ammyyadmin | d1d27ef37d842143c8e8bea51ec031d10ba471874173a7d7f495c87ebd351118

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
Size

847KB
MD5

876ef346ef6409a1f2171ca9e30b426d
SHA1

abe7af4334b569b05a0bd4d58141f3824e956e9d
SHA256

d1d27ef37d842143c8e8bea51ec031d10ba471874173a7d7f495c87ebd351118
SHA512

cef537e149a56778c466d6724e2d7ed61b81a3c1a8302eafe950b37ab3a5e7582f7d9449719948981c98f28a9e198ab638f2dc82a7c12ca7568c6027dd16749d
SSDEEP

12288:g0nyfXuIBDtfu7HbKa/xArOTb1XL9sG9C6DWEsL0EiUs8HHRPqfz:dny/f9upjL9PCzXgpUTPqfz

Score

10^/10

ammyyadmin flawedammyy evasion execution persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023385-25.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	AA_v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	AA_v2.exe

Executes dropped EXE 4 IoCs

pid	Process
3296	HidRun.exe
4832	AA_v2.exe
3840	AA_v2.exe
5116	AA_v2.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
844	sc.exe
3708	sc.exe
964	sc.exe
4856	sc.exe
2024	sc.exe
1540	sc.exe
1596	sc.exe
3720	sc.exe
4720	sc.exe
1720	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4212	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3840	AA_v2.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3840	AA_v2.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3296	5104	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	85
PID 5104 wrote to memory of 3296	5104	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	85
PID 5104 wrote to memory of 3296	5104	876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe	85
PID 3296 wrote to memory of 5048	3296	HidRun.exe	87
PID 3296 wrote to memory of 5048	3296	HidRun.exe	87
PID 3296 wrote to memory of 5048	3296	HidRun.exe	87
PID 5048 wrote to memory of 2024	5048	cmd.exe	89
PID 5048 wrote to memory of 2024	5048	cmd.exe	89
PID 5048 wrote to memory of 2024	5048	cmd.exe	89
PID 5048 wrote to memory of 844	5048	cmd.exe	90
PID 5048 wrote to memory of 844	5048	cmd.exe	90
PID 5048 wrote to memory of 844	5048	cmd.exe	90
PID 5048 wrote to memory of 3708	5048	cmd.exe	91
PID 5048 wrote to memory of 3708	5048	cmd.exe	91
PID 5048 wrote to memory of 3708	5048	cmd.exe	91
PID 5048 wrote to memory of 1540	5048	cmd.exe	92
PID 5048 wrote to memory of 1540	5048	cmd.exe	92
PID 5048 wrote to memory of 1540	5048	cmd.exe	92
PID 5048 wrote to memory of 4212	5048	cmd.exe	93
PID 5048 wrote to memory of 4212	5048	cmd.exe	93
PID 5048 wrote to memory of 4212	5048	cmd.exe	93
PID 5048 wrote to memory of 964	5048	cmd.exe	95
PID 5048 wrote to memory of 964	5048	cmd.exe	95
PID 5048 wrote to memory of 964	5048	cmd.exe	95
PID 5048 wrote to memory of 4856	5048	cmd.exe	96
PID 5048 wrote to memory of 4856	5048	cmd.exe	96
PID 5048 wrote to memory of 4856	5048	cmd.exe	96
PID 5048 wrote to memory of 1596	5048	cmd.exe	97
PID 5048 wrote to memory of 1596	5048	cmd.exe	97
PID 5048 wrote to memory of 1596	5048	cmd.exe	97
PID 5048 wrote to memory of 3720	5048	cmd.exe	99
PID 5048 wrote to memory of 3720	5048	cmd.exe	99
PID 5048 wrote to memory of 3720	5048	cmd.exe	99
PID 5048 wrote to memory of 4720	5048	cmd.exe	100
PID 5048 wrote to memory of 4720	5048	cmd.exe	100
PID 5048 wrote to memory of 4720	5048	cmd.exe	100
PID 5048 wrote to memory of 1720	5048	cmd.exe	101
PID 5048 wrote to memory of 1720	5048	cmd.exe	101
PID 5048 wrote to memory of 1720	5048	cmd.exe	101
PID 5048 wrote to memory of 3840	5048	cmd.exe	103
PID 5048 wrote to memory of 3840	5048	cmd.exe	103
PID 5048 wrote to memory of 3840	5048	cmd.exe	103
PID 4832 wrote to memory of 5116	4832	AA_v2.exe	104
PID 4832 wrote to memory of 5116	4832	AA_v2.exe	104
PID 4832 wrote to memory of 5116	4832	AA_v2.exe	104

C:\Users\Admin\AppData\Local\Temp\876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\876ef346ef6409a1f2171ca9e30b426d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\HidRun.exe
  "C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\HidRun.exe" install.cmd
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c install.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect
      4⤵
      Launches sc.exe
      PID:2024
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect
      4⤵
      Launches sc.exe
      PID:844
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect2
      4⤵
      Launches sc.exe
      PID:3708
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect2
      4⤵
      Launches sc.exe
      PID:1540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM AA_v2.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4212
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect
      4⤵
      Launches sc.exe
      PID:964
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect
      4⤵
      Launches sc.exe
      PID:4856
  - - C:\Windows\SysWOW64\sc.exe
      sc stop its.connect2
      4⤵
      Launches sc.exe
      PID:1596
  - - C:\Windows\SysWOW64\sc.exe
      sc delete its.connect2
      4⤵
      Launches sc.exe
      PID:3720
  - - C:\Windows\SysWOW64\sc.exe
      sc create its.connect2 binpath= "C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe -service" start= auto DisplayName= "Ç⌐Æ¿¥ß.è«¡¡Ñ¬Γ 2"
      4⤵
      Launches sc.exe
      PID:4720
  - - C:\Windows\SysWOW64\sc.exe
      sc start its.connect2
      4⤵
      Launches sc.exe
      PID:1720
  - - C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe
      "C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3840

C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe
C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe -service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe
  "C:\Users\Admin\AppData\Roaming\ITS\Connect2\AA_v2.exe" -nogui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\AA_v2.exe

Filesize
652KB

MD5
86200517082347f28471a5a7251b2faf

SHA1
3ca8a7ba0b771bee97dc062f71459bd5c7fcabfb

SHA256
81d10d29813533e43980d16b6a6278415b98fde2b68d72846638f93492ba9d31

SHA512
5d248c7cbd2ef85b05ab2c6d9f89e593a8db1da8005c93633ad860ecc447b470636cfc6de0d24614c486b01473b1304d5cd72eb2a130acea97023673f2994e22

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\HidRun.exe

Filesize
352KB

MD5
687cfbdf9361d6e45a0ef03dea6d2053

SHA1
fc2fc06eb280680ad557d2eb5dc2fd00407c716c

SHA256
de3cf72c4a70f5725cdf4b5d0a6631ecd37b516c80086f36712e9db9c91e6825

SHA512
6123d0007a00babba7fcf44bee8bac1574e19291e6d5c673444403e009bdcf4a1166b6222c31caa13b8dca25b3623c862d837b630c4ffec72d0f52e55bf14b71

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\hr

Filesize
22B

MD5
c967a20d447b738671e8a41ddb1b6afd

SHA1
6fc79b73bd642b42cf8db285eae61c3ba97aa23c

SHA256
a6b5d00a2d4fa82e6c72e077c81bac4dc5b675a2ff73367ddb49e7866a17dee8

SHA512
d5d2d57a9668660e4a8f0e0b47886be0f2998b95957ae166ebb2a95ed09f9712730668a6a4ad78313bbc9fb933d6999e7837c770f42fcc56a9bcd3bd1b6c4270

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\install.cmd

Filesize
1KB

MD5
d9b3eb7873a8fd148b9fc328b0df6fdf

SHA1
a668649a75f3ab88e84277d132fb14486889fff4

SHA256
076b45033791056a37dc0b286130a56d5b028824fdb23d0bf672ddce8d9742cc

SHA512
0d0c400ffd824d2eea66d7e5ec87cf9fb92520840b522f7a0f1380e5e7de830a5da93bee2cb101f5ddfa20240bf715487f305bfbbe2c4da4d3552c3b097210a5

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\settings.bin

Filesize
129B

MD5
15cc879bd618d0d4c9f9d3acc9e97bf5

SHA1
819e9bca0b501622e9a218dcbc833ee57ad8ffc7

SHA256
da59a5d1926e72ef87292e91880aad66751c1b8c1435b546382c15716f550c73

SHA512
8928d62a1b67e7acfc40c333deaca8d9f83dbf01b4fa658e9c009a5e9301c7d741123d6a2bcac0829759c59f113a9ca5920945cbb62f05702481654568eea599

Download Submit
C:\Users\Admin\AppData\Roaming\ITS\Connect2\Update\settings.rdp

Filesize
376B

MD5
56e489815ebdf743b40f477d7c38a518

SHA1
8f9fff8667e1f64843b35c416a5ec83f54046341

SHA256
dae94c47bd56f4fc3a61650b857d6c09bc75c046b130b466d238983c9dd3fac0

SHA512
4d6902d763479e369a5188e3debf080b1f510f98f3171bd569a04c9db6cb6ed93b9a74a390e1d1495795b593f15f44958ed5880225aa29dcd7c0b446eeefb63c

Download Submit
memory/3296-22-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3296-23-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download