flawedammyy | 6dc66741b8e6b8e338c1abd40209191805b169a808df5ee565623ae926b38521

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 01:56

Target

70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Size

726KB
MD5

70814c3d05ff00b7cce5328c19b8c1d6
SHA1

13b503ee98876554f191a710ccf6c0d37d75daca
SHA256

6dc66741b8e6b8e338c1abd40209191805b169a808df5ee565623ae926b38521
SHA512

7ce5250a46b882d78fba0218d46c794e64dc3673520a54858d244537a116128be7146b3db4bf749c13c2664fc8e2edf8c600faa127e01582c3a52c1045f9a8ab
SSDEEP

12288:3YdNctvsfu2LVBfKf057C9lRt3i5olGJssozsghz:odNikfu2hBfK8ilRty5olGJsseN

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c69585c40145253775cb9e40ef1b26b	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = bbd81f3e40c55a5b22a0377f74e34ebe9101290f5b793ba5f36b421c16d895104ae69e88e180c51a6c119f835173d6d6a899f94e610125034bcad75c003ae70e1ed668a2	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4036	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4036	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4036	4208	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe	85
PID 4208 wrote to memory of 4036	4208	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe	85
PID 4208 wrote to memory of 4036	4208	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe"
1⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4036

C:\ProgramData\TEAM9\hr

Filesize
22B

MD5
dbd223aaec50c9c01ea0b41114df7046

SHA1
c0a18feb2d416bac71bbf742064341c8ed1c8ae1

SHA256
799e08079fca8ff9e87fa6abec999b53433e289af62911329cce6c5e4e92e52a

SHA512
0eff94b6beeba9ae33f66e793e2c4f509f4085760d26434cd8603be3a17d0f95cb6957eff8fe90e96543a175d3abcfec70d5fb511a58c086680b4ead3d04be86

Download Submit
C:\ProgramData\TEAM9\hr3

Filesize
68B

MD5
4764906e8c749ce37ce74195962ee739

SHA1
704326509b4ad36e5a73ff4b647cbfb66207f16c

SHA256
09a1a1d7b265f920eae61bef95d99cad80d74bf565feaf859b6f7ec274bc3a1b

SHA512
115dee9746a499e0b3e56bf5de9508c7e9e18ab3ddf64dedac79b18a210e73a6fd673d2d1597cf2e8c51d6cadff234a8b94b41080ba83b4c3eaee5c94e706680

Download Submit
C:\ProgramData\TEAM9\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit