Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 03:59
Behavioral task
behavioral1
Sample
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
-
Size
704KB
-
MD5
0dcf6b80de9636e9f2d58825842404ee
-
SHA1
56197059d0319560d256b067a90b01131cd44733
-
SHA256
8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe
-
SHA512
91bf4a8336420555d31bbd94c079f56575386c2a9659956def2be780c06ba6eb8b04a447c9109d739b081be0fd37248a077ac6381d05af0b54d393053d25a996
-
SSDEEP
12288:YKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhkg1:YorLkbDEhyW3XS1RtcePKUBATZx81
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Modifies data under HKEY_USERS 6 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 9850c87bcdf4fb72143997c883e890fbe473b0911ae5f92336cefeba74e58be2589d9bb1c7f7ee63d80bec0a35c844869b8b8a655f034eed142b436c464e236937c5ee3579a9ee88ba19b1 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253f73473ad004ab36b 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2748 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2748 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2748 2280 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe 31 PID 2280 wrote to memory of 2748 2280 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe 31 PID 2280 wrote to memory of 2748 2280 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe 31 PID 2280 wrote to memory of 2748 2280 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2088
-
C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe" -service -lunch1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD551e021c0eae872178417e222ce50e927
SHA1ae19925367964a0fc4f6dcd822dadb755a5d7b3f
SHA25684c71cefc3d7b5b412d2a8df2303373ae1dbd7b7b1275110c52773fe66a6a4ce
SHA5129d4a058616b56c541152d5f5411cfeed94c62355750cd3c24de057770fe42b8a11f42dcfdaed1d260efb4f9f132ef038435330ebcd5fda51f4417803a0dde74a
-
Filesize
75B
MD5fb764bfed802fd42d538e7c076ce5fb5
SHA165bae3f2930cb91fc637135f88e89e4730cf4819
SHA25693c19df4cae330bc7e401fe25436d0cf55db0300a32379cec4ea5f59c2bad69d
SHA5126d6fcfbb013b9fa4c2bb06031b5a5bb76c4ba3f45e3736c8be1f1e344ecf5b512769ea3f3d36a28ac5212f040bbcccbf29efcc940ab3ed39134a4528fdeb9566
-
Filesize
305B
MD5e57a0570fc4baf51499bf05f363705df
SHA141653da3b123392ff4d89ff894a4cc160b80e6e9
SHA256bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75
SHA512aa3b12aaac6427372043cd6ebeb11d9205ce0e1a20258673b8083f776046a2ddedbacdeca9d993a1959a70d074a46352e69f9ec93ca27ecd403a4e7f81002465