Analysis Overview
SHA256
f167c098debc24dc5484f0ad474262e1644d94793fdc849620b6d10ccb2c9f63
Threat Level: Known bad
The file 5e7c774dfe97161cb2f235773a52b256_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
Ammyy Admin
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 20:34
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 20:34
Reported
2024-07-29 22:21
Platform
win7-20240704-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1052 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1052 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1052 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1052 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
Files
memory/1052-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1052-2-0x00000000004A0000-0x00000000004A1000-memory.dmp
memory/1052-3-0x0000000002770000-0x0000000002B70000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 14b8882e6b982eaa2fb22f91275449c2 |
| SHA1 | 0e02370c8529acfbadf28424bf4713a3c8583430 |
| SHA256 | fe474e4a8ac984f166ec45522a33e6dd5ad44fdb61130578e7e78d910f634c10 |
| SHA512 | 19a15bccf849374c978f21e32c7a26f75b12fa33ab07bb12de1ad03bbc29e04598d1b4d23f66761c412b15464098692812184515c2d94605900ebdd6d391c5ef |
memory/1052-7-0x0000000002E50000-0x0000000002E5A000-memory.dmp
memory/2180-12-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1052-11-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2180-14-0x0000000001DA0000-0x0000000001DA1000-memory.dmp
memory/2180-15-0x0000000002710000-0x0000000002B10000-memory.dmp
memory/2180-16-0x0000000000400000-0x000000000040A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-29 20:34
Reported
2024-07-29 22:21
Platform
win10v2004-20240709-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 828 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 828 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 828 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e7c774dfe97161cb2f235773a52b256_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/828-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/828-1-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/828-3-0x0000000002530000-0x0000000002930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 14b8882e6b982eaa2fb22f91275449c2 |
| SHA1 | 0e02370c8529acfbadf28424bf4713a3c8583430 |
| SHA256 | fe474e4a8ac984f166ec45522a33e6dd5ad44fdb61130578e7e78d910f634c10 |
| SHA512 | 19a15bccf849374c978f21e32c7a26f75b12fa33ab07bb12de1ad03bbc29e04598d1b4d23f66761c412b15464098692812184515c2d94605900ebdd6d391c5ef |
memory/828-12-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3732-13-0x00000000004F0000-0x00000000004F1000-memory.dmp
memory/3732-14-0x00000000025B0000-0x00000000029B0000-memory.dmp
memory/3732-15-0x0000000000400000-0x000000000040A000-memory.dmp