ammyyadmin | 23aed4c0d4a9fbe7a448bd67cb0bf2b00fd8e7a6d07065d122d210ddb9a59579

General

Target

JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Size

322KB
MD5

8bc6564e0b71b72620a05107bd944932
SHA1

822d1dd4ff04afc8fd08081ac3f837bed3b51405
SHA256

23aed4c0d4a9fbe7a448bd67cb0bf2b00fd8e7a6d07065d122d210ddb9a59579
SHA512

3a3b1dc823464dfd7ea75fcf338af78d1754214ce069f5ab9ab0e38a55655d55405d287a0880ed61809896f963b1687c227c3e149b1f97d8e4adfe515a39267a
SSDEEP

6144:lstGihDu2vLdLuzYk7D0EJJd6VjxIa65yPR4FV6ljQYxYLhBQTpNOas8w8plH:lsMihDu2vGj7eIa6GQ8GYxY1BXaPr/

Score

10^/10

ammyyadmin flawedammyy discovery rat trojan upx

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 3 IoCs

resource	yara_rule
behavioral2/memory/5964-5-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin
behavioral2/memory/1952-8-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin
behavioral2/memory/3628-14-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1952-0-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/5964-5-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/1952-8-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/3628-14-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752531336a35b98ffb36b	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 48079f6612c8613f6096cf8fbc0316f2dfc133471cad43cfd2c50f1243de9f0d6fa431528fc766aecb5480d5829b14d5b7d6150e26ee0ac2484deda52da02cede531db0da9004520f3e8c1	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3628	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3628	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5964 wrote to memory of 3628	5964	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe	87
PID 5964 wrote to memory of 3628	5964	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe	87
PID 5964 wrote to memory of 3628	5964	JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1952

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5964
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bc6564e0b71b72620a05107bd944932.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
6f2380eabf238586db74b1570f305c59

SHA1
96601a8f8e239c0aa05f4a95babacbcf5725f50a

SHA256
87e01ecba33913eb2c0a92bcf2a29765944018a6b1a8370cc1224a427cb08f3a

SHA512
dfb774726af3887b0ec4897b8825c2564e453ddbe954e8fd809af0c75a7d87cb4fc3d855158a09e74ef69bc8fa831e8880c2c7d9cae2c77ff7c7674ad91834ff

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
0d141c80348411a5ab58a1e38f3505aa

SHA1
222863b54181e701a4cde83db23ce033a0a360ea

SHA256
ad09dbd444b79cf83c3363c3b78ce49f2af0adf4d43622cca776f29699950437

SHA512
f6637224be2586174176c13f51d8cfae5f833a6ff0aad15f4479fd649389fa4b4c9dc79c368a9a783fdf5d80896e564f42fa25d9cb8281f13c4b052d53bec2c7

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit
memory/1952-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1952-8-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3628-14-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5964-5-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing