ammyyadmin | 04dfc2d7d62ce65e75eef08074e860200c815d2f0ca59be184936e56a5a8a228

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe
Size

2.6MB
MD5

5d2137ab7f4b088bcd12b404fc729a65
SHA1

1ea77258a21abcacd4bf2532a5cac053d44f9bf3
SHA256

04dfc2d7d62ce65e75eef08074e860200c815d2f0ca59be184936e56a5a8a228
SHA512

6fc608e172d54c3f433190751bce0774cf43ec2d66b1e21a8a5399b25b0535200343792fae062edb4e65e9e79c2b7e27e1d3c367c748cb4bf6486370e2fc8d12
SSDEEP

49152:pyyFFmHLyvVbZWgDDdhV6BcRa5g8BtXxA8D2A79zcOPMrGisNSF+CW:pyyFEHLsVdDDxY5g8/3D2A79zcoUGiE

Score

10^/10

ammyyadmin flawedammyy defense_evasion discovery persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d7e-16.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	AA_v3.exe

Executes dropped EXE 5 IoCs

pid	Process
2724	Install.exe
2868	AA_v3.exe
2660	AA_v3.exe
2528	AA_v3.exe
2544	FCE.exe

Loads dropped DLL 3 IoCs

pid	Process
2660	AA_v3.exe
2724	Install.exe
2544	FCE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FCE Start = "C:\\Windows\\SysWOW64\\YRFREX\\FCE.exe"	FCE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YRFREX\FCE.004	Install.exe
File created	C:\Windows\SysWOW64\YRFREX\FCE.001	Install.exe
File created	C:\Windows\SysWOW64\YRFREX\FCE.002	Install.exe
File created	C:\Windows\SysWOW64\YRFREX\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\YRFREX\	FCE.exe
File created	C:\Windows\SysWOW64\YRFREX\FCE.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FCE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	AA_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525377ab62763fceb36b	AA_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bb0b175206bb5c00a9aa133b8b8655eee04c749d0a781c41dbc344412dbeff8135c8e47258729178a94ad47ef2b0815c9d361905e354511b2ea25a35267dc3324ebb1513bf5a77198ef162	AA_v3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	FCE.exe
2544	FCE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2544	FCE.exe
Token: SeIncBasePriorityPrivilege	2544	FCE.exe
Token: SeIncBasePriorityPrivilege	2544	FCE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2528	AA_v3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2528	AA_v3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2544	FCE.exe
2544	FCE.exe
2544	FCE.exe
2544	FCE.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2724	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	30
PID 3004 wrote to memory of 2724	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	30
PID 3004 wrote to memory of 2724	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	30
PID 3004 wrote to memory of 2724	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	30
PID 3004 wrote to memory of 2724	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	30
PID 3004 wrote to memory of 2724	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	30
PID 3004 wrote to memory of 2724	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	30
PID 3004 wrote to memory of 2868	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	31
PID 3004 wrote to memory of 2868	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	31
PID 3004 wrote to memory of 2868	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	31
PID 3004 wrote to memory of 2868	3004	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	31
PID 2660 wrote to memory of 2528	2660	AA_v3.exe	33
PID 2660 wrote to memory of 2528	2660	AA_v3.exe	33
PID 2660 wrote to memory of 2528	2660	AA_v3.exe	33
PID 2660 wrote to memory of 2528	2660	AA_v3.exe	33
PID 2724 wrote to memory of 2544	2724	Install.exe	34
PID 2724 wrote to memory of 2544	2724	Install.exe	34
PID 2724 wrote to memory of 2544	2724	Install.exe	34
PID 2724 wrote to memory of 2544	2724	Install.exe	34
PID 2544 wrote to memory of 1424	2544	FCE.exe	36
PID 2544 wrote to memory of 1424	2544	FCE.exe	36
PID 2544 wrote to memory of 1424	2544	FCE.exe	36
PID 2544 wrote to memory of 1424	2544	FCE.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\YRFREX\FCE.exe
    "C:\Windows\system32\YRFREX\FCE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\YRFREX\FCE.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1424
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2868

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
2ba7ce2a2ca7b230191ac902f635efbb

SHA1
f5f58e0238122e724df7de18896a21c72d1f150d

SHA256
b5925aacdaf8f091ef0ed1414bba4826aa3ba7fdf26b6d0f88b87646fb4937e1

SHA512
c9f6190bf3bfead4ca8e5ab017072eea78ab7e2e72304d1283e1f5a0f80a5724fafa49b47c4e48c2b5fc78bdcd3a8b9c4750407f4cd9b75ea767acb8b70a6edb

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
2f177f82c8e2e31e1b59166e0d55392f

SHA1
e4d54d15d6acb93ccaa55552bb7aefbba6ac95bd

SHA256
9235345b1dc0e83ce67d30b4a0e5890ff49e8acd91e4e1d7ebbf55a0e54652b9

SHA512
645241e5c02a9e75fab15d1b6a43b5ee0f0fa066442c036634e42ac71ae6fb9faf448576ceb8271327a3c482ef6b60757605dbc2d6390841abdfd59abf6aae1c

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

Filesize
701KB

MD5
18e6fbf3a7799ead04694742028458de

SHA1
cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5

SHA256
60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa

SHA512
48ad9211e79b1e3f35b191a06d1f19f4c32291c598b21f117c8d6f90bd1ca18ab134d35c726405ab63a233c180e708ea23db2a436f052d763457aed476fb2a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.9MB

MD5
79444aff79574a760d6f9cde688e3f2c

SHA1
b5af8b39f532e38aa664e6d960cbf4985964991d

SHA256
42eb2018830687708455300456181f48dc4d94d3deb5e923f4bca927aecf8619

SHA512
b79121f60ce67e7e1f2f10a7e77a1e14b338c60ff498a04b194d875401a17ae1feee292529af2acdad4ed0e45c8db1a70897b4af062511bde93b23ce53d69b9a

Download Submit
C:\Windows\SysWOW64\YRFREX\AKV.exe

Filesize
512KB

MD5
b0f608e0e4bb8facdb203bc09c1bfe8e

SHA1
66dd80ae6ba12d4e53fa5141636181094a43f843

SHA256
ebff4f3f37c2fb45e46b0510396ba8b9e5d37261e2969c8097af64d3011b2da3

SHA512
a5bcbe99784802d37c7d46cd15f361d95a9462b0775f577027faf13dcd876ca0c4762f34278b22812c8cc9ea77c8286dc0a1e3694ca553cccb94a5f1c5115644

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.001

Filesize
78KB

MD5
1b5cf87fb26a702dc4d8e27ee488bfa1

SHA1
2b610b35e67d0622e36d148c3dc0663ac5e70771

SHA256
c03b50588a2ada88110f2da1b5a77f0e1285bb3b8ea3bd285084866752cbd1f0

SHA512
1711f1ba778b6d4e323ab9068ce7bc36adaca779f9946aa0bb25387be2d41abc2adab1791ab7d4ab2091373fd164b7bae3f76b4bb59117e12ef644c8552d9494

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.002

Filesize
55KB

MD5
14147d1def3a5914f42f6db4d1b442f3

SHA1
7d77f12b6461ce619f718814afdfdfd2965c6279

SHA256
c207b179e7d41aca65a4d07bf2fa073dfa1827131fcf54d260df95466e23bf2d

SHA512
a13128896187b57def7403437f1a50ceb984566e406e8b97b1139eb5b5536ffc079f0e860310d8b02d6cdde0e1178a5a60a2267762f3a92425cc6364f88ed00e

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.004

Filesize
1KB

MD5
fc6b9892c761428c755d4ecad3942995

SHA1
d510988fe34d4a5a91de8beab4305da542d5eb7b

SHA256
f262738ab9a37a953ef9fa07c763484230db77e4d3de7f83a2b64d9690e52479

SHA512
43dc7d71a371fe81cfaca929774a83bdcf5ed5d59e4f974a7aee82d70894739e31de83581373b944d8572ffec7fd7112041249f69a256ba63e081910e2703d9e

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.exe

Filesize
1.7MB

MD5
7f9e58f1df8721ed17066d08a769c73a

SHA1
6a7e40c5e6f4901b54692ea17a7baf1cdc578104

SHA256
6a489d019efc8cb791e9c6999fe1ceb4d0d79f0926dca9e138ceb26c52e237d6

SHA512
a47c71aa4aa136ef1167dcc76ab6b72139461b5bb117ec421f2d2078240518b114cf19c1ebd48504655a948d372fba00bbc9e9a126b1f23120148e51beb99082

Download Submit
memory/2544-45-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/2724-24-0x0000000001010000-0x00000000011FB000-memory.dmp

Filesize
1.9MB

Download
memory/2724-22-0x0000000001010000-0x00000000011FB000-memory.dmp

Filesize
1.9MB

Download
memory/2724-11-0x0000000001011000-0x0000000001012000-memory.dmp

Filesize
4KB

Download
memory/2724-36-0x0000000001010000-0x00000000011FB000-memory.dmp

Filesize
1.9MB

Download
memory/3004-3-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-25-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-0-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/3004-2-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-1-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download