Analysis Overview
SHA256
52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f
Threat Level: Known bad
The file beeec969093ab86761889dc3416fde16_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery (T1614.001)
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-24 15:52
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-24 15:52
Reported
2024-08-24 15:54
Platform
win7-20240729-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery (T1614.001)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253a78c7ca275a9b26b | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = ca1e4869472d7cdf12df07d60237f496ecf9cd874ffe2d19750bb671d546923ea5d65fddddfb538bb7ac605d22a9a775aa962f3eb25213866a89dcb4a916ed5fcfa522ddb02333bea94757 | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2960 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe |
| PID 2960 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe |
| PID 2960 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe |
| PID 2960 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" -service -lunch |
| C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 2f5e8fc2fab9560d7d2f9f295929b883 |
| SHA1 | 87644b1431054f73c0fe9aaa77b3ffa3fa6d29a2 |
| SHA256 | 66c97b75a9b097180197ed4b7b5737b76b16e5e1f426e4999780d640068e6d72 |
| SHA512 | 0b77560f50823cf523833221d57eb5d149890900199170b30cbad17378a235e9ed8822b0fa6d6095137a37a784ebad15297050b4bcec4e4747a933bb69a38a20 |
C:\ProgramData\AMMYY\hr
| MD5 | fc1c572f3058c4f567d0ca59722a77c6 |
| SHA1 | 81fca4dbac6f74677dd46ff6285844593d1d1baa |
| SHA256 | 95a63de870f1bed8899a362bd5c69d7e15cb36156b1e6f12286b4ae34aad6458 |
| SHA512 | 24731357f96a72ff90142453c7f53bc3cf9b372c0ee1849a66a30ae79497a60b050f45115856cd2c433a89409dc624ec971c122365cf20da6e1db955e69b19c2 |
C:\ProgramData\AMMYY\hr3
| MD5 | 1ec688c874e0d51d4da627b6eb293135 |
| SHA1 | ba4ab7fc2f0949c24e2b828ae1ed6737baa09960 |
| SHA256 | a9bd755e9787f54d093d3f85414ff45318328306023566feafc176bc920d0151 |
| SHA512 | 54dfa810c494bee3a592efec82fdfe989af424653db0c2fc6bbe4e3fddce9a18d5bface521bd4ae1e679e962cdc5dfdfdff000399d0f41a31db38fb77e1978ce |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-24 15:52
Reported
2024-08-24 15:54
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
135s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery (T1614.001)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 09637b6353a99021447b7cdf8f7e3e5064d6c05a4b84c2d06437709b5aea625db01c449eac4bd6ba611f6dc9dba8d2ca0beef4748941da912f9afb1999e877146f3d87082fab4a2ff09328 | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525314e3fda275a9b26b | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4632 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe |
| PID 4632 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe |
| PID 4632 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" -service -lunch |
| C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 2f5e8fc2fab9560d7d2f9f295929b883 |
| SHA1 | 87644b1431054f73c0fe9aaa77b3ffa3fa6d29a2 |
| SHA256 | 66c97b75a9b097180197ed4b7b5737b76b16e5e1f426e4999780d640068e6d72 |
| SHA512 | 0b77560f50823cf523833221d57eb5d149890900199170b30cbad17378a235e9ed8822b0fa6d6095137a37a784ebad15297050b4bcec4e4747a933bb69a38a20 |
C:\ProgramData\AMMYY\hr
| MD5 | 3033b6f7898c7ba7522a8e635f4389e3 |
| SHA1 | 561c206a180e852ab15ba584b15cacfd19477b68 |
| SHA256 | 4ed073978dc823f51c5ae75e962916a5d993d941044995f193242d54393f789c |
| SHA512 | 52984bb1ed785e653cdf0d7129ed96c96632f19017dfc4c6af2c26f6da6eb79797fdc7ace39bb970c6972c62d006036bd065fed5dd361be5da4f0c1061e956d3 |
C:\ProgramData\AMMYY\hr3
| MD5 | a327869e9731fbe2c8bed88ed704579a |
| SHA1 | 62e9c43da7c0e11359cdf5c0bd863eb0c2410282 |
| SHA256 | bf74dd5052dcb1f882cb49cbc6ce9b4f5aabe6323f9c20617ab832915dac04e4 |
| SHA512 | d9e1de501e3a2ebbd17d64ad75ed7f31118b0ac1e484d1974cde43fcc87b7ad5a0f1349edcce965cec9c634a24994c4eb804f1262c77d0b4875bd9afbda53ff9 |
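Hunting script for the artifacts listed in both detonations above. This is an added example, not part of the sandbox report: the indicator values (sample SHA256, the settings3.bin hash that is identical in both runs, the HKU\.DEFAULT\Software\Ammyy registry branch, the C:\ProgramData\AMMYY\ drop directory, the "-service -lunch" service arguments as spelled in the process list, rl.ammyy.com and the two relay IPs) are copied from the report. The log format is a constructed Sysmon-style JSON-lines export and the field names (EventType, TargetObject, TargetFilename, CommandLine, Hashes, DestinationIp, QueryName) are assumptions about that export. The registry-path normaliser maps the sandbox's \REGISTRY\USER\ object paths onto the HKU\ form so the same rule matches either source.

```python
"""Match the Ammyy/FlawedAmmyy host and network indicators from this report
against Sysmon-style JSON-lines events.

Added example, not part of the report. Indicator values are from the report;
the event format and field names are assumed (Sysmon-like JSONL export).
"""
import json
from typing import Dict, Iterable, List, Tuple

# --- indicators copied from the report -------------------------------------
SAMPLE_SHA256 = "52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f"
SETTINGS3_SHA256 = "66c97b75a9b097180197ed4b7b5737b76b16e5e1f426e4999780d640068e6d72"
KNOWN_HASHES = {SAMPLE_SHA256, SETTINGS3_SHA256}
AMMYY_DIR = "c:\\programdata\\ammyy\\"          # settings3.bin, hr, hr3 drop here
AMMYY_REG = "hku\\.default\\software\\ammyy"    # hr / hr3 values written under Admin\
RELAY_HOSTS = {"rl.ammyy.com"}
RELAY_IPS = {"188.42.129.148", "136.243.104.235"}
SERVICE_ARGS = "-service -lunch"                 # spelling is the tool's own (see process list)

# Kernel object-path prefixes (as the sandbox reports them) -> Sysmon hive names.
_HIVE_PREFIXES = (
    ("\\registry\\user\\", "hku\\"),
    ("\\registry\\machine\\", "hklm\\"),
)


def normalise_reg_path(path: str) -> str:
    """Lower-case a registry path and rewrite \\REGISTRY\\USER\\... to hku\\... so
    sandbox output and Sysmon TargetObject values compare with one prefix check."""
    p = path.lower()
    for kernel, hive in _HIVE_PREFIXES:
        if p.startswith(kernel):
            return hive + p[len(kernel):]
    return p


def match_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every indicator the event matches."""
    hits: List[Tuple[str, str]] = []
    kind = ev.get("EventType", "")
    if kind == "RegistryEvent":
        if normalise_reg_path(ev.get("TargetObject", "")).startswith(AMMYY_REG):
            hits.append(("ammyy_registry", ev.get("TargetObject", "")))
    elif kind == "FileCreate":
        name = ev.get("TargetFilename", "")
        if name.lower().startswith(AMMYY_DIR):
            hits.append(("ammyy_programdata_file", name))
    elif kind == "ProcessCreate":
        cmd = ev.get("CommandLine", "")
        if SERVICE_ARGS in cmd.lower():
            hits.append(("ammyy_service_launch", cmd))
        hashes = ev.get("Hashes", "").lower()   # Sysmon "SHA256=..." style
        for h in KNOWN_HASHES:
            if h in hashes:
                hits.append(("known_hash", h))
    elif kind == "NetworkConnect":
        ip = ev.get("DestinationIp", "")
        if ip in RELAY_IPS:
            hits.append(("ammyy_relay_ip", ip))
    elif kind == "DnsQuery":
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q in RELAY_HOSTS:
            hits.append(("ammyy_relay_dns", q))
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan JSON-lines input; malformed or blank lines are skipped, not fatal."""
    out: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule, detail in match_event(ev):
            out.append((n, rule, detail))
    return out


# Constructed sample events (not from the report). The last two lines are
# benign controls: an unrelated ProgramData write and the NLS\Language read,
# which any localised program performs and is too noisy to alert on alone.
SAMPLE_LOG = r'''
{"EventType": "ProcessCreate", "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe\" -service -lunch", "Hashes": "SHA256=52E24FFF0CAAE64471528148C7DBF3D2FBBE85A3AA501A4F13B514D64900AE3F"}
{"EventType": "RegistryEvent", "TargetObject": "\\REGISTRY\\USER\\.DEFAULT\\SOFTWARE\\Ammyy\\Admin\\hr3"}
{"EventType": "RegistryEvent", "TargetObject": "HKU\\.DEFAULT\\Software\\Ammyy\\Admin\\hr"}
{"EventType": "FileCreate", "TargetFilename": "C:\\ProgramData\\AMMYY\\settings3.bin"}
{"EventType": "DnsQuery", "QueryName": "rl.ammyy.com"}
{"EventType": "NetworkConnect", "DestinationIp": "136.243.104.235", "DestinationPort": 443}
{"EventType": "FileCreate", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.db"}
{"EventType": "RegistryEvent", "TargetObject": "HKLM\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"}
'''


def run_sample() -> List[Tuple[int, str, str]]:
    """Run the rules over the constructed sample log."""
    return scan(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for line_no, rule, detail in run_sample():
        print(f"line {line_no}: {rule}: {detail}")
```

The rules deliberately leave out the two discovery indicators (Control Panel\International\Geo\Nation and NLS\Language): they are read by ordinary localised software and carry no signal on their own. Note also that the drop directory, the HKU\.DEFAULT\Software\Ammyy\Admin values and the rl.ammyy.com relay are the stock Ammyy Admin footprint, so a match establishes that an Ammyy build is installed; the file hashes and whether the install was authorised decide whether it is this sample or an unauthorised remote-access tool.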