Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2024 03:59

General

  • Target

    0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

  • Size

    704KB

  • MD5

    0dcf6b80de9636e9f2d58825842404ee

  • SHA1

    56197059d0319560d256b067a90b01131cd44733

  • SHA256

    8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe

  • SHA512

    91bf4a8336420555d31bbd94c079f56575386c2a9659956def2be780c06ba6eb8b04a447c9109d739b081be0fd37248a077ac6381d05af0b54d393053d25a996

  • SSDEEP

    12288:YKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhkg1:YorLkbDEhyW3XS1RtcePKUBATZx81

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan built from the leaked source code of the Ammyy Admin remote-administration software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely as a geofence check.

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe (PID 2088, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
    • System Location Discovery: System Language Discovery
  • C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe (PID 2280, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe" -service -lunch
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe (PID 2748, depth 2, child of PID 2280)
      "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
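The process tree above is the most reusable detection material in this report: the sample re-executes itself with `-service -lunch` (the misspelling is inherited from the Ammyy Admin code base), and that service-mode instance then spawns a third copy of the same image while calling WriteProcessMemory. The following is an added example, not part of the sandbox output, showing how a detection engineer could turn those two observations into a rule over process-creation telemetry. The events are copied from the tree above; the parent PIDs of the two top-level processes are not given in the report and are left as None (assumption). The regexes and the "user-writable location" heuristic are mine: a legitimately installed Ammyy Admin also uses these switches, so the rule only fires when the image runs from a location a packaged tool would not normally use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon EID 1 / Security 4688 carry)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Process tree from the report. Parent PIDs of the two depth-1 processes are
# not in the report, so they are None here (assumption).
REPORT_EVENTS: List[ProcEvent] = [
    ProcEvent(2088, None, IMAGE, f'"{IMAGE}"'),
    ProcEvent(2280, None, IMAGE, f'"{IMAGE}" -service -lunch'),
    ProcEvent(2748, 2280, IMAGE, f'"{IMAGE}"'),
]

# Service-mode launch switches seen on PID 2280 (heuristic regex, mine).
SERVICE_LAUNCH = re.compile(r"(?i)\s-service\s+-lunch\b")
# Locations a packaged remote-admin tool would not normally execute from (assumption).
USER_WRITABLE = re.compile(r"(?i)\\(appdata\\local\\temp|programdata|users\\public)\\")


def flag_ammyy(events: List[ProcEvent]) -> Dict[int, str]:
    """Return {pid: reason} for every process the rule flags."""
    by_pid = {e.pid: e for e in events}
    flagged: Dict[int, str] = {}

    # Rule 1: service-mode switches on an image running from a user-writable path.
    for e in events:
        if SERVICE_LAUNCH.search(e.cmdline) and USER_WRITABLE.search(e.image):
            flagged[e.pid] = "ammyy service-mode launch from user-writable path"

    # Rule 2: a flagged parent re-launching its own image (PID 2280 -> 2748 above).
    # Iterate to a fixed point so the order of the event list does not matter.
    changed = True
    while changed:
        changed = False
        for e in events:
            parent = by_pid.get(e.ppid) if e.ppid is not None else None
            if (parent is not None and parent.pid in flagged
                    and e.pid not in flagged
                    and e.image.lower() == parent.image.lower()):
                flagged[e.pid] = f"same-image child of flagged PID {parent.pid}"
                changed = True
    return flagged


if __name__ == "__main__":
    for pid, reason in sorted(flag_ammyy(REPORT_EVENTS).items()):
        print(pid, reason)
```

Run against the report's tree this flags PIDs 2280 and 2748 and leaves the plain first execution (PID 2088) alone, which is the expected gap: the initial run carries no distinguishing arguments, so coverage of that stage has to come from the file hash or from the dropped files under C:\ProgramData\AMMYY rather than from the command line.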

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\AMMYY\hr

    Filesize

    22B

    MD5

    51e021c0eae872178417e222ce50e927

    SHA1

    ae19925367964a0fc4f6dcd822dadb755a5d7b3f

    SHA256

    84c71cefc3d7b5b412d2a8df2303373ae1dbd7b7b1275110c52773fe66a6a4ce

    SHA512

    9d4a058616b56c541152d5f5411cfeed94c62355750cd3c24de057770fe42b8a11f42dcfdaed1d260efb4f9f132ef038435330ebcd5fda51f4417803a0dde74a

  • C:\ProgramData\AMMYY\hr3

    Filesize

    75B

    MD5

    fb764bfed802fd42d538e7c076ce5fb5

    SHA1

    65bae3f2930cb91fc637135f88e89e4730cf4819

    SHA256

    93c19df4cae330bc7e401fe25436d0cf55db0300a32379cec4ea5f59c2bad69d

    SHA512

    6d6fcfbb013b9fa4c2bb06031b5a5bb76c4ba3f45e3736c8be1f1e344ecf5b512769ea3f3d36a28ac5212f040bbcccbf29efcc940ab3ed39134a4528fdeb9566

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    305B

    MD5

    e57a0570fc4baf51499bf05f363705df

    SHA1

    41653da3b123392ff4d89ff894a4cc160b80e6e9

    SHA256

    bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75

    SHA512

    aa3b12aaac6427372043cd6ebeb11d9205ce0e1a20258673b8083f776046a2ddedbacdeca9d993a1959a70d074a46352e69f9ec93ca27ecd403a4e7f81002465
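The three dropped files above are small artifacts the RAT writes into C:\ProgramData\AMMYY at runtime, so their exact contents (and therefore the hashes) are not guaranteed to repeat on another host; the directory and file names are the durable indicators, and a hash match is confirmation rather than a requirement. The following added example (not part of the sandbox output) sweeps a set of files against the Downloads section, grading each as an exact hash match, a path-only match, an unlisted file inside the drop directory, or unrelated. The indicator table is copied from the report; the verdict names and the sample host content are constructed for the example.

```python
import hashlib
from pathlib import PureWindowsPath

# Dropped-file indicators copied from the Downloads section of this report.
DROPPED_FILES = {
    r"C:\ProgramData\AMMYY\hr": {
        "size": 22,
        "md5": "51e021c0eae872178417e222ce50e927",
        "sha256": "84c71cefc3d7b5b412d2a8df2303373ae1dbd7b7b1275110c52773fe66a6a4ce",
    },
    r"C:\ProgramData\AMMYY\hr3": {
        "size": 75,
        "md5": "fb764bfed802fd42d538e7c076ce5fb5",
        "sha256": "93c19df4cae330bc7e401fe25436d0cf55db0300a32379cec4ea5f59c2bad69d",
    },
    r"C:\ProgramData\AMMYY\settings3.bin": {
        "size": 305,
        "md5": "e57a0570fc4baf51499bf05f363705df",
        "sha256": "bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75",
    },
}
AMMYY_DIR = PureWindowsPath(r"C:\ProgramData\AMMYY")


def file_hashes(data: bytes) -> dict:
    """Size plus MD5 and SHA-256 hex digests, the fields the report lists."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(path: str, data: bytes, iocs: dict = DROPPED_FILES) -> str:
    """Grade one file against the dropped-file indicators.

    'exact'      path and SHA-256 both match an indicator
    'path'       path matches but the content differs (size or hash)
    'directory'  file sits in the AMMYY drop directory but is not listed
    'none'       unrelated to the indicators
    """
    p = PureWindowsPath(path)  # PureWindowsPath compares case-insensitively
    entry = next((v for k, v in iocs.items() if PureWindowsPath(k) == p), None)
    if entry is not None:
        h = file_hashes(data)
        if h["size"] == entry["size"] and h["sha256"] == entry["sha256"]:
            return "exact"
        return "path"
    if AMMYY_DIR in p.parents:
        return "directory"
    return "none"


def sweep(files: dict) -> dict:
    """Classify a {path: content} mapping and keep only the hits."""
    verdicts = {path: classify(path, data) for path, data in files.items()}
    return {path: v for path, v in verdicts.items() if v != "none"}


if __name__ == "__main__":
    # Constructed host contents: the RAT wrote its own (different) settings here.
    sample = {
        r"C:\ProgramData\AMMYY\settings3.bin": b"\x00" * 305,
        r"C:\ProgramData\AMMYY\hr": b"\x00" * 22,
        r"C:\ProgramData\AMMYY\log.txt": b"constructed",
        r"C:\Windows\notepad.exe": b"constructed",
    }
    for path, verdict in sweep(sample).items():
        print(f"{verdict:9s} {path}")
```

On a real host the `files` mapping would be filled by walking C:\ProgramData\AMMYY and reading each file; a 'path' verdict there is still a strong hit because the name and location are what the RAT controls, while 'exact' only appears when the same build was run in an environment identical to the sandbox.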