Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2024 03:59

General

  • Target

    0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

  • Size

    704KB

  • MD5

    0dcf6b80de9636e9f2d58825842404ee

  • SHA1

    56197059d0319560d256b067a90b01131cd44733

  • SHA256

    8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe

  • SHA512

    91bf4a8336420555d31bbd94c079f56575386c2a9659956def2be780c06ba6eb8b04a447c9109d739b081be0fd37248a077ac6381d05af0b54d393053d25a996

  • SSDEEP

    12288:YKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhkg1:YorLkbDEhyW3XS1RtcePKUBATZx81

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4320
  • C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1152

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\AMMYY\hr

    Filesize

    22B

    MD5

    8352ac3fd99dfbf88696e82b6a8f9b73

    SHA1

    3478e9fae1134bdcb746af6f68003d903ed9c230

    SHA256

    0ae23cb1624774d1a87adab495fbb21a889307bf1e77b7da515fc03bca72a7b2

    SHA512

    d19df87cc0d7da7e690f2b778d410978fc192b595bd64ec8c0b79fdc360154e70dbc9163fe85ac951fdea4a0ab6deb0a1be8522648878bbb63a7451959cc6151

  • C:\ProgramData\AMMYY\hr3

    Filesize

    75B

    MD5

    d7b220d30166d66262abf9b7572b4e6e

    SHA1

    1331b52444d8250a0f6d51ca06780d19dbc7fccb

    SHA256

    29db91def7c8ec84dc5a0af97b23986ceeb991b56a7fc9a9335bd36a6a4023e1

    SHA512

    e5fc78a6843962b79c7da1569edaf514d92b9a8757c65d4169b96c6b6c8e6c45fad95052bf782b03d622edfdefbe1d20ffbef827b1790786c9937cae8097028b

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    305B

    MD5

    e57a0570fc4baf51499bf05f363705df

    SHA1

    41653da3b123392ff4d89ff894a4cc160b80e6e9

    SHA256

    bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75

    SHA512

    aa3b12aaac6427372043cd6ebeb11d9205ce0e1a20258673b8083f776046a2ddedbacdeca9d993a1959a70d074a46352e69f9ec93ca27ecd403a4e7f81002465
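The Processes and Downloads sections above give three concrete hunting hooks: the sample re-executes its own image with the `-service -lunch` arguments and then spawns itself once more, and it writes `hr`, `hr3` and `settings3.bin` under `C:\ProgramData\AMMYY\`. The script below is an added example, not part of the sandbox report, that turns those observations into matching logic over process-creation and file-creation telemetry. The event records are constructed to mirror the report's process tree and dropped files (the field names, the parent PID 1000 and the choice of PID 1152 as the writer of the dropped files are assumptions; the report does not say which process wrote them). The hashes are copied from the report.

```python
"""Hunting logic for the FlawedAmmyy behaviour recorded in this report.

Added example, not the report's own tooling. The events below are constructed
to mirror the report's process tree and dropped files; they are not real
telemetry. Field names (type, pid, ppid, image, cmdline, path, sha256) are
assumptions loosely modelled on Sysmon process- and file-creation events.
"""
import re

# Hashes copied from the report's General and Downloads sections.
SAMPLE_SHA256 = "8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe"
DROPPED_SHA256 = {
    r"c:\programdata\ammyy\hr":
        "0ae23cb1624774d1a87adab495fbb21a889307bf1e77b7da515fc03bca72a7b2",
    r"c:\programdata\ammyy\hr3":
        "29db91def7c8ec84dc5a0af97b23986ceeb991b56a7fc9a9335bd36a6a4023e1",
    r"c:\programdata\ammyy\settings3.bin":
        "bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75",
}
AMMYY_DIR = re.compile(r"^c:\\programdata\\ammyy\\", re.IGNORECASE)
# Argument pair seen on PID 2420 in the report's process tree.
SERVICE_LAUNCH = re.compile(r"\s-service\s+-lunch(\s|$)", re.IGNORECASE)


def hunt(events):
    """Return (rule, pid, detail) tuples for every event that matches an IOC
    or behaviour from the report. Events must be in creation order so that a
    child's parent image is already known when the child is seen."""
    image_of = {}          # pid -> lower-cased image path
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            image = ev["image"].lower()
            image_of[pid] = image
            if ev.get("sha256") == SAMPLE_SHA256:
                findings.append(("known_sample_hash", pid, image))
            if SERVICE_LAUNCH.search(ev["cmdline"]):
                findings.append(("ammyy_service_launch", pid, ev["cmdline"]))
            # The report shows the sample launching its own image again.
            if image_of.get(ev["ppid"]) == image:
                findings.append(("self_spawn", pid, image))
        elif ev["type"] == "file_create":
            path = ev["path"].lower()
            # Any write into the AMMYY directory is worth a look on its own;
            # a hash match against the report's dropped files is a firm hit.
            if AMMYY_DIR.match(path):
                findings.append(("ammyy_artifact", pid, ev["path"]))
            if ev.get("sha256") and DROPPED_SHA256.get(path) == ev["sha256"]:
                findings.append(("known_dropped_hash", pid, ev["path"]))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe")

# Constructed events mirroring the report. PID 1000 stands in for whatever
# launched the sample, and PID 1152 is assumed to have written the files.
EVENTS = [
    {"type": "process_create", "pid": 4320, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"', "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 2420, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}" -service -lunch', "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 1152, "ppid": 2420, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"', "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 1152, "path": r"C:\ProgramData\AMMYY\hr",
     "sha256": DROPPED_SHA256[r"c:\programdata\ammyy\hr"]},
    # Same path as the report but different content: path hit only, no hash hit.
    {"type": "file_create", "pid": 1152,
     "path": r"C:\ProgramData\AMMYY\settings3.bin", "sha256": "0" * 64},
    {"type": "file_create", "pid": 7, "path": r"C:\Windows\Temp\benign.log"},
]


def rule_counts(events=EVENTS):
    """Number of hits per rule, handy for checking a detection set quickly."""
    counts = {}
    for rule, _, _ in hunt(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding)
```

The path and argument rules are the durable part: the dropped-file hashes will change with the next build, but the `C:\ProgramData\AMMYY\` directory and the `-service -lunch` launch chain come from the Ammyy code base the RAT is built on, so they survive repacking. Treat the `settings3.bin` event above as the typical case, a known path with an unknown hash, and alert on the path rather than waiting for a hash match.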