Analysis
max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240220-en
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
14-05-2024 23:17
Behavioral task
behavioral1
Sample
4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
Target
4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Size
746KB
MD5
4384015f0e7a2c6e3738fc2492cc1075
SHA1
0dfa27fc3204ebfa172cd1eb97f798914b006140
SHA256
daaed52990a467051c10ef429b4b4546833ac831ceb1e14e15d3a9d9e1e775ab
SHA512
7131c88d0987142e66d9b7247902e18e7951896998a66f725515f8d8b8b4e24ccffe73b457ccf34dd764297b14cd095e19e0af79cacc5b67c7e4f1ac733b27dd
SSDEEP
12288:8NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:8XTszE7PTgM0YOgA4RtcbwhsSYFVL
Malware Config
Signatures
Ammyy Admin
Remote admin tool with various capabilities.
AmmyyAdmin payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2728-0-0x0000000000400000-0x00000000004D4000-memory.dmp  family_ammyyadmin
behavioral1/memory/2952-4-0x0000000000400000-0x00000000004D4000-memory.dmp  family_ammyyadmin
behavioral1/memory/2728-9-0x0000000000400000-0x00000000004D4000-memory.dmp  family_ammyyadmin
behavioral1/memory/2952-8-0x0000000000400000-0x00000000004D4000-memory.dmp  family_ammyyadmin
behavioral1/memory/3024-7-0x0000000000400000-0x00000000004D4000-memory.dmp  family_ammyyadmin
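All five YARA hits point at the same 0x400000-0x4D4000 region in three different PIDs of the same executable, which is what you expect when a binary relaunches itself and the unpacked image lives at the default image base in each copy. The parser below is an added example, not code from the sandbox or this report: it splits the report's memory-hit identifiers into fields and groups hits by process and region so repeated dumps of one region collapse. The identifier layout (`<task>/memory/<pid>-<dump index>-<start>-<end>-memory.dmp <rule>`) is inferred from the five lines above and is an assumption for any other report.

```python
"""Parse sandbox YARA memory-hit identifiers into structured records (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Layout assumed from the five hits in the report:
#   <task>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <yara rule>
HIT_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


@dataclass(frozen=True)
class MemoryHit:
    task: str
    pid: int
    dump_index: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        """Byte length of the dumped region."""
        return self.end - self.start


def parse_hit(line: str) -> MemoryHit:
    """Parse one identifier line; raise ValueError on anything that does not fit the layout."""
    m = HIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised hit line: {line!r}")
    return MemoryHit(
        task=m["task"],
        pid=int(m["pid"]),
        dump_index=int(m["idx"]),
        start=int(m["start"], 16),
        end=int(m["end"], 16),
        rule=m["rule"],
    )


def summarise(lines: List[str]) -> Tuple[List[MemoryHit], Dict[Tuple[int, int, int], Set[str]]]:
    """Return all hits plus a map of (pid, start, end) -> set of rules that fired on that region."""
    hits = [parse_hit(line) for line in lines if line.strip()]
    regions: Dict[Tuple[int, int, int], Set[str]] = {}
    for h in hits:
        regions.setdefault((h.pid, h.start, h.end), set()).add(h.rule)
    return hits, regions


# The five identifiers copied from the report above.
REPORT_HITS = """
behavioral1/memory/2728-0-0x0000000000400000-0x00000000004D4000-memory.dmp family_ammyyadmin
behavioral1/memory/2952-4-0x0000000000400000-0x00000000004D4000-memory.dmp family_ammyyadmin
behavioral1/memory/2728-9-0x0000000000400000-0x00000000004D4000-memory.dmp family_ammyyadmin
behavioral1/memory/2952-8-0x0000000000400000-0x00000000004D4000-memory.dmp family_ammyyadmin
behavioral1/memory/3024-7-0x0000000000400000-0x00000000004D4000-memory.dmp family_ammyyadmin
""".strip().splitlines()


if __name__ == "__main__":
    hits, regions = summarise(REPORT_HITS)
    print(f"{len(hits)} hits over {len(regions)} distinct (pid, region) pairs")
    for (pid, start, end), rules in sorted(regions.items()):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes) {sorted(rules)}")
```

Grouping by region rather than by hit is what makes the picture legible: five hits become three processes carrying one 0xD4000-byte image, which matches the three-process tree further down the page.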
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Modifies data under HKEY_USERS 6 IoCs
Processes: 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595307500bda1cf9b26b  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c358bd9962e70be3b522ade214763eea857170c06cf93d9a2d6e6d6847d0ae92bcae3b6204345470ad67931130712b9d98ec580e078ae22b6e807063b59750c0fd2a54ee  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
pid  process
3024  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes: 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
pid  process
3024  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
description  pid  process  target process
PID 2952 wrote to memory of 3024  2952  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 2952 wrote to memory of 3024  2952  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 2952 wrote to memory of 3024  2952  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 2952 wrote to memory of 3024  2952  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe  4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"
  PID: 2728
C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe" -service -lunch
  - Suspicious use of WriteProcessMemory
  PID: 2952
  C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe (depth 2, child of PID 2952)
    command line: "C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"
    - Checks computer location settings
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3024
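The process tree, together with the registry and WriteProcessMemory entries above, is enough to replay the report's behavioural signatures offline. The Python below is an added example, not sandbox code: it hand-builds the three processes from the report's own PIDs, command lines, registry keys and memory-write events (the `Proc` record and its field names are assumptions for illustration) and evaluates four checks against them: the relaunch of the same image with the `-service -lunch` switches, a parent writing into a child that runs the same image, registry activity under `HKU\.DEFAULT\SOFTWARE\Ammyy`, and the `Geo\Nation` lookup the report flags as a likely geofence.

```python
"""Replay this report's behavioural signatures over a constructed event set (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"


@dataclass
class Proc:
    """One process as seen by a sandbox or EDR: assumed shape, not the sandbox's own schema."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    reg_ops: List[Tuple[str, str]] = field(default_factory=list)  # (operation, key path)
    mem_writes: List[int] = field(default_factory=list)            # target PID per WriteProcessMemory event


# Constructed from the report: 2728 and 2952 at depth 1, 3024 spawned by 2952.
PROCS: Dict[int, Proc] = {
    2728: Proc(2728, None, IMAGE, f'"{IMAGE}"'),
    2952: Proc(2952, None, IMAGE, f'"{IMAGE}" -service -lunch', mem_writes=[3024] * 4),
    3024: Proc(3024, 2952, IMAGE, f'"{IMAGE}"', reg_ops=[
        ("query", r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation"),
        ("create", r"\REGISTRY\USER\.DEFAULT\SOFTWARE"),
        ("create", r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy"),
        ("create", r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin"),
        ("set", r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr"),
        ("set", r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3"),
        ("create", r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"),
    ]),
}

AMMYY_KEY_PREFIX = r"\registry\user\.default\software\ammyy"
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def evaluate(procs: Dict[int, Proc]) -> Dict[int, Set[str]]:
    """Return {pid: set of signature names} for every process that trips at least one check."""
    findings: Dict[int, Set[str]] = defaultdict(set)
    for p in procs.values():
        # A copy of an image already running elsewhere in the tree, started with Ammyy's
        # "-service" switch, is the relaunch step the tree shows for PID 2952.
        same_image_elsewhere = any(
            q.pid != p.pid and q.image.lower() == p.image.lower() for q in procs.values()
        )
        if "-service" in p.cmdline.lower() and same_image_elsewhere:
            findings[p.pid].add("ammyy_service_relaunch")
        # The WriteProcessMemory IoC: parent writes into a child running the same image.
        for target in set(p.mem_writes):
            child = procs.get(target)
            if child and child.ppid == p.pid and child.image.lower() == p.image.lower():
                findings[p.pid].add("writes_into_same_image_child")
        # Registry checks: Ammyy's settings hive under HKU\.DEFAULT and the Geo\Nation lookup.
        for op, key in p.reg_ops:
            k = key.lower()
            if k.startswith(AMMYY_KEY_PREFIX):
                findings[p.pid].add("ammyy_registry_under_hku_default")
            if op == "query" and k.endswith(GEO_NATION_SUFFIX):
                findings[p.pid].add("geo_nation_lookup")
    return dict(findings)


if __name__ == "__main__":
    for pid, names in sorted(evaluate(PROCS).items()):
        print(f"PID {pid}: {', '.join(sorted(names))}")
```

Note that the registry and Geo\Nation findings land on PID 3024 while the relaunch and memory-write findings land on PID 2952, which is exactly the split the report's process tree shows; PID 2728, the first launch, trips nothing on its own, so a detection keyed only on the initial process would miss this sample.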
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
22B
MD5
27f54876434dced9cb1d9b035ce64959
SHA1
3e3e438bc39836369853f4b0d1bb4f0e769fd8b6
SHA256
28f4c8114ce3d2b544e88f1eae21f8a710bbe3665ba08a16e9c79409123707c5
SHA512
b2918a8ba265b758380c9618bff000fecd3674dff381fc61bf75f161734c1e3abe575d7e151ccc5589519baeccffd6f904326960a208f5b5bdd640f75ae86d18
Filesize
68B
MD5
5ba3d1aea16a5a56ca0e7e2bc8471ff3
SHA1
a62143d52e551948356d540c8a518372d46b3851
SHA256
6550b8e59203ee9e41d56de0655d52871b765bdc98bee8cd10c3ac82cf2499c4
SHA512
92b6a37c7c187edb7fbffdf6039baa8ceb430cc3c77a0b1c392636ce04abfe26389df5cf02588e495439c048bb06c9cd70ef0b607a109f084e974a203941a3ba
Filesize
271B
MD5
714f2508d4227f74b6adacfef73815d8
SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8