ammyyadmin | daaed52990a467051c10ef429b4b4546833ac831ceb1e14e15d3a9d9e1e775ab

General

Target

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Size

746KB
MD5

4384015f0e7a2c6e3738fc2492cc1075
SHA1

0dfa27fc3204ebfa172cd1eb97f798914b006140
SHA256

daaed52990a467051c10ef429b4b4546833ac831ceb1e14e15d3a9d9e1e775ab
SHA512

7131c88d0987142e66d9b7247902e18e7951896998a66f725515f8d8b8b4e24ccffe73b457ccf34dd764297b14cd095e19e0af79cacc5b67c7e4f1ac733b27dd
SSDEEP

12288:8NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:8XTszE7PTgM0YOgA4RtcbwhsSYFVL

Score

10^/10

ammyyadmin flawedammyy rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2728-0-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin
behavioral1/memory/2952-4-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin
behavioral1/memory/2728-9-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin
behavioral1/memory/2952-8-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin
behavioral1/memory/3024-7-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595307500bda1cf9b26b	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c358bd9962e70be3b522ade214763eea857170c06cf93d9a2d6e6d6847d0ae92bcae3b6204345470ad67931130712b9d98ec580e078ae22b6e807063b59750c0fd2a54ee	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid process

3024 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid process

3024 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid	process
3024	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid	process
3024	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

description	pid	process	target process
PID 2952 wrote to memory of 3024	2952	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 2952 wrote to memory of 3024	2952	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 2952 wrote to memory of 3024	2952	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 2952 wrote to memory of 3024	2952	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"
1⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
27f54876434dced9cb1d9b035ce64959

SHA1
3e3e438bc39836369853f4b0d1bb4f0e769fd8b6

SHA256
28f4c8114ce3d2b544e88f1eae21f8a710bbe3665ba08a16e9c79409123707c5

SHA512
b2918a8ba265b758380c9618bff000fecd3674dff381fc61bf75f161734c1e3abe575d7e151ccc5589519baeccffd6f904326960a208f5b5bdd640f75ae86d18

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
5ba3d1aea16a5a56ca0e7e2bc8471ff3

SHA1
a62143d52e551948356d540c8a518372d46b3851

SHA256
6550b8e59203ee9e41d56de0655d52871b765bdc98bee8cd10c3ac82cf2499c4

SHA512
92b6a37c7c187edb7fbffdf6039baa8ceb430cc3c77a0b1c392636ce04abfe26389df5cf02588e495439c048bb06c9cd70ef0b607a109f084e974a203941a3ba

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
memory/2728-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2728-9-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2952-4-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2952-5-0x0000000000F40000-0x0000000001014000-memory.dmp

Filesize
848KB

Download
memory/2952-8-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3024-7-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads