Malware Analysis Report

2025-01-23 11:46

Sample ID 241215-n8p1aatkgx
Target f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118
SHA256 5512c8b42e96b051ad12fbab36689d10860d807f258a6bc1c77b4b110db5bb8e
Tags
upx ammyyadmin flawedammyy discovery rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5512c8b42e96b051ad12fbab36689d10860d807f258a6bc1c77b4b110db5bb8e

Threat Level: Known bad

The file f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx ammyyadmin flawedammyy discovery rat trojan

AmmyyAdmin payload

FlawedAmmyy RAT

Ammyy Admin

Ammyyadmin family

Flawedammyy family

Checks computer location settings

Drops file in System32 directory

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Modifies system certificate store

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-15 12:04

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-15 12:04

Reported

2024-12-15 12:06

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{938E8C25-2583-4F91-A636-4D8D208AB044}\WpadDecisionTime = 60caeb79e94edb01 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-96-df-d6-e6-fd\WpadDecisionTime = 60caeb79e94edb01 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-96-df-d6-e6-fd\WpadDecision = "0" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{938E8C25-2583-4F91-A636-4D8D208AB044} C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{938E8C25-2583-4F91-A636-4D8D208AB044}\WpadNetworkName = "Network 3" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-96-df-d6-e6-fd C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{938E8C25-2583-4F91-A636-4D8D208AB044}\WpadDecisionReason = "1" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{938E8C25-2583-4F91-A636-4D8D208AB044}\WpadDecision = "0" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 184.50.112.234:80 r11.o.lencr.org tcp

Files

memory/2828-0-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3064-3-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.log

MD5 c4a69303c2fac4209b7a7d38db75711f
SHA1 31abf3aa0e81b85977acbdfeeebbe861dae4f8da
SHA256 4a0e95105aa7234922fd93abc61131121665222bdc4d7e86a7fd01722522a3b6
SHA512 2858a3dec4395b69b8b1d43a7ee16511e2c6128789ef70e0774c56488eaed65cff7aa4e05526e2b6e70e926ff782c12dfb3362e208775514576f20d0c6a2eaa0

C:\ProgramData\AMMYY\settings.bin

MD5 090bba5cbe9cd62189310f633f14d686
SHA1 0ce1d78aace04650b0c592665686a89412c1771c
SHA256 7bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8
SHA512 846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7

memory/2740-7-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3064-9-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2828-10-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2740-21-0x0000000000400000-0x0000000000497000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-15 12:04

Reported

2024-12-15 12:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.22.144.149:80 r11.o.lencr.org tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 64.179.15.23.in-addr.arpa udp

Files

memory/3744-0-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3608-4-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f3ea0b41143e7afc6221f42f2503653c_JaffaCakes118.log

MD5 5fad1c15df96b22438cfa772f2efe9aa
SHA1 da4133747737d41bc82fca37a372cca2c3419c13
SHA256 c1820c2b5aa0f08f56db54a99c21bf9c91093c5e17c208daf0c8522822b795ad
SHA512 751fa0016d5d25e566921a005c3744189410508b594f001918f853f14de35e80f658f775d0661e48a9ba5ef711b053fd2b3042ed39fdcd1cc2051d6ad94954a5

C:\ProgramData\AMMYY\settings.bin

MD5 090bba5cbe9cd62189310f633f14d686
SHA1 0ce1d78aace04650b0c592665686a89412c1771c
SHA256 7bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8
SHA512 846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7

memory/3744-5-0x0000000000400000-0x0000000000497000-memory.dmp

memory/212-19-0x0000000000400000-0x0000000000497000-memory.dmp