ammyyadmin | daaed52990a467051c10ef429b4b4546833ac831ceb1e14e15d3a9d9e1e775ab

General

Target

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Size

746KB
MD5

4384015f0e7a2c6e3738fc2492cc1075
SHA1

0dfa27fc3204ebfa172cd1eb97f798914b006140
SHA256

daaed52990a467051c10ef429b4b4546833ac831ceb1e14e15d3a9d9e1e775ab
SHA512

7131c88d0987142e66d9b7247902e18e7951896998a66f725515f8d8b8b4e24ccffe73b457ccf34dd764297b14cd095e19e0af79cacc5b67c7e4f1ac733b27dd
SSDEEP

12288:8NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:8XTszE7PTgM0YOgA4RtcbwhsSYFVL

Score

10^/10

AmmyyAdmin payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1588-0-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin
behavioral2/memory/1588-6-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin
behavioral2/memory/4108-5-0x0000000000400000-0x00000000004D4000-memory.dmp	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253d365be371df9b26b	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 9535a2cd514f1a969572942d681c179d96d9f2dfc425dbaad506f70fcddd3b4a809036a1ce85ded300792874fc7b4b49712356f88631753d5ce45c209bd0f61c79812801	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid process

216 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid process

216 4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid	process
216	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

pid	process
216	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

description	pid	process	target process
PID 4108 wrote to memory of 216	4108	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 4108 wrote to memory of 216	4108	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
PID 4108 wrote to memory of 216	4108	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe	4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe"
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4384015f0e7a2c6e3738fc2492cc1075_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:1616

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
d661eb9f8d31d580710e8e2e76d9a22e

SHA1
22bcc4d5e883c4eefc8fa6a5e029b838b69009d5

SHA256
e969950c5e449851b6ed56d187fd3b7225614a27f2f3e854188fc3635a92e6f4

SHA512
dfd56347cdb320c41685e3a5bc44901452dd2d6c311213ddcf608048540238abebba3bc79ec24e5364626fe51b561057fda7a984b9040bdeb79bde8e5f99ad82

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
9acaba3d652a41c94eeb6bd9c19d6a79

SHA1
577be3517698f5bff89d4103b4a1f28fef5e7678

SHA256
bbbd08f62c80aeaf81c07831aca29c7dd47796a54b9d2419f75f4092528983e6

SHA512
e101e244ae80245371839c874b9e16c3e66ddca35b51da4f69501d1b4f90ae261d2a7a724146523e92d4dc0edb92513ebd0ea7799ed71e6add153bd752eca16a

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
memory/1588-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1588-6-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4108-5-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download