024
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c install.cmd
      PID: 2372
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\sc.exe
        Command line: sc stop its.connect3
        PID: 2712
        - Launches sc.exe

      C:\Windows\SysWOW64\sc.exe
        Command line: sc delete its.connect3
        PID: 2664
        - Launches sc.exe

      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /IM AA_v3.exe /f
        PID: 2452
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\sc.exe
        Command line: sc stop its.connect3
        PID: 1128
        - Launches sc.exe

      C:\Windows\SysWOW64\sc.exe
        Command line: sc delete its.connect3
        PID: 2928
        - Launches sc.exe

      C:\Windows\SysWOW64\sc.exe
        Command line: sc create its.connect3 binpath= "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe -service" start= auto DisplayName= "Ç⌐Æ¿¥ß.è«¡¡Ñ¬Γ 3"
        (The DisplayName is CP866 Cyrillic text rendered as CP437; the bytes decode to "АйТиЭс.Коннект 3".)
        PID: 2784
        - Launches sc.exe

      C:\Windows\SysWOW64\sc.exe
        Command line: sc start its.connect3
        PID: 2756
        - Launches sc.exe

      C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe"
        PID: 1428
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
  Command line: C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe -service
  PID: 2788
  - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe" -nogui
    PID: 1892
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
MITRE ATT&CK Enterprise v15