Malware Analysis Report

2024-10-16 05:08

Sample ID 240824-ta18jsxeme
Target beeec969093ab86761889dc3416fde16_JaffaCakes118
SHA256 52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f
Tags
ammyyadmin flawedammyy discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f

Threat Level: Known bad

The file beeec969093ab86761889dc3416fde16_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy discovery trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 15:52

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 15:52

Reported

2024-08-24 15:54

Platform

win7-20240729-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253a78c7ca275a9b26b C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = ca1e4869472d7cdf12df07d60237f496ecf9cd874ffe2d19750bb671d546923ea5d65fddddfb538bb7ac605d22a9a775aa962f3eb25213866a89dcb4a916ed5fcfa522ddb02333bea94757 C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 2f5e8fc2fab9560d7d2f9f295929b883
SHA1 87644b1431054f73c0fe9aaa77b3ffa3fa6d29a2
SHA256 66c97b75a9b097180197ed4b7b5737b76b16e5e1f426e4999780d640068e6d72
SHA512 0b77560f50823cf523833221d57eb5d149890900199170b30cbad17378a235e9ed8822b0fa6d6095137a37a784ebad15297050b4bcec4e4747a933bb69a38a20

C:\ProgramData\AMMYY\hr

MD5 fc1c572f3058c4f567d0ca59722a77c6
SHA1 81fca4dbac6f74677dd46ff6285844593d1d1baa
SHA256 95a63de870f1bed8899a362bd5c69d7e15cb36156b1e6f12286b4ae34aad6458
SHA512 24731357f96a72ff90142453c7f53bc3cf9b372c0ee1849a66a30ae79497a60b050f45115856cd2c433a89409dc624ec971c122365cf20da6e1db955e69b19c2

C:\ProgramData\AMMYY\hr3

MD5 1ec688c874e0d51d4da627b6eb293135
SHA1 ba4ab7fc2f0949c24e2b828ae1ed6737baa09960
SHA256 a9bd755e9787f54d093d3f85414ff45318328306023566feafc176bc920d0151
SHA512 54dfa810c494bee3a592efec82fdfe989af424653db0c2fc6bbe4e3fddce9a18d5bface521bd4ae1e679e962cdc5dfdfdff000399d0f41a31db38fb77e1978ce

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 15:52

Reported

2024-08-24 15:54

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 09637b6353a99021447b7cdf8f7e3e5064d6c05a4b84c2d06437709b5aea625db01c449eac4bd6ba611f6dc9dba8d2ca0beef4748941da912f9afb1999e877146f3d87082fab4a2ff09328 C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525314e3fda275a9b26b C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 2f5e8fc2fab9560d7d2f9f295929b883
SHA1 87644b1431054f73c0fe9aaa77b3ffa3fa6d29a2
SHA256 66c97b75a9b097180197ed4b7b5737b76b16e5e1f426e4999780d640068e6d72
SHA512 0b77560f50823cf523833221d57eb5d149890900199170b30cbad17378a235e9ed8822b0fa6d6095137a37a784ebad15297050b4bcec4e4747a933bb69a38a20

C:\ProgramData\AMMYY\hr

MD5 3033b6f7898c7ba7522a8e635f4389e3
SHA1 561c206a180e852ab15ba584b15cacfd19477b68
SHA256 4ed073978dc823f51c5ae75e962916a5d993d941044995f193242d54393f789c
SHA512 52984bb1ed785e653cdf0d7129ed96c96632f19017dfc4c6af2c26f6da6eb79797fdc7ace39bb970c6972c62d006036bd065fed5dd361be5da4f0c1061e956d3

C:\ProgramData\AMMYY\hr3

MD5 a327869e9731fbe2c8bed88ed704579a
SHA1 62e9c43da7c0e11359cdf5c0bd863eb0c2410282
SHA256 bf74dd5052dcb1f882cb49cbc6ce9b4f5aabe6323f9c20617ab832915dac04e4
SHA512 d9e1de501e3a2ebbd17d64ad75ed7f31118b0ac1e484d1974cde43fcc87b7ad5a0f1349edcce965cec9c634a24994c4eb804f1262c77d0b4875bd9afbda53ff9