ammyyadmin | 0b168b35821896e78a88efec428547e4959fc45981ce54b72cf8734403b31974

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

336948862bcd646d816c57c66115d835_JaffaCakes118.exe
Size

994KB
MD5

336948862bcd646d816c57c66115d835
SHA1

45fdc37da7dbfd68e81ebba09f3b55490e6b1142
SHA256

0b168b35821896e78a88efec428547e4959fc45981ce54b72cf8734403b31974
SHA512

20577fde9851538e167d0f7a777ebd4b9a6c94aee6c5635e12cbd0e6980577a8541df47aa6e9a0c87ab7f93337801efc139486b29b87e0090e667854220aa1af
SSDEEP

24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxl:dJ5gEKNikf3hBfUiWxl

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

336948862bcd646d816c57c66115d835_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	336948862bcd646d816c57c66115d835_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

1224 budha.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1224	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

336948862bcd646d816c57c66115d835_JaffaCakes118.exe

description	pid	process	target process
PID 2972 wrote to memory of 1224	2972	336948862bcd646d816c57c66115d835_JaffaCakes118.exe	budha.exe
PID 2972 wrote to memory of 1224	2972	336948862bcd646d816c57c66115d835_JaffaCakes118.exe	budha.exe
PID 2972 wrote to memory of 1224	2972	336948862bcd646d816c57c66115d835_JaffaCakes118.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\336948862bcd646d816c57c66115d835_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\336948862bcd646d816c57c66115d835_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
994KB

MD5
3691f90ee594032e524e7ec4a3d85650

SHA1
645be77f4aa394a49d7ca0d23b49e7184cfb0fcc

SHA256
f00f862e543a5c89c786e2627dc82d9d61c27d3144b5b073bc77c581021a7e52

SHA512
3d8e0f37a2d6bc5466e65d19c40c407e1c9cc5b3b0f598de1cf4c6c5c2f76c5048b2d2cccb8b22aa9e60e129cf39d04317e9ce95a585e1a26276c5e422fe8a5c

Download Submit
memory/1224-11-0x00007FFEB6290000-0x00007FFEB6485000-memory.dmp

Filesize
2.0MB

Download
memory/1224-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1224-14-0x00007FFEB6290000-0x00007FFEB6485000-memory.dmp

Filesize
2.0MB

Download
memory/2972-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2972-2-0x00007FFEB6290000-0x00007FFEB6485000-memory.dmp

Filesize
2.0MB

Download
memory/2972-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download