ammyyadmin | b57d1c18a44424fbbd72c3900fe76399bc3bc043c9047679c564b849ccf9d178

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 07:39

Target

b76fc4e16b94851d924c545879908884_JaffaCakes118.exe
Size

994KB
MD5

b76fc4e16b94851d924c545879908884
SHA1

027cb41944ff7c79356f771d6be597561d490299
SHA256

b57d1c18a44424fbbd72c3900fe76399bc3bc043c9047679c564b849ccf9d178
SHA512

fca42de8b2a5ac4cbaabce8810eeff68a61abf902b9fe446c0d386d0d2da82d93ac943a92c3898c5a66fbb92f8566236e03bfbd38274c550186c0767fc4aaef2
SSDEEP

24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxF:dJ5gEKNikf3hBfUiWxF

Score

10^/10

ammyyadmin rat

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

2560 budha.exe
Loads dropped DLL 1 IoCs

Processes:

b76fc4e16b94851d924c545879908884_JaffaCakes118.exe

pid process

2104 b76fc4e16b94851d924c545879908884_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2560	budha.exe

pid	process
2104	b76fc4e16b94851d924c545879908884_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b76fc4e16b94851d924c545879908884_JaffaCakes118.exe

description	pid	process	target process
PID 2104 wrote to memory of 2560	2104	b76fc4e16b94851d924c545879908884_JaffaCakes118.exe	budha.exe
PID 2104 wrote to memory of 2560	2104	b76fc4e16b94851d924c545879908884_JaffaCakes118.exe	budha.exe
PID 2104 wrote to memory of 2560	2104	b76fc4e16b94851d924c545879908884_JaffaCakes118.exe	budha.exe
PID 2104 wrote to memory of 2560	2104	b76fc4e16b94851d924c545879908884_JaffaCakes118.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:2560

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
994KB

MD5
251460c3e810afed1c9bb1cba0953188

SHA1
7235eb3ab9e75e37fdd80025006329c631eef620

SHA256
f053fa5d2ebb6241d297b87960a983d76500fa384c1bae2e427f4fc62ad7ff35

SHA512
d76525bad74e78917353e97c91d86f4628acebe14ee4de49ded9dd2edaf16e974f68aeb33c8663ae72e87ba99f5378803254fd2db3285062a417024b19b796b8

Download Submit
memory/2104-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-1-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2104-4-0x0000000002B80000-0x0000000002F80000-memory.dmp

Filesize
4.0MB

Download
memory/2104-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2560-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2560-14-0x0000000002B90000-0x0000000002F90000-memory.dmp

Filesize
4.0MB

Download
memory/2560-13-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2560-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download