Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 13:08

General

  • Target

    3a2e6d51b199bb631eea59c8cac27902_JaffaCakes118.exe

  • Size

    768KB

  • MD5

    3a2e6d51b199bb631eea59c8cac27902

  • SHA1

    18dc174c9a25f5dcf1777cfeed0e97b5c5f7eb4c

  • SHA256

    bca57f1b02cb2521fbcbb1f36f99dc2e47ec6df6bc88f24ec000b96c0f032592

  • SHA512

    662c75d6964317b8bb7d451a543f3da28e134d22dd558f677c3d357e413e243efe775a6ba562071257d07e8318569bd751d08100f5353b9821ed7d2bccefc6d5

  • SSDEEP

    12288:jXe1Z2fJipMHEgSeA6M7kmchJGvRuORtcE9qTpy+Yg0HkV+UgWRDkj9tyTEAjRc0:ztkmHEgSewkmchJGsORtn9qT8+Yg03ZU

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a2e6d51b199bb631eea59c8cac27902_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a2e6d51b199bb631eea59c8cac27902_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1096
  • C:\Users\Admin\AppData\Local\Temp\3a2e6d51b199bb631eea59c8cac27902_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a2e6d51b199bb631eea59c8cac27902_JaffaCakes118.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\3a2e6d51b199bb631eea59c8cac27902_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3a2e6d51b199bb631eea59c8cac27902_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll

    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

  • C:\ProgramData\AMMYY\aa_nts.log

    Filesize

    4KB

    MD5

    7e31cc9f66e960abee2beeed5a96d108

    SHA1

    1a73fa249b60186d75c1a6239732b5711de1c6f1

    SHA256

    6b6983036aa2d3ebd9ea43317a2f7cb7c175ec0f2b1ebf04fc446cfe8a0b0bd7

    SHA512

    cd7ea5cbc2f4f7f918697e41a97ef1124ed34ec90682c6826e1f6c1c3fa9060d40f2996b1e43735ce99de9c26aae9a367c561666ab0c78a986e4b29a9386b1f2

  • C:\ProgramData\AMMYY\aa_nts.msg

    Filesize

    45B

    MD5

    f5d867c23b8cac17baecc8cd2ac118b9

    SHA1

    ab0da5d10496611ae18f28822c32507aa531dfc4

    SHA256

    52ebeac5f05e8e12afb680e5e291b41a440cc7dbb812fddd075b6f7586c4fd2b

    SHA512

    1a067037fb1a8f6782681902e6dc391e399c5caf3e430bdacc30d2cd36985d4eff72359d676e7799dbac3f2f58f697181934a67af18a366cb58a69e6f56e837d

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    316B

    MD5

    b76abe6342b5f0f93ed93ebe3ecf3d58

    SHA1

    1584113b9bb8f75a2fb2e50f55b9d4aa0da809a5

    SHA256

    0dc6df67d820bc53f90333843bbe182466530f83bd86d9f440a772bf51daf414

    SHA512

    058897103b6bafe76d419deca68ff2e83c09cbd8e5a96063d0f0ca73d23bbe2748cc1fdfac2140af89d5ad0e9637bc2ad9901824eeb0ea2079f99b266ecf51d8

  • memory/2732-21-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/2732-42-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/2732-61-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/2732-77-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/2732-90-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/2732-106-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/2732-123-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/2732-139-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB