Analysis Overview
SHA256
c06772a670fe75743120be30722d985d2e98d8af909b60ba7faaeb0ee9867646
Threat Level: Known bad
The file 1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
AmmyyAdmin payload
FlawedAmmyy RAT
Checks computer location settings
Unsigned PE
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 23:57
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 23:57
Reported
2024-10-08 13:09
Platform
win7-20240903-en
Max time kernel
151s
Max time network
150s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525317e2ddc5ca46b36b | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4f09e0394d5122909f081fd74356f895d1bb8a2e893982c4d0162aa6b71e50b8b36583f8dc54ec2d1ff3f509f99ed9b69fce1735f6392cc5cd8eca2cec35c461e4eca3d212380a9302b954 | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2812 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe |
| PID 2812 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe |
| PID 2812 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe |
| PID 2812 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 4d4bc796207936f0d1aec10aff4a6fbe |
| SHA1 | d7539cf53098d65dc66d723493d1c1ed105118cb |
| SHA256 | 8f2f80489b99fd3c76f347404d4a926999f9b12a17338c76b2d6e4448d80ca1b |
| SHA512 | 5d43f0f0dc1494b7473ba2d08b3b3a33f319be74514624c9dc231a61daea773cba12c3a31f6e28c1320ac773c504994dbc94f0c8db30f46a19452cf8f6ceb785 |
C:\ProgramData\AMMYY\hr
| MD5 | 4c2a6958a7e6ec16701c19aafc2bbddf |
| SHA1 | 94da959c6bc59a242385062e62d87eed1a496f53 |
| SHA256 | 7eeb81d5e52128860cd5488d03575b128caf5ed291d019fe9609f51c3ece5c01 |
| SHA512 | 173e94ecb8b068a1609c8d6aa411dbb087d455857c281848245da6216ce55ec74a57f3f682cd6fdd0d353702ac3148b35f8271e29fb30cb1b2ee1514310bf24a |
C:\ProgramData\AMMYY\hr3
| MD5 | c0119bdff99c0467624c6bf3583be44a |
| SHA1 | 271fadca08fd6e5317d242d7c9cb743ac99e34d7 |
| SHA256 | d756f1136380e302008f35d0213ee42cce3beb269e90800bb35e6e75e25b1276 |
| SHA512 | 629da60fa468cf9f05b29efa3a872e1279d14a64a21a81002eab209101027e18f90957d6be6e4d529f7477eae4028b93694d5b7375fc88d09b98d728df96f59a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 23:57
Reported
2024-10-08 13:09
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
131s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253d13d6d32cb46b36b | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 416f1b93e581e33045a25477da69f0ae9bf209734ee29249806a271302f97fd4811dbe4481908ef142f133759c91f261439cf9ca15923ecd81d85692f06c501fe3d7edf92a72b19efc4ab3 | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2388 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe |
| PID 2388 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe |
| PID 2388 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e874df2ee8682a263ced01f36abc5b5_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.30.10:443 | g.bing.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.30.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 4d4bc796207936f0d1aec10aff4a6fbe |
| SHA1 | d7539cf53098d65dc66d723493d1c1ed105118cb |
| SHA256 | 8f2f80489b99fd3c76f347404d4a926999f9b12a17338c76b2d6e4448d80ca1b |
| SHA512 | 5d43f0f0dc1494b7473ba2d08b3b3a33f319be74514624c9dc231a61daea773cba12c3a31f6e28c1320ac773c504994dbc94f0c8db30f46a19452cf8f6ceb785 |
C:\ProgramData\AMMYY\hr
| MD5 | f47916c9f550120f1475510e7220ccc4 |
| SHA1 | 46db0747dfcc057f174a67eb985c72fabfb002de |
| SHA256 | b5632a93219f50c3871d50781541ca3300942114865c806ee24588704099d2d4 |
| SHA512 | fe6cb3b88c2037ec8240855519518fea74067b8fb075c184d82fd9c29c8526c4fb1c12f6facda410faa2b89333a74a14f2f2b9004fd870c3a6da0332f12c3487 |
C:\ProgramData\AMMYY\hr3
| MD5 | 9639c332f6e9165b9d1e5161ff4d6209 |
| SHA1 | b45fa6aa92be2b4e38da1554e7d791a7f7a4bbe9 |
| SHA256 | 13614b28f974dfc88dee7042fba6d7b7081b590673a416c45133059d41983545 |
| SHA512 | df28a4329e563635c37d5de3ade00cf3e738718bc3d3922583bb19fb3bf44f791cc04ee57c89aa740170b39c2680f5b02e3bc4af73614e7e6fe4462620f79bad |