ammyyadmin | 12aa4dd205e8d1c639d73aa0874372a8ef68fc990cdcc037906ef19f0da6b0de

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe
Size

993KB
MD5

58be834ed5fc94a3cf22582fbacd3b74
SHA1

9a25679d6e688a75146427d64943732d696bc27a
SHA256

12aa4dd205e8d1c639d73aa0874372a8ef68fc990cdcc037906ef19f0da6b0de
SHA512

94c72a35651b59ff3cf6dc0335565d5e9bdb2f35d539a1fb397564e93d78698f4ddcef59b11387420f8445318a3f1063eefaa402bfdd2074320964200d5bbf7d
SSDEEP

24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxT:dJ5gEKNikf3hBfUiWxT

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f00000001227e-5.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

pid	Process
3044	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
3016	58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3044	3016	58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe	28
PID 3016 wrote to memory of 3044	3016	58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe	28
PID 3016 wrote to memory of 3044	3016	58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe	28
PID 3016 wrote to memory of 3044	3016	58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
994KB

MD5
6305e40941af9883060505d680ebfa07

SHA1
d2b3b83e934d1d5442dd211f05972970555fea96

SHA256
6466fdeb6b27aa3f662731da94e7de1beb53e7b11775a1ad586d7333862c487f

SHA512
483c42529ed87c86adecfe1ba4ab1390dbbe22cfaa046b20f201125f3a7513b4a45b8986962b91657006d1fbb739246eae8d9d3cfe56bd90de102ccca45a7007

Download Submit
memory/3016-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3016-1-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x0000000002B60000-0x0000000002F60000-memory.dmp

Filesize
4.0MB

Download
memory/3016-7-0x0000000003060000-0x000000000306A000-memory.dmp

Filesize
40KB

Download
memory/3016-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3044-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3044-15-0x0000000002B80000-0x0000000002F80000-memory.dmp

Filesize
4.0MB

Download
memory/3044-13-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download