flawedammyy | e20af79980e1d2d6949568bc1bf87ae49e8021fd21b1e2a5ea955e16811bca03

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 06:28

Target

90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe
Size

768KB
MD5

90d39fd043453158860a828b8fafffb8
SHA1

c5ece138878282ff1cbc68dfdf442bd937d0fbd1
SHA256

e20af79980e1d2d6949568bc1bf87ae49e8021fd21b1e2a5ea955e16811bca03
SHA512

499b16a0ef5bbf1852a308598214de180988e68462df6530389355a4190ab6fd4887efa4d2f962af44356caf5a70e24eb7a4260fd139eac3dbd3b4eb20b9cb09
SSDEEP

12288:vgby1pKmZmjrWinaxABtyZPyoOOORtfWV5gk3VP0nkVgugn:Ay1pVmjrWivBtyZPy2ORt+V5ggVP0t7n

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe

pid process

2944 90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe

pid	process
2944	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe

description	pid	process	target process
PID 2836 wrote to memory of 2944	2836	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe
PID 2836 wrote to memory of 2944	2836	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe
PID 2836 wrote to memory of 2944	2836	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe
PID 2836 wrote to memory of 2944	2836	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe	90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe"
1⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\90d39fd043453158860a828b8fafffb8_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2944

C:\ProgramData\AMMYY\settings3.bin

Filesize
292B

MD5
690bf924346af769f37d2bff6c6e661b

SHA1
0d755f12830c4e4da0e53887ae5320b710e221f2

SHA256
5122dddc30e1564fe13debefdbc0b498fe1dcd8f2c6b7fdfab904ed374340f03

SHA512
06383b95e28c47bc732248529e2f7111f135ed5181a6a45087c26f8973c3c1368353f87068ac9d3c9e4790ada9c33cd1f106c218d591dd8e44927890cb317a88

Download Submit