Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 23:17

General

  • Target

    4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

  • Size

    746KB

  • MD5

    4384015f0e7a2c6e3738fc2492cc1075

  • SHA1

    0dfa27fc3204ebfa172cd1eb97f798914b006140

  • SHA256

    daaed52990a467051c10ef429b4b4546833ac831ceb1e14e15d3a9d9e1e775ab

  • SHA512

    7131c88d0987142e66d9b7247902e18e7951896998a66f725515f8d8b8b4e24ccffe73b457ccf34dd764297b14cd095e19e0af79cacc5b67c7e4f1ac733b27dd

  • SSDEEP

    12288:8NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:8XTszE7PTgM0YOgA4RtcbwhsSYFVL

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

  • AmmyyAdmin payload (5 IoCs)
  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"
    1⤵
    PID: 2728
    • C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe" -service -lunch
      1⤵
      PID: 2952
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"
        2⤵
        PID: 3024
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage

    Downloads

    • C:\ProgramData\AMMYY\hr

      Filesize

      22B

      MD5

      27f54876434dced9cb1d9b035ce64959

      SHA1

      3e3e438bc39836369853f4b0d1bb4f0e769fd8b6

      SHA256

      28f4c8114ce3d2b544e88f1eae21f8a710bbe3665ba08a16e9c79409123707c5

      SHA512

      b2918a8ba265b758380c9618bff000fecd3674dff381fc61bf75f161734c1e3abe575d7e151ccc5589519baeccffd6f904326960a208f5b5bdd640f75ae86d18

    • C:\ProgramData\AMMYY\hr3

      Filesize

      68B

      MD5

      5ba3d1aea16a5a56ca0e7e2bc8471ff3

      SHA1

      a62143d52e551948356d540c8a518372d46b3851

      SHA256

      6550b8e59203ee9e41d56de0655d52871b765bdc98bee8cd10c3ac82cf2499c4

      SHA512

      92b6a37c7c187edb7fbffdf6039baa8ceb430cc3c77a0b1c392636ce04abfe26389df5cf02588e495439c048bb06c9cd70ef0b607a109f084e974a203941a3ba

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      271B

      MD5

      714f2508d4227f74b6adacfef73815d8

      SHA1

      a35c8a796e4453c0c09d011284b806d25bdad04c

      SHA256

      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

      SHA512

      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

    • memory/2728-0-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

    • memory/2728-9-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

    • memory/2952-4-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

    • memory/2952-5-0x0000000000F40000-0x0000000001014000-memory.dmp

      Filesize

      848KB

    • memory/2952-8-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

    • memory/3024-7-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB