Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 18:09

General

  • Target

    3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe

  • Size

    768KB

  • MD5

    3b69f9251541d2ec23ca85c913d3680e

  • SHA1

    edb3c5a5acf0cd22546a60de111497833917cff6

  • SHA256

    1fce98b97b44385c9d6d685781ca3bfe7b0afc666305db3546d83eaac73e5f28

  • SHA512

    e2c775ea9c7b6e5010bd9c1a122cd26b285dba65451a0507e4e90bc130588c0cb783bcc780fda8d72351acc17966cb0b13dae774c7856b36d4bf64944d679c50

  • SSDEEP

    12288:XXe1Z2fJipMHEgSeA6M7kmchJGvRuORtcE9qTpy+Yg0HkV+dgI:HtkmHEgSewkmchJGsORtn9qT8+Yg03eI

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe"
    1⤵
      PID:3048
    • C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1964

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      316B

      MD5

      fa1d93786decbf5548a774fc29dfbf90

      SHA1

      427fc450342fd8313b39435a13a6fbceed54b2c3

      SHA256

      e14690ac32f466641a675e4814aae977b6cae8f6c5d18a07e9764cf37ca2f6e4

      SHA512

      3ee27dd032163ab79749b12697e380366dcb43150443a9cac9a0bfa6440255c22fabaa940d1d425e9194d327e96ff5b97fe7354f1593157d4475e1b035a7310b