Overview
overview
10Static
static
107086b71e01...18.exe
windows7-x64
77086b71e01...18.exe
windows10-2004-x64
7$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3PBWS32.dll
windows7-x64
3PBWS32.dll
windows10-2004-x64
3baro.exe
windows7-x64
1baro.exe
windows10-2004-x64
1dll/FreeImage.dll
windows7-x64
3dll/FreeImage.dll
windows10-2004-x64
3dll/Interop.WIA.dll
windows7-x64
1dll/Interop.WIA.dll
windows10-2004-x64
1dll/PdfSharp.dll
windows7-x64
1dll/PdfSharp.dll
windows10-2004-x64
1dll/RegAsm.exe
windows7-x64
1dll/RegAsm.exe
windows10-2004-x64
1dll/SDD_TW...ER.dll
windows7-x64
1dll/SDD_TW...ER.dll
windows10-2004-x64
1dll/Saraff.Twain.dll
windows7-x64
1dll/Saraff.Twain.dll
windows10-2004-x64
1dll/System...ng.dll
windows7-x64
1dll/System...ng.dll
windows10-2004-x64
1dll/UzakYardim.exe
windows7-x64
10dll/UzakYardim.exe
windows10-2004-x64
10dll/WinSCP.exe
windows7-x64
6dll/WinSCP.exe
windows10-2004-x64
7dll/WinSCP.exe
windows7-x64
6dll/WinSCP.exe
windows10-2004-x64
7Analysis
-
max time kernel
160s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 02:04
Behavioral task
behavioral1
Sample
7086b71e012a95a8cacea869c0faa921_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7086b71e012a95a8cacea869c0faa921_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
PBWS32.dll
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
PBWS32.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
baro.exe
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
baro.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
dll/FreeImage.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
dll/FreeImage.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
dll/Interop.WIA.dll
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
dll/Interop.WIA.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
dll/PdfSharp.dll
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
dll/PdfSharp.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
dll/RegAsm.exe
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
dll/RegAsm.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
dll/SDD_TWAIN_SCANNER.dll
Resource
win7-20240419-en
Behavioral task
behavioral22
Sample
dll/SDD_TWAIN_SCANNER.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
dll/Saraff.Twain.dll
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
dll/Saraff.Twain.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
dll/System.Drawing.dll
Resource
win7-20240508-en
Behavioral task
behavioral26
Sample
dll/System.Drawing.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral27
Sample
dll/UzakYardim.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
dll/UzakYardim.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
dll/WinSCP.exe
Resource
win7-20231129-en
Behavioral task
behavioral30
Sample
dll/WinSCP.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral31
Sample
dll/WinSCP.exe
Resource
win7-20240508-en
Behavioral task
behavioral32
Sample
dll/WinSCP.exe
Resource
win10v2004-20240426-en
General
-
Target
dll/UzakYardim.exe
-
Size
740KB
-
MD5
10a524d7ac94678ae286b065421647db
-
SHA1
b538e3f113817c8237419310ef47817d1d961fa9
-
SHA256
55daa062650d42e0feabc5ae1c3e4a7f68d4f8a3c69be375a0abc7bf3e1efad4
-
SHA512
928b0e712e604a5ba9580ff6ecadbdf77e2fda6847b11366ce929281ae8e5e3a633073ff07176989ddcb5f8387c6f7c061729af99b61a23a319ddeb7d63ace1b
-
SSDEEP
12288:pUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjmgvPi:ZpJJWOwlaUPcWWwRZb4Rt+N5WMasHDy
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Drops file in System32 directory 4 IoCs
Processes:
UzakYardim.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE UzakYardim.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies UzakYardim.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 UzakYardim.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 UzakYardim.exe -
Modifies data under HKEY_USERS 9 IoCs
Processes:
UzakYardim.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" UzakYardim.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" UzakYardim.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin UzakYardim.exe Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy UzakYardim.exe Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin UzakYardim.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 3c4275956e084c551f51359ac4598ada24323bb371a316aebe0f57d6ac29bdd81f479d0566a7042bd557cb35436cec6843032c713784344f87ba74a3f044e3a40755c0c6 UzakYardim.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix UzakYardim.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552534c49e12c00f1b26b UzakYardim.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE UzakYardim.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
UzakYardim.exepid process 1052 UzakYardim.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
UzakYardim.exepid process 1052 UzakYardim.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
UzakYardim.exedescription pid process target process PID 1616 wrote to memory of 1052 1616 UzakYardim.exe UzakYardim.exe PID 1616 wrote to memory of 1052 1616 UzakYardim.exe UzakYardim.exe PID 1616 wrote to memory of 1052 1616 UzakYardim.exe UzakYardim.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"1⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵PID:872
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD553f437f6a449644487197166b978ef92
SHA14114ef8c4cd50d6cc217f1b501faa3c16a4b4322
SHA256aa1bf51d7e152eb77ef5a29f2fc15db0839889b030c509d24981b4bece24bb82
SHA512c8bae2df7d50985d9918b088e9053f7ba1050e68a843ad84e87ddcd6cecc8ca86e12b1b351b6730cd8319bfd8c3a62883c1183674e2af5d503cf337c043954ad
-
Filesize
68B
MD506de8f37317bf933f058ac060d267a4a
SHA1e607f94f33a3a3506a5aa0caef9ab797f6fa4edb
SHA2564e83c71bfecc11a9b189a9adc1edf6ceb1d0e203ea4e66b111fa1aaf4c3fc687
SHA512c9305e3bcbe585598bcedf76aa03861c69e861713f2f9c9c60742e7ad42a697453158a66d6bdedf0ee35cd6cc778a6e96b0f278e9d69f33db12c9f96c3850559
-
Filesize
331B
MD5c5b80443bc31f2f5c1d2e384c3b82961
SHA1445a99fa06484d216276b9284eedf25483780216
SHA256cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad
SHA512eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97