Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 03:59
Behavioral task
behavioral1
Sample
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
-
Size
704KB
-
MD5
0dcf6b80de9636e9f2d58825842404ee
-
SHA1
56197059d0319560d256b067a90b01131cd44733
-
SHA256
8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe
-
SHA512
91bf4a8336420555d31bbd94c079f56575386c2a9659956def2be780c06ba6eb8b04a447c9109d739b081be0fd37248a077ac6381d05af0b54d393053d25a996
-
SSDEEP
12288:YKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhkg1:YorLkbDEhyW3XS1RtcePKUBATZx81
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Modifies data under HKEY_USERS 6 IoCs
Processes:
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253287a57ad004ab36b 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b9604cbad1e7573879d6e3309b9724d01889fdb733501e95d8d24567bb5e21d622a941182f35a85084b244e0935c9a7b170f2c5300af3c83c84ff336d610fe89af82e8c4c99f9da59793c6 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exepid process 1152 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exepid process 1152 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exedescription pid process target process PID 2420 wrote to memory of 1152 2420 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe PID 2420 wrote to memory of 1152 2420 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe PID 2420 wrote to memory of 1152 2420 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
PID:4320
-
C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe" -service -lunch1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1152
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD58352ac3fd99dfbf88696e82b6a8f9b73
SHA13478e9fae1134bdcb746af6f68003d903ed9c230
SHA2560ae23cb1624774d1a87adab495fbb21a889307bf1e77b7da515fc03bca72a7b2
SHA512d19df87cc0d7da7e690f2b778d410978fc192b595bd64ec8c0b79fdc360154e70dbc9163fe85ac951fdea4a0ab6deb0a1be8522648878bbb63a7451959cc6151
-
Filesize
75B
MD5d7b220d30166d66262abf9b7572b4e6e
SHA11331b52444d8250a0f6d51ca06780d19dbc7fccb
SHA25629db91def7c8ec84dc5a0af97b23986ceeb991b56a7fc9a9335bd36a6a4023e1
SHA512e5fc78a6843962b79c7da1569edaf514d92b9a8757c65d4169b96c6b6c8e6c45fad95052bf782b03d622edfdefbe1d20ffbef827b1790786c9937cae8097028b
-
Filesize
305B
MD5e57a0570fc4baf51499bf05f363705df
SHA141653da3b123392ff4d89ff894a4cc160b80e6e9
SHA256bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75
SHA512aa3b12aaac6427372043cd6ebeb11d9205ce0e1a20258673b8083f776046a2ddedbacdeca9d993a1959a70d074a46352e69f9ec93ca27ecd403a4e7f81002465