Analysis Overview
SHA256
9eb5ff781349981303805f00b97afb2a4ef551ba2906a1544332642d71713cae
Threat Level: Known bad
The file fd99965cd59febc027fce1ab22f3ae0f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-29 02:13
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-29 02:13
Reported
2024-09-29 02:16
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752538909970c5d4db36b | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 559b791e332ed51fbc4fa3f0f5c4eb2b69b4c87d99a606eb0865d6fca1c742f79da2d70ac85f3b8754f57170f1827ad0b8276ec08f1c1e9d3c4efd1dc73492753f033770f431d840b72f4d | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4584 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 4584 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 4584 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 172a19a29b92d08d82593a2c31cedf35 |
| SHA1 | 2c02568bffb9c15d4050b783533099c56ab7403f |
| SHA256 | 877160dd2f787a48bfe5b888806160bcc9331cc18ac1fa821191d28ae4f2e529 |
| SHA512 | 9f47d8308878cb33192aafa5b8af044760668b48ce26745ee95346b6ce128770d580ce4530bb5436b81489db524661fecbd7d41f876daaf26f55b6584b40676f |
C:\ProgramData\AMMYY\hr3
| MD5 | cd9ecb47170bd426f2e11493b0fd870f |
| SHA1 | 966d75638e3ec7d6342b5e80da410cd06f7e8a45 |
| SHA256 | 9edf6e3690717e2dca9a52a4115ed6f992a29c9c404e6a351515a4dce22691f6 |
| SHA512 | 70e2cb86c6458f6bb0ec4936b89f7715ba50ac4cb4b9807fd6e4604d044727e7374a1a82bcbd780d7f98af92c0bcd36c522c27305b35813f19903f62746adde7 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-29 02:13
Reported
2024-09-29 02:16
Platform
win7-20240903-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253b71463715d4db36b | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c6ba57b6abf8c602055f052bf63cf1d7d453ff512ea4de487df76c564cd22cb40d94a1591a0d8c86fbdb0a521110a8ecabd1c346a056b7b0942f031f8b7a153da1245be9f7aea3ff80fe33 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2812 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 2812 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 2812 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 2812 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | f87a823e0b89ee47ba7c55311181c528 |
| SHA1 | f41e8fd1ae3c7aa693d65682993617d91662d664 |
| SHA256 | 1c19ef43a0f60d50c4ee5d7feeb1e81a58e55a5a9575c566c33886e648e74967 |
| SHA512 | f974851206adb40ffe13710c6c4ac4360dad21f97a7ad0f17fbfab683ddb3779cbb17b288ff460e567510cfb3ff47e6463bbefa99e7995e7f08ba7143165f116 |
C:\ProgramData\AMMYY\hr3
| MD5 | 5f5e6f655d164781a48714c117244c26 |
| SHA1 | 690f07212bafb7ed11b3c65a61014094014b1b29 |
| SHA256 | b397503d4df31f3f6392213f84b54a2c0eaf5d9b1fcc471e4e6539636c3fba3d |
| SHA512 | fda21c391bfd5351bc7f3ec66b6811c19fe2709b6c6f6cecfe32c2c73f978a205651f1f15a6f87f2505d122a0df5f2d64da482b267467bf68f46eefd8386be39 |