Analysis Overview
SHA256
47fc82320114cf2d2536acb931dc4dd8f83237b344b130780752c705af1a0e61
Threat Level: Known bad
The file b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
Flawedammyy family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-29 22:22
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 22:22
Reported
2024-11-29 22:24
Platform
win7-20240903-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525327248917e51db36b | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 335fcaa3bdcd80a9a18f4dcc8e237863b9cdc2556f3512968a3d12613e1064610bedb09442e7f366bfe37e5b17b3cd37407e570627eec590f9e6b4ca013fa9cecd5c90146af90a8ef29210 | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1628 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe |
| PID 1628 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe |
| PID 1628 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe |
| PID 1628 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | c4f363e5d5033a0ba0209333d56c4bff |
| SHA1 | 954dc745edf1e351bc233eebbe5a1c640d6ab92b |
| SHA256 | 47a20a1e931485993579d3fb6f7f7389bcefc99c0354fcd3a76d42e564ab8882 |
| SHA512 | 35c0e50a3854fe5ee87699587ce9d6dac9581f8031ccfad9ecdedc220fdf8378926104c7a3579420d1fd2c0b1d5c651b322d53d27189608ef76c3c54bde3a69f |
C:\ProgramData\AMMYY\hr
| MD5 | 79d9d8ed1e636584bf1bc77b90e6d070 |
| SHA1 | d440fe40c0d8f9815f6a336b7195b73e477f5ca9 |
| SHA256 | 33d637faaaa8dd224251089f8fde5549948430037a365a89c1250ceec7a8c38d |
| SHA512 | b9f9c87ac753d5e8a990116d002efa7f75a387dece0f1286d359348039c307fc43c770e4bc361ac8f1ce047fb9a2861f7aee9d826b520e9ca2746af7a20e15e8 |
C:\ProgramData\AMMYY\hr3
| MD5 | 928aa062b4ef5f6805f93b51a6a111ae |
| SHA1 | d7b19a9c6d109e7e0539f3f9e4847723c363e4f1 |
| SHA256 | 87078723147b0d25f6343e86b0fc30d1c9e219640fb5279214cd94c4b6722681 |
| SHA512 | a904aeac60844e53e914afbbb1494aa1c0009fb71c92ede567f33c99bf980040aea36243fece4fcae3e9fa70781084e785c93a2e688260b56f59b289252b1988 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 22:22
Reported
2024-11-29 22:24
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752535e9c2816e51db36b | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = d88d65561c89acfefb6c0c6d37a039eaf72debdc3cd30d2b196fef60b391126eb5750a679d9117743588d8e87611288ac7136f863c44ca527dda91db6beb384782fb2fcc8ce44eb28e3f5b | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 116 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe |
| PID 116 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe |
| PID 116 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | c4f363e5d5033a0ba0209333d56c4bff |
| SHA1 | 954dc745edf1e351bc233eebbe5a1c640d6ab92b |
| SHA256 | 47a20a1e931485993579d3fb6f7f7389bcefc99c0354fcd3a76d42e564ab8882 |
| SHA512 | 35c0e50a3854fe5ee87699587ce9d6dac9581f8031ccfad9ecdedc220fdf8378926104c7a3579420d1fd2c0b1d5c651b322d53d27189608ef76c3c54bde3a69f |
C:\ProgramData\AMMYY\hr
| MD5 | 2e9cbfc9eabda2e9bf4097ef48d56dc6 |
| SHA1 | 4a5211e761e0f5d14b05fbbb97f066ed84323208 |
| SHA256 | 04450be5d6f755f6c28ef75ba47c7c2c143ecb732167e75827350a46abad37df |
| SHA512 | 237a3c67de3a9cd418f13825f94cef319e837f670dd333f05f3fc30100739f9ff1ee718de9270299a9e48c0c2afe7055b0fbe3a19e9d27b3ac41f5cac920171a |
C:\ProgramData\AMMYY\hr3
| MD5 | 15b00e79c1f7f7b303136c34f000f132 |
| SHA1 | d486a22584754417434a256faf246721a64e9a37 |
| SHA256 | 57abcf31bd6687d79641a21753474dd3170d845fbd99723a45c378a2153e788e |
| SHA512 | b48eecaecd88af33b591527cfe232c8a85476efcd0eb033e2a3671c4c975fb6083b83c90bbc6e543f2a1e0805fe64e87fcaaa1e606afb10d505b1bd48ce39123 |