Malware Analysis Report

2025-01-23 11:51

Sample ID 241129-2aba5ayrez
Target b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118
SHA256 47fc82320114cf2d2536acb931dc4dd8f83237b344b130780752c705af1a0e61
Tags
ammyyadmin flawedammyy discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47fc82320114cf2d2536acb931dc4dd8f83237b344b130780752c705af1a0e61

Threat Level: Known bad

The file b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy discovery trojan

AmmyyAdmin payload

Ammyyadmin family

Flawedammyy family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 22:22

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 22:22

Reported

2024-11-29 22:24

Platform

win7-20240903-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525327248917e51db36b C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 335fcaa3bdcd80a9a18f4dcc8e237863b9cdc2556f3512968a3d12613e1064610bedb09442e7f366bfe37e5b17b3cd37407e570627eec590f9e6b4ca013fa9cecd5c90146af90a8ef29210 C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 c4f363e5d5033a0ba0209333d56c4bff
SHA1 954dc745edf1e351bc233eebbe5a1c640d6ab92b
SHA256 47a20a1e931485993579d3fb6f7f7389bcefc99c0354fcd3a76d42e564ab8882
SHA512 35c0e50a3854fe5ee87699587ce9d6dac9581f8031ccfad9ecdedc220fdf8378926104c7a3579420d1fd2c0b1d5c651b322d53d27189608ef76c3c54bde3a69f

C:\ProgramData\AMMYY\hr

MD5 79d9d8ed1e636584bf1bc77b90e6d070
SHA1 d440fe40c0d8f9815f6a336b7195b73e477f5ca9
SHA256 33d637faaaa8dd224251089f8fde5549948430037a365a89c1250ceec7a8c38d
SHA512 b9f9c87ac753d5e8a990116d002efa7f75a387dece0f1286d359348039c307fc43c770e4bc361ac8f1ce047fb9a2861f7aee9d826b520e9ca2746af7a20e15e8

C:\ProgramData\AMMYY\hr3

MD5 928aa062b4ef5f6805f93b51a6a111ae
SHA1 d7b19a9c6d109e7e0539f3f9e4847723c363e4f1
SHA256 87078723147b0d25f6343e86b0fc30d1c9e219640fb5279214cd94c4b6722681
SHA512 a904aeac60844e53e914afbbb1494aa1c0009fb71c92ede567f33c99bf980040aea36243fece4fcae3e9fa70781084e785c93a2e688260b56f59b289252b1988

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 22:22

Reported

2024-11-29 22:24

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752535e9c2816e51db36b C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = d88d65561c89acfefb6c0c6d37a039eaf72debdc3cd30d2b196fef60b391126eb5750a679d9117743588d8e87611288ac7136f863c44ca527dda91db6beb384782fb2fcc8ce44eb28e3f5b C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3cd481ab5d2cba65b0318df5a6ed582_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 c4f363e5d5033a0ba0209333d56c4bff
SHA1 954dc745edf1e351bc233eebbe5a1c640d6ab92b
SHA256 47a20a1e931485993579d3fb6f7f7389bcefc99c0354fcd3a76d42e564ab8882
SHA512 35c0e50a3854fe5ee87699587ce9d6dac9581f8031ccfad9ecdedc220fdf8378926104c7a3579420d1fd2c0b1d5c651b322d53d27189608ef76c3c54bde3a69f

C:\ProgramData\AMMYY\hr

MD5 2e9cbfc9eabda2e9bf4097ef48d56dc6
SHA1 4a5211e761e0f5d14b05fbbb97f066ed84323208
SHA256 04450be5d6f755f6c28ef75ba47c7c2c143ecb732167e75827350a46abad37df
SHA512 237a3c67de3a9cd418f13825f94cef319e837f670dd333f05f3fc30100739f9ff1ee718de9270299a9e48c0c2afe7055b0fbe3a19e9d27b3ac41f5cac920171a

C:\ProgramData\AMMYY\hr3

MD5 15b00e79c1f7f7b303136c34f000f132
SHA1 d486a22584754417434a256faf246721a64e9a37
SHA256 57abcf31bd6687d79641a21753474dd3170d845fbd99723a45c378a2153e788e
SHA512 b48eecaecd88af33b591527cfe232c8a85476efcd0eb033e2a3671c4c975fb6083b83c90bbc6e543f2a1e0805fe64e87fcaaa1e606afb10d505b1bd48ce39123