Malware Analysis Report

2025-01-23 11:45

Sample ID: 241202-xqpq8stlbr
Target: b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118
SHA256: 8d6878dd7a05b9402efa6824ea82613fa6785187ec878823a387adabc2cd6965
Tags: ammyyadmin flawedammyy discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 8d6878dd7a05b9402efa6824ea82613fa6785187ec878823a387adabc2cd6965

Threat Level: Known bad

The file b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: ammyyadmin flawedammyy discovery trojan

Ammyyadmin family

AmmyyAdmin payload

Flawedammyy family

FlawedAmmyy RAT

Checks computer location settings

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-12-02 19:03

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

Tags: ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-02 19:03
Reported: 2024-12-02 19:06
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

Tags: trojan flawedammyy

Flawedammyy family

Tags: flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525337271bd8a41bb36b | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14db2a47616f08270fe4e978859d3848023f2c343f8e97bcbb34cbd8efca2e277b8156c977112400f27d764dc5da10beec003bbe4581d59873ca4e8a59e9cbcc83547b31c121b00c1fd2ae | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"

Image: C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe" -service -lunch

Image: C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5: 097a18ed7b31114c7ef39ef06eff02f0
SHA1: 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1
SHA256: 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812
SHA512: 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

C:\ProgramData\AMMYY\hr

MD5: 94a0da3bb03a282e67743765f220ec06
SHA1: 0486d4a5b704e88fa5f9fc1981eb561bf60490ee
SHA256: 227d69ceb461b7c1d06d7ce45e1e3817c4800db9d9820a1f49c42b32e37ff92e
SHA512: 4f7e5069c27507976731640eec444d6872a4c1738d34dd37c884e581a7c89af9bf827c850277cb3d60c0707251297f1328e1c919e54b3ff23d6c38f1fd994945

C:\ProgramData\AMMYY\hr3

MD5: 2716b8c76ba47cd2d61d5e7f1a7359d9
SHA1: c7f0ebd9f27f2e0d844fcfd63df43167c16eefdb
SHA256: b9e15e5ecb920f8319c37e5bc5350b9e005222eb5d125844740588c97acf25f7
SHA512: 80f3a48d7284a6a6d1c4d67d6b924e7ada9361a8eb7d2f660740ba563403078885d2d4037c6b4509936e247fc8de812125e6e72c299f801d6718b8c4328590a8

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-02 19:03
Reported: 2024-12-02 19:06
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"

Signatures

FlawedAmmyy RAT

Tags: trojan flawedammyy

Flawedammyy family

Tags: flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752532604add8a41bb36b | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 30a00d49556e97c8a0cd9fbcfe8861f913ff8e6f1ef4bf532468b4976104d0f1e8ab95c4d4131239d293a9fadf371884909b9242cc3a2c0aae3ecd3bb409b35eab387dd75b7c57c552bd91 | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"

Image: C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe" -service -lunch

Image: C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 184.154.216.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5: 097a18ed7b31114c7ef39ef06eff02f0
SHA1: 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1
SHA256: 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812
SHA512: 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

C:\ProgramData\AMMYY\hr

MD5: 1a7916c00d109cf550fc6211628b8e69
SHA1: 18f8befce1069936b964a90f607c0fae42eb2014
SHA256: b664e0680deb51ff7bd24ea6a37fe8ca61a5f28eabebe94f425b74aca7ba3d23
SHA512: 1cb36515e69b95dd1d928c56e1e58a96c9db57dd31147fa1a33bf4c62bff40b2f1d6659ba1cd11194c17b51698c567c1a178729b9264692b3ed393272a6b5dca

C:\ProgramData\AMMYY\hr3

MD5: f95eb921bf7444b31e217bdefbccaecb
SHA1: 21ebed7343840b278666b2b226236bc19b9074af
SHA256: b9f138ced554e9e1df438b685fad56df7a370ac6b428b4d945d361d2b4b4b34d
SHA512: 40682904f5e74bde50d7f488b741a1dc4f76b78de2523a58c7a71d28e0cbf97b7bcc1d17a2734fe6c155e30094f077486b8f987252e43cfd3770bffc0969b3d4