Malware Analysis Report

2024-10-16 05:10

Sample ID 240729-zctjdatdnc
Target 5e7c774dfe97161cb2f235773a52b256_JaffaCakes118
SHA256 f167c098debc24dc5484f0ad474262e1644d94793fdc849620b6d10ccb2c9f63
Tags
ammyyadmin discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f167c098debc24dc5484f0ad474262e1644d94793fdc849620b6d10ccb2c9f63

Threat Level: Known bad

The file 5e7c774dfe97161cb2f235773a52b256_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin discovery rat

AmmyyAdmin payload

Ammyyadmin family

Ammyy Admin

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 20:34

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 20:34

Reported

2024-07-29 22:21

Platform

win7-20240704-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp

Files

memory/1052-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1052-2-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/1052-3-0x0000000002770000-0x0000000002B70000-memory.dmp

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 14b8882e6b982eaa2fb22f91275449c2
SHA1 0e02370c8529acfbadf28424bf4713a3c8583430
SHA256 fe474e4a8ac984f166ec45522a33e6dd5ad44fdb61130578e7e78d910f634c10
SHA512 19a15bccf849374c978f21e32c7a26f75b12fa33ab07bb12de1ad03bbc29e04598d1b4d23f66761c412b15464098692812184515c2d94605900ebdd6d391c5ef

memory/1052-7-0x0000000002E50000-0x0000000002E5A000-memory.dmp

memory/2180-12-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1052-11-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2180-14-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

memory/2180-15-0x0000000002710000-0x0000000002B10000-memory.dmp

memory/2180-16-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 20:34

Reported

2024-07-29 22:21

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A
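The two discovery signatures in this report (System Language Discovery, which fires on the NLS\Language key in both the Windows 7 and Windows 10 runs, and Checks computer location settings, which fires on the Geo\Nation value in the Windows 10 run) can be re-derived from raw registry events with a small matcher. The Python below is an added example written for this page, not the sandbox's own rule engine. Its events are constructed from the Indicator columns of the behavioral1 and behavioral2 tables plus one benign control row; the key normalisation (collapsing ControlSet001/CurrentControlSet and the per-user SID) and the mapping of the Geo\Nation signature to ATT&CK T1614 are this example's own choices, not something the report states.

```python
"""Match registry events against the two discovery signatures in this report.

Added example for this page, not the sandbox's own rule engine. Events are
constructed from the report's Indicator columns; the normalisation and the
ATT&CK mapping of the Nation rule are this example's choices.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\budha.exe"

# Constructed events as (operation, key, process): the three rows the report
# attributes to the sample and budha.exe, plus one benign control event.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", DROPPED),
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation",
     SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     r"C:\Windows\explorer.exe"),  # control: a Run key is not a discovery indicator
]


def normalize(key):
    """Upper-case the key and collapse ControlSetNNN/CurrentControlSet and
    per-user SIDs, so one rule string matches the same key on any host."""
    key = key.upper()
    key = re.sub(r"\\(?:CONTROLSET\d{3}|CURRENTCONTROLSET)\\", r"\\CONTROLSET\\", key)
    key = re.sub(r"\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", r"\\REGISTRY\\USER\\<SID>\\", key)
    return key


# Rule name -> normalised key. The first name is the report's and corresponds to
# ATT&CK T1614.001; the second is the report's signature name, mapped to T1614
# by this example. Rules are written with any control set / SID and normalised
# the same way as the events, so they match regardless of the host's values.
RULES = {
    "System Location Discovery: System Language Discovery":
        normalize(r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\NLS\Language"),
    "Checks computer location settings":
        normalize(r"\REGISTRY\USER\S-1-5-21-0-0-0-1000\Control Panel\International\Geo\Nation"),
}


def match(events, rules=RULES):
    """Return {rule name: sorted processes} for every rule at least one event hit.
    A rule hits on the exact key or on any subkey/value beneath it."""
    hits = {name: set() for name in rules}
    for _operation, key, process in events:
        nk = normalize(key)
        for name, target in rules.items():
            if nk == target or nk.startswith(target + "\\"):
                hits[name].add(process)
    return {name: sorted(procs) for name, procs in hits.items() if procs}


if __name__ == "__main__":
    for name, procs in match(EVENTS).items():
        print(name)
        for proc in procs:
            print("   ", proc)
```

Run against the constructed events this reports both signatures, attributing System Language Discovery to both the sample and budha.exe and Checks computer location settings to the sample only, exactly as the tables above do; the control Run-key event matches nothing. Because both the rule strings and the incoming keys pass through the same normalisation, the rules keep working on a host whose active control set is ControlSet002 or whose user SID differs from the sandbox's.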

Processes

C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp
US 8.8.8.8:53 cry-havok.org udp
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
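Both behavioral runs record DNS queries for maitikio.com and cry-havok.org, but the Windows 10 run above also logs reverse (in-addr.arpa) lookups and Bing CDN traffic that come from the sandbox image rather than the sample. The Python below is an added example written for this page, not part of the report or the sandbox: it parses a copy of rows from the table above, separates reverse lookups and an assumed baseline host (tse1.mm.bing.net) from candidate IOCs, and lists which domains actually progressed to a TCP connection. The baseline set is an assumption of this example; build yours from a detonation of a known-benign file on the same image.

```python
"""Triage the DNS rows of a sandbox network table into IOCs and sandbox noise.

Added example written for this report, not the sandbox's own code.
"""
import re
from collections import Counter

# Constructed input: rows copied from the behavioral2 Network table
# (a subset is enough to exercise every branch).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumption: hosts the Windows 10 sandbox image contacts on its own.
# Populate this from a clean-image run, not from guesswork.
SANDBOX_BASELINE = {"tse1.mm.bing.net"}

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dst>\S+) (?P<domain>\S+) (?P<proto>tcp|udp)$")


def parse_rows(text):
    """Yield one dict per data row; the header and any malformed line are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_reverse_lookup(domain):
    """PTR queries name peers the sandbox already saw; they are not the sample resolving C2."""
    return domain.endswith(".in-addr.arpa")


def triage(text, baseline=SANDBOX_BASELINE):
    """Split domains into (candidates, noise); each maps domain -> number of rows."""
    candidates, noise = Counter(), Counter()
    for row in parse_rows(text):
        domain = row["domain"].lower()
        if is_reverse_lookup(domain) or domain in baseline:
            noise[domain] += 1
        else:
            candidates[domain] += 1
    return dict(candidates), dict(noise)


def tcp_flows(text):
    """Domains that got past DNS to an actual TCP connection, with their destination."""
    return {(row["domain"].lower(), row["dst"])
            for row in parse_rows(text) if row["proto"] == "tcp"}


def ptr_targets(text):
    """IPs the sandbox issued PTR queries for, in normal octet order, for correlation with flow logs."""
    targets = set()
    for row in parse_rows(text):
        domain = row["domain"]
        if is_reverse_lookup(domain):
            octets = domain[: -len(".in-addr.arpa")].split(".")
            targets.add(".".join(reversed(octets)))
    return targets


if __name__ == "__main__":
    candidates, noise = triage(NETWORK_TABLE)
    print("candidate IOCs:", candidates)
    print("sandbox noise:", noise)
    print("tcp flows:", tcp_flows(NETWORK_TABLE))
    print("ptr targets:", ptr_targets(NETWORK_TABLE))
```

On the rows above the only candidates left are maitikio.com and cry-havok.org, and the only TCP flow is to the Bing host. Neither run in this report shows a TCP connection to either candidate domain, only the DNS queries, so hunt for them in DNS logs rather than expecting a matching firewall hit, and treat them as evidence of the sample's intent rather than confirmed command-and-control traffic.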

Files

memory/828-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/828-1-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/828-3-0x0000000002530000-0x0000000002930000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 14b8882e6b982eaa2fb22f91275449c2
SHA1 0e02370c8529acfbadf28424bf4713a3c8583430
SHA256 fe474e4a8ac984f166ec45522a33e6dd5ad44fdb61130578e7e78d910f634c10
SHA512 19a15bccf849374c978f21e32c7a26f75b12fa33ab07bb12de1ad03bbc29e04598d1b4d23f66761c412b15464098692812184515c2d94605900ebdd6d391c5ef

memory/828-12-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3732-13-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/3732-14-0x00000000025B0000-0x00000000029B0000-memory.dmp

memory/3732-15-0x0000000000400000-0x000000000040A000-memory.dmp