Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 09:12
Static task: static1
Behavioral task: behavioral1
  Sample: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
Size: 866KB
MD5: 2e640bb223b75771ef70da6caec1a310
SHA1: c54cfee060b84c4dd45a34aea1107eb8dc2f9a0e
SHA256: adf27e3889392a97a96e7e7d1fc411d9a3e47f4ce2aa769a6f756ed439532b0b
SHA512: 12ab7c909f8f41c087d6a75d5b9aff9abc1adcc5a981d2d5d75ef757a6bf362ce9c9f9cb921ef843f959aa2453adde1997488516e670594259bc0355f982b7b6
SSDEEP: 12288:g0nyfXuIBDtfu7HbKa/x1MMmWvbi//4aOHdWO6miOEhSqvxzx/0JFlsPY1lvbHYK:dny/f9upl6NObKzPp0JX6CkK
Malware Config
Signatures
Ammyy Admin
Remote admin tool with various capabilities.
AmmyyAdmin payload 1 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\AA_v3.exe | family_ammyyadmin |
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
Creates new service(s) 2 TTPs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe, AA_v3.exe
| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | AA_v3.exe |
Executes dropped EXE 4 IoCs
Processes: HidRun.exe, AA_v3.exe, AA_v3.exe, AA_v3.exe
| pid | process |
| --- | --- |
| 4848 | HidRun.exe |
| 4576 | AA_v3.exe |
| 3376 | AA_v3.exe |
| 4068 | AA_v3.exe |
Drops file in System32 directory 4 IoCs
Processes: AA_v3.exe
| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | AA_v3.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | AA_v3.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | AA_v3.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | AA_v3.exe |
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe
| pid | process |
| --- | --- |
| 4568 | sc.exe |
| 1480 | sc.exe |
| 1816 | sc.exe |
| 4444 | sc.exe |
| 1768 | sc.exe |
| 5076 | sc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
| pid | process |
| --- | --- |
| 3248 | taskkill.exe |
Modifies data under HKEY_USERS 3 IoCs
Processes: AA_v3.exe
| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | AA_v3.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | AA_v3.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | AA_v3.exe |
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: taskkill.exe
| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3248 | taskkill.exe |
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AA_v3.exe
| pid | process |
| --- | --- |
| 3376 | AA_v3.exe |
Suspicious use of SendNotifyMessage 1 IoCs
Processes: AA_v3.exe
| pid | process |
| --- | --- |
| 3376 | AA_v3.exe |
Suspicious use of WriteProcessMemory 33 IoCs
Processes: 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe, HidRun.exe, cmd.exe, AA_v3.exe
Each parent/child pair below is listed three times in the report (11 pairs, 33 IoCs); the count column carries the repeats.
| description | pid | process | target process | count |
| --- | --- | --- | --- | --- |
| PID 1060 wrote to memory of 4848 | 1060 | 2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe | HidRun.exe | 3 |
| PID 4848 wrote to memory of 3988 | 4848 | HidRun.exe | cmd.exe | 3 |
| PID 3988 wrote to memory of 4568 | 3988 | cmd.exe | sc.exe | 3 |
| PID 3988 wrote to memory of 1480 | 3988 | cmd.exe | sc.exe | 3 |
| PID 3988 wrote to memory of 3248 | 3988 | cmd.exe | taskkill.exe | 3 |
| PID 3988 wrote to memory of 1816 | 3988 | cmd.exe | sc.exe | 3 |
| PID 3988 wrote to memory of 4444 | 3988 | cmd.exe | sc.exe | 3 |
| PID 3988 wrote to memory of 1768 | 3988 | cmd.exe | sc.exe | 3 |
| PID 3988 wrote to memory of 5076 | 3988 | cmd.exe | sc.exe | 3 |
| PID 3988 wrote to memory of 3376 | 3988 | cmd.exe | AA_v3.exe | 3 |
| PID 4576 wrote to memory of 4068 | 4576 | AA_v3.exe | AA_v3.exe | 3 |
Processes
(indentation shows parent/child depth; each entry gives the image path, the command line, the PID and the signatures hit)

C:\Users\Admin\AppData\Local\Temp\2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2e640bb223b75771ef70da6caec1a310_JaffaCakes118.exe"
  PID: 1060
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\HidRun.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\ITS\Connect3\Update\HidRun.exe" install.cmd
    PID: 4848
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c install.cmd
      PID: 3988
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop its.connect3
        PID: 4568
        - Launches sc.exe
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete its.connect3
        PID: 1480
        - Launches sc.exe
      C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /IM AA_v3.exe /f
        PID: 3248
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc stop its.connect3
        PID: 1816
        - Launches sc.exe
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete its.connect3
        PID: 4444
        - Launches sc.exe
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc create its.connect3 binpath= "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe -service" start= auto DisplayName= "Ç⌐Æ¿¥ß.è«¡¡Ñ¬Γ 3"
        PID: 1768
        - Launches sc.exe
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc start its.connect3
        PID: 5076
        - Launches sc.exe
      C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe"
        PID: 3376
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
  cmdline: C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe -service
  PID: 4576
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\ITS\Connect3\AA_v3.exe" -nogui
    PID: 4068
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads