ammyyadmin | d1d27ef37d842143c8e8bea51ec031d10ba471874173a7d7f495c87ebd351118

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
Size

847KB
MD5

876ef346ef6409a1f2171ca9e30b426d
SHA1

abe7af4334b569b05a0bd4d58141f3824e956e9d
SHA256

d1d27ef37d842143c8e8bea51ec031d10ba471874173a7d7f495c87ebd351118
SHA512

cef537e149a56778c466d6724e2d7ed61b81a3c1a8302eafe950b37ab3a5e7582f7d9449719948981c98f28a9e198ab638f2dc82a7c12ca7568c6027dd16749d
SSDEEP

12288:g0nyfXuIBDtfu7HbKa/xArOTb1XL9sG9C6DWEsL0EiUs8HHRPqfz:dny/f9upjL9PCzXgpUTPqfz

Score

10^/10

ammyyadmin flawedammyy evasion execution persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015c2f-31.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	AA_v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	AA_v2.exe

Executes dropped EXE 4 IoCs

pid	Process
2460	HidRun.exe
1168	AA_v2.exe
1616	AA_v2.exe
1108	AA_v2.exe

Loads dropped DLL 6 IoCs

pid	Process
2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
1540	cmd.exe
1540	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1192	sc.exe
964	sc.exe
2172	sc.exe
1412	sc.exe
1424	sc.exe
2288	sc.exe
2404	sc.exe
2856	sc.exe
2988	sc.exe
2096	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
324	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1616	AA_v2.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1616	AA_v2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2460	2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2460	2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2460	2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2460	2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2460	2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2460	2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	28
PID 2820 wrote to memory of 2460	2820	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	28
PID 2460 wrote to memory of 1540	2460	HidRun.exe	29
PID 2460 wrote to memory of 1540	2460	HidRun.exe	29
PID 2460 wrote to memory of 1540	2460	HidRun.exe	29
PID 2460 wrote to memory of 1540	2460	HidRun.exe	29
PID 2460 wrote to memory of 1540	2460	HidRun.exe	29
PID 2460 wrote to memory of 1540	2460	HidRun.exe	29
PID 2460 wrote to memory of 1540	2460	HidRun.exe	29
PID 1540 wrote to memory of 2404	1540	cmd.exe	32
PID 1540 wrote to memory of 2404	1540	cmd.exe	32
PID 1540 wrote to memory of 2404	1540	cmd.exe	32
PID 1540 wrote to memory of 2404	1540	cmd.exe	32
PID 1540 wrote to memory of 2404	1540	cmd.exe	32
PID 1540 wrote to memory of 2404	1540	cmd.exe	32
PID 1540 wrote to memory of 2404	1540	cmd.exe	32
PID 1540 wrote to memory of 2856	1540	cmd.exe	33
PID 1540 wrote to memory of 2856	1540	cmd.exe	33
PID 1540 wrote to memory of 2856	1540	cmd.exe	33
PID 1540 wrote to memory of 2856	1540	cmd.exe	33
PID 1540 wrote to memory of 2856	1540	cmd.exe	33
PID 1540 wrote to memory of 2856	1540	cmd.exe	33
PID 1540 wrote to memory of 2856	1540	cmd.exe	33
PID 1540 wrote to memory of 2988	1540	cmd.exe	34
PID 1540 wrote to memory of 2988	1540	cmd.exe	34
PID 1540 wrote to memory of 2988	1540	cmd.exe	34
PID 1540 wrote to memory of 2988	1540	cmd.exe	34
PID 1540 wrote to memory of 2988	1540	cmd.exe	34
PID 1540 wrote to memory of 2988	1540	cmd.exe	34
PID 1540 wrote to memory of 2988	1540	cmd.exe	34
PID 1540 wrote to memory of 2096	1540	cmd.exe	35
PID 1540 wrote to memory of 2096	1540	cmd.exe	35
PID 1540 wrote to memory of 2096	1540	cmd.exe	35
PID 1540 wrote to memory of 2096	1540	cmd.exe	35
PID 1540 wrote to memory of 2096	1540	cmd.exe	35
PID 1540 wrote to memory of 2096	1540	cmd.exe	35
PID 1540 wrote to memory of 2096	1540	cmd.exe	35
PID 1540 wrote to memory of 324	1540	cmd.exe	36
PID 1540 wrote to memory of 324	1540	cmd.exe	36
PID 1540 wrote to memory of 324	1540	cmd.exe	36
PID 1540 wrote to memory of 324	1540	cmd.exe	36
PID 1540 wrote to memory of 324	1540	cmd.exe	36
PID 1540 wrote to memory of 324	1540	cmd.exe	36
PID 1540 wrote to memory of 324	1540	cmd.exe	36
PID 1540 wrote to memory of 1192	1540	cmd.exe	38
PID 1540 wrote to memory of 1192	1540	cmd.exe	38
PID 1540 wrote to memory of 1192	1540	cmd.exe	38
PID 1540 wrote to memory of 1192	1540	cmd.exe	38
PID 1540 wrote to memory of 1192	1540	cmd.exe	38
PID 1540 wrote to memory of 1192	1540	cmd.exe	38
PID 1540 wrote to memory of 1192	1540	cmd.exe	38
PID 1540 wrote to memory of 1412	1540	cmd.exe	39
PID 1540 wrote to memory of 1412	1540	cmd.exe	39
PID 1540 wrote to memory of 1412	1540	cmd.exe	39
PID 1540 wrote to memory of 1412	1540	cmd.exe	39
PID 1540 wrote to memory of 1412	1540	cmd.exe	39
PID 1540 wrote to memory of 1412	1540	cmd.exe	39
PID 1540 wrote to memory of 1412	1540	cmd.exe	39
PID 1540 wrote to memory of 964	1540	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\HidRun.exe
  "C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\HidRun.exe" install.cmd
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c install.cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect
      4⤵
      Launches sc.exe
      PID:2404
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect
      4⤵
      Launches sc.exe
      PID:2856
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect2
      4⤵
      Launches sc.exe
      PID:2988
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect2
      4⤵
      Launches sc.exe
      PID:2096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AA_v2.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:324
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect
      4⤵
      Launches sc.exe
      PID:1192
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect
      4⤵
      Launches sc.exe
      PID:1412
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect2
      4⤵
      Launches sc.exe
      PID:964
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect2
      4⤵
      Launches sc.exe
      PID:1424
  - - C:\Windows\SysWOW64\sc.exe
      sc create its.connect2 binpath= "C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe -service" start= auto DisplayName= "Ç⌐Æ¿¥ß.è«¡¡Ñ¬Γ 2"
      4⤵
      Launches sc.exe
      PID:2172
  - - C:\Windows\SysWOW64\sc.exe
      sc start its.connect2
      4⤵
      Launches sc.exe
      PID:2288
  - - C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe
      "C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1616

C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe
C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe -service
1⤵
- Executes dropped EXE
PID:1168
- C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe
  "C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe" -nogui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\AA_v2.exe

Filesize
652KB

MD5
86200517082347f28471a5a7251b2faf

SHA1
3ca8a7ba0b771bee97dc062f71459bd5c7fcabfb

SHA256
81d10d29813533e43980d16b6a6278415b98fde2b68d72846638f93492ba9d31

SHA512
5d248c7cbd2ef85b05ab2c6d9f89e593a8db1da8005c93633ad860ecc447b470636cfc6de0d24614c486b01473b1304d5cd72eb2a130acea97023673f2994e22

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\HidRun.exe

Filesize
352KB

MD5
687cfbdf9361d6e45a0ef03dea6d2053

SHA1
fc2fc06eb280680ad557d2eb5dc2fd00407c716c

SHA256
de3cf72c4a70f5725cdf4b5d0a6631ecd37b516c80086f36712e9db9c91e6825

SHA512
6123d0007a00babba7fcf44bee8bac1574e19291e6d5c673444403e009bdcf4a1166b6222c31caa13b8dca25b3623c862d837b630c4ffec72d0f52e55bf14b71

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\hr

Filesize
22B

MD5
c967a20d447b738671e8a41ddb1b6afd

SHA1
6fc79b73bd642b42cf8db285eae61c3ba97aa23c

SHA256
a6b5d00a2d4fa82e6c72e077c81bac4dc5b675a2ff73367ddb49e7866a17dee8

SHA512
d5d2d57a9668660e4a8f0e0b47886be0f2998b95957ae166ebb2a95ed09f9712730668a6a4ad78313bbc9fb933d6999e7837c770f42fcc56a9bcd3bd1b6c4270

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\install.cmd

Filesize
1KB

MD5
d9b3eb7873a8fd148b9fc328b0df6fdf

SHA1
a668649a75f3ab88e84277d132fb14486889fff4

SHA256
076b45033791056a37dc0b286130a56d5b028824fdb23d0bf672ddce8d9742cc

SHA512
0d0c400ffd824d2eea66d7e5ec87cf9fb92520840b522f7a0f1380e5e7de830a5da93bee2cb101f5ddfa20240bf715487f305bfbbe2c4da4d3552c3b097210a5

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\settings.bin

Filesize
129B

MD5
15cc879bd618d0d4c9f9d3acc9e97bf5

SHA1
819e9bca0b501622e9a218dcbc833ee57ad8ffc7

SHA256
da59a5d1926e72ef87292e91880aad66751c1b8c1435b546382c15716f550c73

SHA512
8928d62a1b67e7acfc40c333deaca8d9f83dbf01b4fa658e9c009a5e9301c7d741123d6a2bcac0829759c59f113a9ca5920945cbb62f05702481654568eea599

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\settings.rdp

Filesize
376B

MD5
56e489815ebdf743b40f477d7c38a518

SHA1
8f9fff8667e1f64843b35c416a5ec83f54046341

SHA256
dae94c47bd56f4fc3a61650b857d6c09bc75c046b130b466d238983c9dd3fac0

SHA512
4d6902d763479e369a5188e3debf080b1f510f98f3171bd569a04c9db6cb6ed93b9a74a390e1d1495795b593f15f44958ed5880225aa29dcd7c0b446eeefb63c

Download Submit
memory/2460-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2460-30-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download