ammyyadmin | 23aed4c0d4a9fbe7a448bd67cb0bf2b00fd8e7a6d07065d122d210ddb9a59579

General

Target

JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Size

322KB
MD5

8bc6564e0b71b72620a05107bd944932
SHA1

822d1dd4ff04afc8fd08081ac3f837bed3b51405
SHA256

23aed4c0d4a9fbe7a448bd67cb0bf2b00fd8e7a6d07065d122d210ddb9a59579
SHA512

3a3b1dc823464dfd7ea75fcf338af78d1754214ce069f5ab9ab0e38a55655d55405d287a0880ed61809896f963b1687c227c3e149b1f97d8e4adfe515a39267a
SSDEEP

6144:lstGihDu2vLdLuzYk7D0EJJd6VjxIa65yPR4FV6ljQYxYLhBQTpNOas8w8plH:lsMihDu2vGj7eIa6GQ8GYxY1BXaPr/

Score

10^/10

ammyyadmin flawedammyy discovery rat trojan upx

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 3 IoCs

resource	yara_rule
behavioral1/memory/2116-6-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin
behavioral1/memory/2600-10-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin
behavioral1/memory/2216-16-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2600-0-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2116-4-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2116-6-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2600-10-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2216-16-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 340766af637172c67dd6e3309b9724d01889fdb733501e95d8d24567bb5e21d622a941182f35a85084b244e0935c9a7b170f2c53247900bd3419c095446217407766ec0e4c444cdc6d04f4	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253674a38b498ffb36b	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2216	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2216	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2216	2116	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe	31
PID 2116 wrote to memory of 2216	2116	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe	31
PID 2116 wrote to memory of 2216	2116	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe	31
PID 2116 wrote to memory of 2216	2116	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2600

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
83026aebccb2dd719ec8a5893b8e2c2c

SHA1
ca8ef2ac30f533d0b2fc0e90d14e1d695bbef588

SHA256
787d30e5c97e31d1317d91765912f2642b06b0889d2cfd7f95065ad0e65d42c8

SHA512
d98a19eb09c0353a81fb7d40c6c41eb99109b221eacbb7b534be9a44bf8697adab9a9f92ea40f06fc1ca7e68d86b2b2387de1be2b20841ed27f520d7de085b9f

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
d450a5796315ea2553c0194adff8b084

SHA1
51dc107fb663c05baf42b44c73d73e3556434b44

SHA256
c286196396bbfa21d82e295a5cc4aa47b8526d05dc7e6f5d726a18603d61f8aa

SHA512
0d1f6675c7073bce5062b84a494cbefb1541a13fea4d6cac5f8c6f66c16746705d901ed5b884f14812c0aae3e5fe04f6378437b5964e9cc46f2f1ba38b27cc2b

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit
memory/2116-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2116-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2216-16-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2600-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2600-10-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing