Malware Analysis Report

2024-10-16 05:07

Sample ID 240929-cnw3bayeqe
Target fd99965cd59febc027fce1ab22f3ae0f_JaffaCakes118
SHA256 9eb5ff781349981303805f00b97afb2a4ef551ba2906a1544332642d71713cae
Tags
flawedammyy discovery trojan ammyyadmin
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9eb5ff781349981303805f00b97afb2a4ef551ba2906a1544332642d71713cae

Threat Level: Known bad

The file fd99965cd59febc027fce1ab22f3ae0f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

flawedammyy discovery trojan ammyyadmin

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-29 02:13

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-29 02:13

Reported

2024-09-29 02:16

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752538909970c5d4db36b | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 559b791e332ed51fbc4fa3f0f5c4eb2b69b4c87d99a606eb0865d6fca1c742f79da2d70ac85f3b8754f57170f1827ad0b8276ec08f1c1e9d3c4efd1dc73492753f033770f431d840b72f4d | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4584 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
PID 4584 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
PID 4584 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
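Most rows in this Network table are PTR (in-addr.arpa) lookups, and the report does not say which process issued them or which of the reverse-looked-up addresses were ever connected to. The script below, an added example and not part of the sandbox report, parses a constructed copy of the table, turns each in-addr.arpa name back into the IPv4 address it asks about, and splits those addresses into ones that also appear as a direct (non-DNS) destination and ones that only ever appear in a reverse lookup. Nothing beyond the table rows themselves is assumed.

```python
"""Correlate PTR lookups in a sandbox Network table with the direct connections.

Added example, not part of the report. NETWORK_TABLE is a constructed copy of the
behavioral2 rows as printed there (the 136.243.104.235 row has no Domain column).
"""
import ipaddress

NETWORK_TABLE = """\
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
"""

DNS_PORT = 53


def ptr_to_ip(name):
    """Turn 'd.c.b.a.in-addr.arpa' into 'a.b.c.d'; return None for anything else."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    candidate = ".".join(reversed(labels[:4]))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def correlate(rows):
    """Split reverse-looked-up IPs into 'also connected to' and 'lookup only'."""
    contacted = {}          # destination IP -> name it was resolved from ("" if none)
    resolvers = set()       # IPs that only served DNS (port 53)
    ptr_ips = set()         # IPs asked about via in-addr.arpa
    forward = set()         # ordinary forward lookups
    for r in rows:
        if r["port"] == DNS_PORT:
            resolvers.add(r["ip"])
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)
            elif r["domain"]:
                forward.add(r["domain"].lower())
        else:
            contacted.setdefault(r["ip"], r["domain"])
    return {
        "resolved": sorted(forward),
        "contacted": contacted,
        "ptr_for_contacted": sorted(ip for ip in ptr_ips if ip in contacted),
        "ptr_only": sorted(ptr_ips - set(contacted) - resolvers,
                           key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    for key, value in correlate(parse_rows(NETWORK_TABLE)).items():
        print(key, value)
```

On this table the two direct destinations (188.42.129.148:80, resolved from rl.ammyy.com, and 136.243.104.235:443) are both also the subject of a PTR query, while ten further addresses appear only as reverse lookups with no connection in the table; those ten deserve lower confidence as indicators than the two that were actually contacted.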

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 172a19a29b92d08d82593a2c31cedf35
SHA1 2c02568bffb9c15d4050b783533099c56ab7403f
SHA256 877160dd2f787a48bfe5b888806160bcc9331cc18ac1fa821191d28ae4f2e529
SHA512 9f47d8308878cb33192aafa5b8af044760668b48ce26745ee95346b6ce128770d580ce4530bb5436b81489db524661fecbd7d41f876daaf26f55b6584b40676f

C:\ProgramData\AMMYY\hr3

MD5 cd9ecb47170bd426f2e11493b0fd870f
SHA1 966d75638e3ec7d6342b5e80da410cd06f7e8a45
SHA256 9edf6e3690717e2dca9a52a4115ed6f992a29c9c404e6a351515a4dce22691f6
SHA512 70e2cb86c6458f6bb0ec4936b89f7715ba50ac4cb4b9807fd6e4604d044727e7374a1a82bcbd780d7f98af92c0bcd36c522c27305b35813f19903f62746adde7

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-29 02:13

Reported

2024-09-29 02:16

Platform

win7-20240903-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253b71463715d4db36b | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c6ba57b6abf8c602055f052bf63cf1d7d453ff512ea4de487df76c564cd22cb40d94a1591a0d8c86fbdb0a521110a8ecabd1c346a056b7b0942f031f8b7a153da1245be9f7aea3ff80fe33 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 f87a823e0b89ee47ba7c55311181c528
SHA1 f41e8fd1ae3c7aa693d65682993617d91662d664
SHA256 1c19ef43a0f60d50c4ee5d7feeb1e81a58e55a5a9575c566c33886e648e74967
SHA512 f974851206adb40ffe13710c6c4ac4360dad21f97a7ad0f17fbfab683ddb3779cbb17b288ff460e567510cfb3ff47e6463bbefa99e7995e7f08ba7143165f116

C:\ProgramData\AMMYY\hr3

MD5 5f5e6f655d164781a48714c117244c26
SHA1 690f07212bafb7ed11b3c65a61014094014b1b29
SHA256 b397503d4df31f3f6392213f84b54a2c0eaf5d9b1fcc471e4e6539636c3fba3d
SHA512 fda21c391bfd5351bc7f3ec66b6811c19fe2709b6c6f6cecfe32c2c73f978a205651f1f15a6f87f2505d122a0df5f2d64da482b267467bf68f46eefd8386be39
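Both detonations above leave the same set of host and network artifacts: the HKEY_USERS\.DEFAULT\Software\Ammyy\Admin key with its hr and hr3 values, the three files under C:\ProgramData\AMMYY, a child process started with "-service -lunch" (the switch as logged in both runs), the rl.ammyy.com lookup and the connection to 188.42.129.148:80. The matcher below gathers them into one hunting check. It is an added example, not part of the sandbox report; the event dicts are a simplified stand-in for Sysmon process, file, registry, DNS and network records, and the sample events are constructed to mirror the behavioral2 run. Two caveats are visible in the report itself: only settings3.bin hashed identically across the two detonations (hr and hr3 differed), so only that hash is used, the other files being matched by path; and the report carries both the AmmyyAdmin and the FlawedAmmyy signatures, and the registry, file and relay-domain names are the Ammyy Admin product's own, so a hit shows Ammyy Admin-derived software is present and whether it is the RAT or an expected remote-support tool still needs context from the host's owner.

```python
"""Match host telemetry against the indicators in this report.

Added example, not part of the sandbox report. Events are plain dicts standing in
for Sysmon process-create / file-create / registry / DNS / network records; the
sample events at the bottom are constructed to mirror the behavioral2 detonation.
"""
import re

# Indicators copied from the report. Paths are matched case-insensitively because
# the sandbox itself logged both '...\SOFTWARE\Ammyy\Admin' and '...\Software\Ammyy\Admin'.
REG_KEY_RE = re.compile(r"\\software\\ammyy\\admin(\\|$)", re.IGNORECASE)
REG_VALUES = {"hr", "hr3"}
FILE_PATHS = {
    r"c:\programdata\ammyy\settings3.bin",
    r"c:\programdata\ammyy\hr",
    r"c:\programdata\ammyy\hr3",
}
# settings3.bin hashed identically in both detonations; hr and hr3 did not, so
# only settings3.bin gets a hash indicator. The other two are matched by path.
SETTINGS3_SHA256 = "a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480"
# Switches of the second process as logged in both detonations.
CMDLINE_RE = re.compile(r"\s-service\s+-lunch\b", re.IGNORECASE)
DNS_NAMES = {"rl.ammyy.com"}
DST_IPS = {"188.42.129.148", "136.243.104.235"}


def match_event(ev):
    """Return the indicator categories this one event matches (empty list = no match)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry":
        target = ev.get("target", "")
        if REG_KEY_RE.search(target):
            hits.append("ammyy_registry_key")
            value_name = target.rsplit("\\", 1)[-1].lower()
            if value_name in REG_VALUES:
                hits.append("ammyy_registry_value:" + value_name)
    elif kind == "file":
        if ev.get("target", "").lower() in FILE_PATHS:
            hits.append("ammyy_file_path")
        if ev.get("sha256", "").lower() == SETTINGS3_SHA256:
            hits.append("ammyy_settings3_hash")
    elif kind == "process":
        if CMDLINE_RE.search(ev.get("cmdline", "")):
            hits.append("ammyy_service_cmdline")
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in DNS_NAMES:
            hits.append("ammyy_relay_dns")
    elif kind == "network":
        if ev.get("dst_ip") in DST_IPS:
            hits.append("ammyy_relay_ip")
    return hits


def triage(events):
    """Group matches by process image so the analyst sees the whole chain per binary."""
    by_image = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            by_image.setdefault(ev.get("image", "<unknown>"), set()).update(hits)
    return {image: sorted(hits) for image, hits in by_image.items()}


AA = r"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
SAMPLE_EVENTS = [  # constructed, not captured telemetry
    {"type": "process", "image": AA, "cmdline": f'"{AA}" -service -lunch'},
    {"type": "registry", "image": AA, "target": r"\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3"},
    {"type": "registry", "image": AA, "target": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy"},
    {"type": "file", "image": AA, "target": r"C:\ProgramData\AMMYY\settings3.bin",
     "sha256": SETTINGS3_SHA256},
    {"type": "dns", "image": AA, "query": "rl.ammyy.com"},
    {"type": "network", "image": AA, "dst_ip": "188.42.129.148", "dst_port": 80},
    # unrelated activity that must not fire
    {"type": "registry", "image": r"C:\Windows\explorer.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1-1-1-1000\Software\Microsoft\Windows\CurrentVersion\Explorer"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image)
        for hit in hits:
            print("   ", hit)
```

The parent key \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy on its own is deliberately not an indicator here; the Admin subkey and its hr/hr3 values are what both detonations actually wrote, and the match is kept that specific.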