General
-
Target
2d37ea2c6cf72bd33a80e84f3cd55960_JaffaCakes118
-
Size
894KB
-
Sample
241009-jay33sxhlb
-
MD5
2d37ea2c6cf72bd33a80e84f3cd55960
-
SHA1
f0572065fa9fa03904fd3f85f3e8b8a8dc8986ae
-
SHA256
f4e3e14a56ab60fab5dd044a620af578cf7dd3579a82a7b72e574c87a792e0a5
-
SHA512
6d6cdef13d5bd20d6f387bc130e13c498bb71da01146eb1645e4d0e0125a07f8d0518b9fef9760ac1653343c1c66778268209e055bd598dcb0a88c29d36fb7d9
-
SSDEEP
24576:8NZaOH+kbCr/c4+9hm7r1Rt4MmylZDV6A:8aOHnCbc39hgr53DR
Malware Config
Targets
-
-
Target
2d37ea2c6cf72bd33a80e84f3cd55960_JaffaCakes118
-
Size
894KB
-
MD5
2d37ea2c6cf72bd33a80e84f3cd55960
-
SHA1
f0572065fa9fa03904fd3f85f3e8b8a8dc8986ae
-
SHA256
f4e3e14a56ab60fab5dd044a620af578cf7dd3579a82a7b72e574c87a792e0a5
-
SHA512
6d6cdef13d5bd20d6f387bc130e13c498bb71da01146eb1645e4d0e0125a07f8d0518b9fef9760ac1653343c1c66778268209e055bd598dcb0a88c29d36fb7d9
-
SSDEEP
24576:8NZaOH+kbCr/c4+9hm7r1Rt4MmylZDV6A:8aOHnCbc39hgr53DR
Score10/10-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4