flawedammyy | 1fce98b97b44385c9d6d685781ca3bfe7b0afc666305db3546d83eaac73e5f28

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 18:09

Target

3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
Size

768KB
MD5

3b69f9251541d2ec23ca85c913d3680e
SHA1

edb3c5a5acf0cd22546a60de111497833917cff6
SHA256

1fce98b97b44385c9d6d685781ca3bfe7b0afc666305db3546d83eaac73e5f28
SHA512

e2c775ea9c7b6e5010bd9c1a122cd26b285dba65451a0507e4e90bc130588c0cb783bcc780fda8d72351acc17966cb0b13dae774c7856b36d4bf64944d679c50
SSDEEP

12288:XXe1Z2fJipMHEgSeA6M7kmchJGvRuORtcE9qTpy+Yg0HkV+dgI:HtkmHEgSewkmchJGsORtn9qT8+Yg03eI

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe

pid process

1964 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe

pid	process
1964	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe

description	pid	process	target process
PID 2116 wrote to memory of 1964	2116	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
PID 2116 wrote to memory of 1964	2116	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
PID 2116 wrote to memory of 1964	2116	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
PID 2116 wrote to memory of 1964	2116	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe	3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe"
1⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1964

C:\ProgramData\AMMYY\settings3.bin

Filesize
316B

MD5
fa1d93786decbf5548a774fc29dfbf90

SHA1
427fc450342fd8313b39435a13a6fbceed54b2c3

SHA256
e14690ac32f466641a675e4814aae977b6cae8f6c5d18a07e9764cf37ca2f6e4

SHA512
3ee27dd032163ab79749b12697e380366dcb43150443a9cac9a0bfa6440255c22fabaa940d1d425e9194d327e96ff5b97fe7354f1593157d4475e1b035a7310b

Download Submit