Analysis Overview
SHA256
8d6878dd7a05b9402efa6824ea82613fa6785187ec878823a387adabc2cd6965
Threat Level: Known bad
The file b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
AmmyyAdmin payload
Flawedammyy family
FlawedAmmyy RAT
Checks computer location settings
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-02 19:03
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-02 19:03
Reported
2024-12-02 19:06
Platform
win7-20240903-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525337271bd8a41bb36b | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14db2a47616f08270fe4e978859d3848023f2c343f8e97bcbb34cbd8efca2e277b8156c977112400f27d764dc5da10beec003bbe4581d59873ca4e8a59e9cbcc83547b31c121b00c1fd2ae | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2396 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe |
| PID 2396 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe |
| PID 2396 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe |
| PID 2396 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 097a18ed7b31114c7ef39ef06eff02f0 |
| SHA1 | 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1 |
| SHA256 | 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812 |
| SHA512 | 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96 |
C:\ProgramData\AMMYY\hr
| MD5 | 94a0da3bb03a282e67743765f220ec06 |
| SHA1 | 0486d4a5b704e88fa5f9fc1981eb561bf60490ee |
| SHA256 | 227d69ceb461b7c1d06d7ce45e1e3817c4800db9d9820a1f49c42b32e37ff92e |
| SHA512 | 4f7e5069c27507976731640eec444d6872a4c1738d34dd37c884e581a7c89af9bf827c850277cb3d60c0707251297f1328e1c919e54b3ff23d6c38f1fd994945 |
C:\ProgramData\AMMYY\hr3
| MD5 | 2716b8c76ba47cd2d61d5e7f1a7359d9 |
| SHA1 | c7f0ebd9f27f2e0d844fcfd63df43167c16eefdb |
| SHA256 | b9e15e5ecb920f8319c37e5bc5350b9e005222eb5d125844740588c97acf25f7 |
| SHA512 | 80f3a48d7284a6a6d1c4d67d6b924e7ada9361a8eb7d2f660740ba563403078885d2d4037c6b4509936e247fc8de812125e6e72c299f801d6718b8c4328590a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-02 19:03
Reported
2024-12-02 19:06
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752532604add8a41bb36b | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 30a00d49556e97c8a0cd9fbcfe8861f913ff8e6f1ef4bf532468b4976104d0f1e8ab95c4d4131239d293a9fadf371884909b9242cc3a2c0aae3ecd3bb409b35eab387dd75b7c57c552bd91 | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4620 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe |
| PID 4620 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe |
| PID 4620 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.154.216.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 097a18ed7b31114c7ef39ef06eff02f0 |
| SHA1 | 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1 |
| SHA256 | 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812 |
| SHA512 | 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96 |
C:\ProgramData\AMMYY\hr
| MD5 | 1a7916c00d109cf550fc6211628b8e69 |
| SHA1 | 18f8befce1069936b964a90f607c0fae42eb2014 |
| SHA256 | b664e0680deb51ff7bd24ea6a37fe8ca61a5f28eabebe94f425b74aca7ba3d23 |
| SHA512 | 1cb36515e69b95dd1d928c56e1e58a96c9db57dd31147fa1a33bf4c62bff40b2f1d6659ba1cd11194c17b51698c567c1a178729b9264692b3ed393272a6b5dca |
C:\ProgramData\AMMYY\hr3
| MD5 | f95eb921bf7444b31e217bdefbccaecb |
| SHA1 | 21ebed7343840b278666b2b226236bc19b9074af |
| SHA256 | b9f138ced554e9e1df438b685fad56df7a370ac6b428b4d945d361d2b4b4b34d |
| SHA512 | 40682904f5e74bde50d7f488b741a1dc4f76b78de2523a58c7a71d28e0cbf97b7bcc1d17a2734fe6c155e30094f077486b8f987252e43cfd3770bffc0969b3d4 |