ammyyadmin | 24cfb8ae19e48d2d2b073d76f7e1a25303c8f5daaf67d1e264e11a6d0a56fedf

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe
Size

1012KB
MD5

a2f6c0f94d4457d400aab3d0616ec51e
SHA1

b06bcc2a30e2cd3b5fb91dd4e542938c98f2d311
SHA256

24cfb8ae19e48d2d2b073d76f7e1a25303c8f5daaf67d1e264e11a6d0a56fedf
SHA512

956671f8dc9f63099211c590ca9c76f61c5671ce89629f7599d5c64172366a967113e992540584fd037bf89e1e09dc2045e1ec80e7c01cf0e60e4ece189a031b
SSDEEP

24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxX:7J5gEKNikf3hBfUiWxX

Score

10^/10

ammyyadmin rat upx

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224b-8.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

pid	Process
2992	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
2900	a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000c00000001224b-8.dat	upx
behavioral1/memory/2992-10-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2900-9-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2992-14-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2992	2900	a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2992	2900	a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2992	2900	a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2992	2900	a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2f6c0f94d4457d400aab3d0616ec51e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
1012KB

MD5
294a6744d1664597bd8fd52410bf7054

SHA1
557aa0bf38af1dbb246cd7a54e9d1de82d2bd5eb

SHA256
15ab8bc7f2349647935f0950a5a259a82b6ebdef24d0b3b4d400c7fcf8ce43bb

SHA512
646a3b892eb666963c8871f4a3a74e3280202c0b83638b0eb7240d56fa1d53bda2edeeeda81d3d06f85d36915c357bf468ef9d5dfbf50f83f1adf3592c3f7d9b

Download Submit
memory/2900-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2900-2-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/2900-3-0x0000000002B20000-0x0000000002F20000-memory.dmp

Filesize
4.0MB

Download
memory/2900-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2992-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2992-13-0x0000000002B60000-0x0000000002F60000-memory.dmp

Filesize
4.0MB

Download
memory/2992-12-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2992-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download