Malware Analysis Report

2024-10-16 05:07

Sample ID 241007-3zmwwsshla
Target 1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118
SHA256 c06772a670fe75743120be30722d985d2e98d8af909b60ba7faaeb0ee9867646
Tags
ammyyadmin flawedammyy discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c06772a670fe75743120be30722d985d2e98d8af909b60ba7faaeb0ee9867646

Threat Level: Known bad

The file 1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy discovery trojan

Ammyyadmin family

AmmyyAdmin payload

FlawedAmmyy RAT

Checks computer location settings

Unsigned PE

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 23:57

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 23:57

Reported

2024-10-08 13:09

Platform

win7-20240903-en

Max time kernel

151s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525317e2ddc5ca46b36b | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4f09e0394d5122909f081fd74356f895d1bb8a2e893982c4d0162aa6b71e50b8b36583f8dc54ec2d1ff3f509f99ed9b69fce1735f6392cc5cd8eca2cec35c461e4eca3d212380a9302b954 | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 4d4bc796207936f0d1aec10aff4a6fbe
SHA1 d7539cf53098d65dc66d723493d1c1ed105118cb
SHA256 8f2f80489b99fd3c76f347404d4a926999f9b12a17338c76b2d6e4448d80ca1b
SHA512 5d43f0f0dc1494b7473ba2d08b3b3a33f319be74514624c9dc231a61daea773cba12c3a31f6e28c1320ac773c504994dbc94f0c8db30f46a19452cf8f6ceb785

C:\ProgramData\AMMYY\hr

MD5 4c2a6958a7e6ec16701c19aafc2bbddf
SHA1 94da959c6bc59a242385062e62d87eed1a496f53
SHA256 7eeb81d5e52128860cd5488d03575b128caf5ed291d019fe9609f51c3ece5c01
SHA512 173e94ecb8b068a1609c8d6aa411dbb087d455857c281848245da6216ce55ec74a57f3f682cd6fdd0d353702ac3148b35f8271e29fb30cb1b2ee1514310bf24a

C:\ProgramData\AMMYY\hr3

MD5 c0119bdff99c0467624c6bf3583be44a
SHA1 271fadca08fd6e5317d242d7c9cb743ac99e34d7
SHA256 d756f1136380e302008f35d0213ee42cce3beb269e90800bb35e6e75e25b1276
SHA512 629da60fa468cf9f05b29efa3a872e1279d14a64a21a81002eab209101027e18f90957d6be6e4d529f7477eae4028b93694d5b7375fc88d09b98d728df96f59a

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 23:57

Reported

2024-10-08 13:09

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253d13d6d32cb46b36b | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 416f1b93e581e33045a25477da69f0ae9bf209734ee29249806a271302f97fd4811dbe4481908ef142f133759c91f261439cf9ca15923ecd81d85692f06c501fe3d7edf92a72b19efc4ab3 | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.30.10:443 | g.bing.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.30.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 4d4bc796207936f0d1aec10aff4a6fbe
SHA1 d7539cf53098d65dc66d723493d1c1ed105118cb
SHA256 8f2f80489b99fd3c76f347404d4a926999f9b12a17338c76b2d6e4448d80ca1b
SHA512 5d43f0f0dc1494b7473ba2d08b3b3a33f319be74514624c9dc231a61daea773cba12c3a31f6e28c1320ac773c504994dbc94f0c8db30f46a19452cf8f6ceb785

C:\ProgramData\AMMYY\hr

MD5 f47916c9f550120f1475510e7220ccc4
SHA1 46db0747dfcc057f174a67eb985c72fabfb002de
SHA256 b5632a93219f50c3871d50781541ca3300942114865c806ee24588704099d2d4
SHA512 fe6cb3b88c2037ec8240855519518fea74067b8fb075c184d82fd9c29c8526c4fb1c12f6facda410faa2b89333a74a14f2f2b9004fd870c3a6da0332f12c3487

C:\ProgramData\AMMYY\hr3

MD5 9639c332f6e9165b9d1e5161ff4d6209
SHA1 b45fa6aa92be2b4e38da1554e7d791a7f7a4bbe9
SHA256 13614b28f974dfc88dee7042fba6d7b7081b590673a416c45133059d41983545
SHA512 df28a4329e563635c37d5de3ade00cf3e738718bc3d3922583bb19fb3bf44f791cc04ee57c89aa740170b39c2680f5b02e3bc4af73614e7e6fe4462620f79bad
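The behavioral1 and behavioral2 runs above yield the same small set of reusable indicators: the sample re-executes itself from %TEMP% as "<exe> -service -lunch" (the Ammyy service-mode relaunch, misspelling included), writes its configuration under \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin (hr, hr3), drops settings3.bin, hr and hr3 under C:\ProgramData\AMMYY, and resolves and connects to rl.ammyy.com (188.42.129.148:80). The Python below is an added example and is not part of the sandbox report: it normalizes the kernel-style registry paths the sandbox prints into the HKU\/HKLM\ form most EDR telemetry uses and runs those indicators over constructed, Sysmon-like events. The Event schema, rule names and sample telemetry are this example's own. Two caveats a practitioner should keep in mind: rl.ammyy.com is the relay used by the legitimate Ammyy Admin product that FlawedAmmyy derives from, so the network rules alone also fire on sanctioned Ammyy installs and should be paired with the %TEMP%-relaunch and unsigned-PE rules; and the g.bing.com and in-addr.arpa lookups in the win10 run are OS and sandbox background traffic, deliberately left unmatched here, as is the unnamed 136.243.104.235:443 connection, which the report gives no domain for.

```python
"""Indicator matcher for the FlawedAmmyy / Ammyy Admin sample in this report.
Added example, not part of the sandbox output.  The telemetry is constructed
to resemble Sysmon-style events; the field names (kind, image, cmdline,
target, signed) and rule names are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators lifted from the behavioral1/behavioral2 sections of the report.
AMMYY_REG_PREFIX = r"hku\.default\software\ammyy"   # matches ...\Ammyy and ...\Ammyy\Admin\*
AMMYY_DIR = r"c:\programdata\ammyy"
AMMYY_FILES = {"settings3.bin", "hr", "hr3"}
RELAY_DOMAIN = "rl.ammyy.com"
RELAY_IP = "188.42.129.148"
# Any executable run from the user's %TEMP%, as the sample was.
TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$")


@dataclass
class Event:
    kind: str            # "process" | "registry" | "file" | "dns" | "net"
    image: str = ""      # image path of the acting process
    cmdline: str = ""    # full command line (process events only)
    target: str = ""     # registry path, file path, queried name, or ip:port
    signed: bool = True  # Authenticode status (process events only)


def norm_reg(path):
    """Map the kernel's \\REGISTRY\\USER\\... spelling, as printed by the sandbox,
    onto the lower-cased HKU\\... / HKLM\\... spelling used by most EDR logs."""
    p = path.lower()
    p = re.sub(r"^\\registry\\user\\", r"hku\\", p)
    p = re.sub(r"^\\registry\\machine\\", r"hklm\\", p)
    return p


def match_event(ev):
    """Return the names of the rules a single event triggers (possibly none)."""
    img, tgt = ev.image.lower(), ev.target.lower()
    hits = []
    if ev.kind == "process":
        cl = ev.cmdline.lower()
        from_temp = bool(TEMP_EXE.match(img))
        # Service-mode relaunch "<exe> -service -lunch" is expected from an
        # installed Ammyy binary, not from a file sitting in %TEMP%.
        if from_temp and "-service" in cl and "-lunch" in cl:
            hits.append("ammyy_service_relaunch_from_temp")
        if from_temp and not ev.signed:
            hits.append("unsigned_pe_in_temp")
    elif ev.kind == "registry":
        if norm_reg(ev.target).startswith(AMMYY_REG_PREFIX):
            hits.append("ammyy_config_under_hku_default")
    elif ev.kind == "file":
        head, _, name = tgt.rpartition("\\")
        if head == AMMYY_DIR and name in AMMYY_FILES:
            hits.append("ammyy_programdata_artifact")
    elif ev.kind == "dns" and tgt == RELAY_DOMAIN:
        hits.append("ammyy_relay_dns")
    elif ev.kind == "net" and tgt.rpartition(":")[0] == RELAY_IP:
        hits.append("ammyy_relay_connect")
    return hits


def scan(events):
    """Run every event through match_event and count hits per rule."""
    counts = Counter()
    for ev in events:
        counts.update(match_event(ev))
    return counts


EXE = r"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"

# Constructed telemetry: the first nine events mirror the report, the rest is
# the background noise seen in the win10 run plus an unrelated system process.
SAMPLE_EVENTS = [
    Event("process", EXE, f'"{EXE}"', signed=False),
    Event("process", EXE, f'"{EXE}" -service -lunch', signed=False),
    Event("registry", EXE, target=r"\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr"),
    Event("registry", EXE, target=r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin"),
    Event("registry", EXE, target=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("file", EXE, target=r"C:\ProgramData\AMMYY\settings3.bin"),
    Event("file", EXE, target=r"C:\ProgramData\AMMYY\hr3"),
    Event("dns", EXE, target="rl.ammyy.com"),
    Event("net", EXE, target="188.42.129.148:80"),
    Event("dns", EXE, target="g.bing.com"),
    Event("dns", EXE, target="148.129.42.188.in-addr.arpa"),
    Event("net", EXE, target="136.243.104.235:443"),
    Event("process", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:40s} {n}")
```

On the sample telemetry the scan reports one service relaunch from %TEMP%, two unsigned-PE-in-Temp hits (the initial launch and the relaunch), two Ammyy registry writes, two ProgramData artifacts, and one DNS plus one TCP hit on the relay; the NLS\Language read, the Bing and PTR queries, the unnamed 443 connection and svchost produce nothing.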