Analysis
max time kernel: 150s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 15:53
Behavioral task: behavioral1
Sample: 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Size: 696KB
MD5: 128bc5d4a3e25fea59fa6c3f04949257
SHA1: ad8cea9f27161437365dfba43055fdafcd198268
SHA256: ba992179336a255b6274e8f7372f741a85305da0b1ee4ce1e5e73d5f3d57e181
SHA512: 4a544431f298f6d6da4dfbf421fdb05ae308f2bc08c8ba421c2f1e42fce1f67ea1217f3c9eaaa0698ec68b9fbcf29f508e99a3d60c0c9e0b51791edbbb09aaa6
SSDEEP: 12288:qqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCzIgB:TOPMrGL+FKNAe1RtkzepMqBCJB
Malware Config
Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Modifies data under HKEY_USERS (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c69585c401452531fcebe33a998b26b | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = cd5418f7addbb0451574edb9eda393375356b85ee36f2b1d3b90145d92d7317528c4a853170c8088d67613772fe5404058836c102c105e79e4a4515382aae4c29b9c86eb | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1572 | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid | Process
1572 | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3108 wrote to memory of 1572 | 3108 | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe | 84
PID 3108 wrote to memory of 1572 | 3108 | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe | 84
PID 3108 wrote to memory of 1572 | 3108 | 128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe"
  PID: 4456

C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe" -service -lunch
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3108

    C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe"
      Signatures: Checks computer location settings; Modifies data under HKEY_USERS; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      PID: 1572
Network
MITRE ATT&CK Enterprise v15
Downloads