ammyyadmin | 9d578cc34fb1b3ac70db2bf01e2e7a5cc72b5b3eefd0850a12d6d5b4b0b7934e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe
Size

1012KB
MD5

a149f27217432d2a63dfa2d6d293a308
SHA1

0ef90d761cec39515c5b56a286576a4b5d212661
SHA256

9d578cc34fb1b3ac70db2bf01e2e7a5cc72b5b3eefd0850a12d6d5b4b0b7934e
SHA512

183268f0051e5132ef0769169f2ba3655a99624cf2d9b90df7a14bbc1f5e04897a1038787ab53cf2f1230f1f04a025b20920777f1dee9fb9a685febde8a24224
SSDEEP

24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxu:7J5gEKNikf3hBfUiWxu

Score

10^/10

ammyyadmin rat upx

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b309-5.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

pid	Process
2152	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000500000000b309-5.dat	upx
behavioral1/memory/2152-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2460-10-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2152-14-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2152	2460	a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2152	2460	a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2152	2460	a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2152	2460	a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a149f27217432d2a63dfa2d6d293a308_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
1012KB

MD5
108f863fa98b3734d4b254328ea1c317

SHA1
04d4cf9fcf1ab1494016abf4e55760b103d67c5e

SHA256
d856c1f90c5c48d161a7bf803ae7f4098589bf544a12221532f8e3406c59a0eb

SHA512
780742f80b21490d0e47152960da9cbe9f1a95844697432cea29918590aa75edf764e4a4cad48bb5d71e444d9e505e944f09c32c408d34694329e57249194c75

Download Submit
memory/2152-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-13-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2152-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2460-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2460-2-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2460-4-0x0000000002AC0000-0x0000000002EC0000-memory.dmp

Filesize
4.0MB

Download
memory/2460-7-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/2460-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download