Overview

overview

10

Static

static

3

ce24e3f6a7...18.exe

windows7-x64

9

ce24e3f6a7...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240905-3e8b4atfrl

  • MD5

    ce24e3f6a77491b84dab3c0a6b0203a1

  • SHA1

    070cc99e68a501a6a37ba6155ef2623015dd8967

  • SHA256

    48a16449873f16df73c4468805415769a863062802fdcb30568bf5bb2170bf17

  • SHA512

    7ac4c6496a7d4e522df0664a285bf32303a83f342cebda50cb75ddc23d8d3ac8cd75a5f74aa5ca95920e62cc1a9fd6f8ace385461564dd2c3eb5640956a9d1fd

  • SSDEEP

    24576:7JLMxzpMJbMfUJqhQLklSRvfd8lgDy+BaxZEyr+tE0:2zmJbQU+QwSNlvy+BEnr+tP

Score
10/10
ammyyadmindefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationrat

Malware Config

Targets

    • Target

      ce24e3f6a77491b84dab3c0a6b0203a1_JaffaCakes118

    • Size

      1.2MB

    • MD5

      ce24e3f6a77491b84dab3c0a6b0203a1

    • SHA1

      070cc99e68a501a6a37ba6155ef2623015dd8967

    • SHA256

      48a16449873f16df73c4468805415769a863062802fdcb30568bf5bb2170bf17

    • SHA512

      7ac4c6496a7d4e522df0664a285bf32303a83f342cebda50cb75ddc23d8d3ac8cd75a5f74aa5ca95920e62cc1a9fd6f8ace385461564dd2c3eb5640956a9d1fd

    • SSDEEP

      24576:7JLMxzpMJbMfUJqhQLklSRvfd8lgDy+BaxZEyr+tE0:2zmJbQU+QwSNlvy+BEnr+tP

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationammyyadminrat

    • Ammyy Admin

      Remote admin tool with various capabilities.

      ratammyyadmin

    • AmmyyAdmin payload

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Creates new service(s)

      persistenceexecution

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

      discovery

    • Hide Artifacts: Hidden Users

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Hidden Users

1
T1564.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Password Policy Discovery

1
T1201

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks