Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-06-2024 15:53

General

  • Target

    128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

  • Size

    696KB

  • MD5

    128bc5d4a3e25fea59fa6c3f04949257

  • SHA1

    ad8cea9f27161437365dfba43055fdafcd198268

  • SHA256

    ba992179336a255b6274e8f7372f741a85305da0b1ee4ce1e5e73d5f3d57e181

  • SHA512

    4a544431f298f6d6da4dfbf421fdb05ae308f2bc08c8ba421c2f1e42fce1f67ea1217f3c9eaaa0698ec68b9fbcf29f508e99a3d60c0c9e0b51791edbbb09aaa6

  • SSDEEP

    12288:qqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCzIgB:TOPMrGL+FKNAe1RtkzepMqBCJB

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe"
    1⤵
      PID:4456
    • C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1572

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\AMMYY\hr

      Filesize

      22B

      MD5

      25a3ea17e16a8d0d69d87255ee5defaf

      SHA1

      1fd64411981c5f7b6e588046310329b680eb5574

      SHA256

      bdbdaf4036bc0c9733be678a553faa0d7ccd5787a7234349b185b0cdb9ffa4d2

      SHA512

      da74101a3411162ba30fe0acfd6c8e4d94ad5f057d8d8d2de872ba23938f1fe222fdcab1036a606ce3b78d04e3fa232c8b6b8069e003f8587824bcbdaf7ad4e4

    • C:\ProgramData\AMMYY\hr3

      Filesize

      68B

      MD5

      32c9c689b4847ccce2d8c4867d5bf6ce

      SHA1

      3440f1967f70ead1059f94a8a695af6baa6eb016

      SHA256

      9a07fb97aae486646816030e4a885775a1ed234075d447b1b08dd5157ee19344

      SHA512

      9aef426c929a932b5e539486430dd57f830ada35f2dcf425f93c8ab6f87daf2c108ddd0ea3ccbcad09a49386eead82b02664bbbbac917f51300388382ddd6303

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      305B

      MD5

      33b9c6fa7eae6a1715fa609ced7433f0

      SHA1

      ace6b06a3f5d8d80a034654e2338fc593de21479

      SHA256

      c90e68393f8f00ee5fe1c0288152d2b3da12d1c031c940d37d13314b1eb4d2df

      SHA512

      a8098099ce09f38fd5401f7c8df115bdc92cf7c096003ddc358fd78129323359392d5a3c02aff753c536df45bffbbe47eb235d1a0629fa07cdde00d445d9917c