ammyyadmin | 04dfc2d7d62ce65e75eef08074e860200c815d2f0ca59be184936e56a5a8a228

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe
Size

2.6MB
MD5

5d2137ab7f4b088bcd12b404fc729a65
SHA1

1ea77258a21abcacd4bf2532a5cac053d44f9bf3
SHA256

04dfc2d7d62ce65e75eef08074e860200c815d2f0ca59be184936e56a5a8a228
SHA512

6fc608e172d54c3f433190751bce0774cf43ec2d66b1e21a8a5399b25b0535200343792fae062edb4e65e9e79c2b7e27e1d3c367c748cb4bf6486370e2fc8d12
SSDEEP

49152:pyyFFmHLyvVbZWgDDdhV6BcRa5g8BtXxA8D2A79zcOPMrGisNSF+CW:pyyFEHLsVdDDxY5g8/3D2A79zcoUGiE

Score

10^/10

ammyyadmin flawedammyy defense_evasion discovery persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c1e-19.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	AA_v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	FCE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 5 IoCs

pid	Process
1860	Install.exe
3052	AA_v3.exe
1236	AA_v3.exe
2000	AA_v3.exe
2204	FCE.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	FCE.exe
2204	FCE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FCE Start = "C:\\Windows\\SysWOW64\\YRFREX\\FCE.exe"	FCE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YRFREX\FCE.002	Install.exe
File created	C:\Windows\SysWOW64\YRFREX\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\YRFREX\	FCE.exe
File created	C:\Windows\SysWOW64\YRFREX\FCE.exe	Install.exe
File created	C:\Windows\SysWOW64\YRFREX\FCE.004	Install.exe
File created	C:\Windows\SysWOW64\YRFREX\FCE.001	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FCE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253a50783763fceb36b	AA_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = e0d8583f447e86fcdf693e9188d93b1f401d91d70571d181f9f5c88a12bcc6f5f2b0ef7e303d51a1d4e09c79ad4b909b68832120ce82d55ca0201a1a8bc2fbfb58d5f340a4240adbe3c0d5	AA_v3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	FCE.exe
2204	FCE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2204	FCE.exe
Token: SeIncBasePriorityPrivilege	2204	FCE.exe
Token: SeIncBasePriorityPrivilege	2204	FCE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2000	AA_v3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2000	AA_v3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2204	FCE.exe
2204	FCE.exe
2204	FCE.exe
2204	FCE.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1860	3720	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	88
PID 3720 wrote to memory of 1860	3720	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	88
PID 3720 wrote to memory of 1860	3720	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	88
PID 3720 wrote to memory of 3052	3720	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	89
PID 3720 wrote to memory of 3052	3720	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	89
PID 3720 wrote to memory of 3052	3720	JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe	89
PID 1236 wrote to memory of 2000	1236	AA_v3.exe	91
PID 1236 wrote to memory of 2000	1236	AA_v3.exe	91
PID 1236 wrote to memory of 2000	1236	AA_v3.exe	91
PID 1860 wrote to memory of 2204	1860	Install.exe	92
PID 1860 wrote to memory of 2204	1860	Install.exe	92
PID 1860 wrote to memory of 2204	1860	Install.exe	92
PID 2204 wrote to memory of 2140	2204	FCE.exe	115
PID 2204 wrote to memory of 2140	2204	FCE.exe	115
PID 2204 wrote to memory of 2140	2204	FCE.exe	115

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d2137ab7f4b088bcd12b404fc729a65.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\YRFREX\FCE.exe
    "C:\Windows\system32\YRFREX\FCE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\YRFREX\FCE.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3052

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
ebb9e8c737c9d851360667c7b4214f50

SHA1
73d074bf851899869c836104267389708db6296c

SHA256
9ee998252ab9e8ca74aa109ee20d66828ae1fd29377c0fab030b65c64f0736d8

SHA512
f5f884a0ef42b1c0a909bf98d9f995d000862598c2d62e423279438e1e500a965d7bba05d9b36253ec175f9b247bd1faf382d4d09755f7b8012765760c756079

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
67ea1d18a52df291b321e6ad8ea0728f

SHA1
2b82bded809868323c9a6160a0200b11a69c93df

SHA256
d0c4993c41104c1df53a7246561229bbd1b7d1180f0fe8e917c4f10643b9e373

SHA512
e0e5740a2c5befd5509e0725177b4632109edcfcfb9f466b9c746b1f6f14feb8a8d9f9adf4ffaa5bc8e2b16e29d4ac1ffb3b3a45cec015ade8f388b5c9c5bc70

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

Filesize
701KB

MD5
18e6fbf3a7799ead04694742028458de

SHA1
cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5

SHA256
60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa

SHA512
48ad9211e79b1e3f35b191a06d1f19f4c32291c598b21f117c8d6f90bd1ca18ab134d35c726405ab63a233c180e708ea23db2a436f052d763457aed476fb2a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.9MB

MD5
79444aff79574a760d6f9cde688e3f2c

SHA1
b5af8b39f532e38aa664e6d960cbf4985964991d

SHA256
42eb2018830687708455300456181f48dc4d94d3deb5e923f4bca927aecf8619

SHA512
b79121f60ce67e7e1f2f10a7e77a1e14b338c60ff498a04b194d875401a17ae1feee292529af2acdad4ed0e45c8db1a70897b4af062511bde93b23ce53d69b9a

Download Submit
C:\Windows\SysWOW64\YRFREX\AKV.exe

Filesize
512KB

MD5
b0f608e0e4bb8facdb203bc09c1bfe8e

SHA1
66dd80ae6ba12d4e53fa5141636181094a43f843

SHA256
ebff4f3f37c2fb45e46b0510396ba8b9e5d37261e2969c8097af64d3011b2da3

SHA512
a5bcbe99784802d37c7d46cd15f361d95a9462b0775f577027faf13dcd876ca0c4762f34278b22812c8cc9ea77c8286dc0a1e3694ca553cccb94a5f1c5115644

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.001

Filesize
78KB

MD5
1b5cf87fb26a702dc4d8e27ee488bfa1

SHA1
2b610b35e67d0622e36d148c3dc0663ac5e70771

SHA256
c03b50588a2ada88110f2da1b5a77f0e1285bb3b8ea3bd285084866752cbd1f0

SHA512
1711f1ba778b6d4e323ab9068ce7bc36adaca779f9946aa0bb25387be2d41abc2adab1791ab7d4ab2091373fd164b7bae3f76b4bb59117e12ef644c8552d9494

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.002

Filesize
55KB

MD5
14147d1def3a5914f42f6db4d1b442f3

SHA1
7d77f12b6461ce619f718814afdfdfd2965c6279

SHA256
c207b179e7d41aca65a4d07bf2fa073dfa1827131fcf54d260df95466e23bf2d

SHA512
a13128896187b57def7403437f1a50ceb984566e406e8b97b1139eb5b5536ffc079f0e860310d8b02d6cdde0e1178a5a60a2267762f3a92425cc6364f88ed00e

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.004

Filesize
1KB

MD5
fc6b9892c761428c755d4ecad3942995

SHA1
d510988fe34d4a5a91de8beab4305da542d5eb7b

SHA256
f262738ab9a37a953ef9fa07c763484230db77e4d3de7f83a2b64d9690e52479

SHA512
43dc7d71a371fe81cfaca929774a83bdcf5ed5d59e4f974a7aee82d70894739e31de83581373b944d8572ffec7fd7112041249f69a256ba63e081910e2703d9e

Download Submit
C:\Windows\SysWOW64\YRFREX\FCE.exe

Filesize
1.7MB

MD5
7f9e58f1df8721ed17066d08a769c73a

SHA1
6a7e40c5e6f4901b54692ea17a7baf1cdc578104

SHA256
6a489d019efc8cb791e9c6999fe1ceb4d0d79f0926dca9e138ceb26c52e237d6

SHA512
a47c71aa4aa136ef1167dcc76ab6b72139461b5bb117ec421f2d2078240518b114cf19c1ebd48504655a948d372fba00bbc9e9a126b1f23120148e51beb99082

Download Submit
memory/1860-49-0x0000000000E50000-0x000000000103B000-memory.dmp

Filesize
1.9MB

Download
memory/1860-29-0x0000000000E50000-0x000000000103B000-memory.dmp

Filesize
1.9MB

Download
memory/1860-28-0x0000000000E51000-0x0000000000E52000-memory.dmp

Filesize
4KB

Download
memory/2204-56-0x00000000009C0000-0x00000000009D8000-memory.dmp

Filesize
96KB

Download
memory/3720-30-0x00007FFD70340000-0x00007FFD70CE1000-memory.dmp

Filesize
9.6MB

Download
memory/3720-7-0x000000001C8D0000-0x000000001C91C000-memory.dmp

Filesize
304KB

Download
memory/3720-0-0x00007FFD705F5000-0x00007FFD705F6000-memory.dmp

Filesize
4KB

Download
memory/3720-6-0x000000001BC70000-0x000000001BC78000-memory.dmp

Filesize
32KB

Download
memory/3720-5-0x00007FFD70340000-0x00007FFD70CE1000-memory.dmp

Filesize
9.6MB

Download
memory/3720-4-0x000000001C770000-0x000000001C80C000-memory.dmp

Filesize
624KB

Download
memory/3720-3-0x000000001C150000-0x000000001C61E000-memory.dmp

Filesize
4.8MB

Download
memory/3720-2-0x00007FFD70340000-0x00007FFD70CE1000-memory.dmp

Filesize
9.6MB

Download
memory/3720-1-0x000000001BBC0000-0x000000001BC66000-memory.dmp

Filesize
664KB

Download