flawedammyy | 3727d712e619a7c1de57a4987614cc11f08cdcf9ddb6d798a52b30b7f3ddfdf4

General

Target

f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Size

720KB
MD5

3d545a30c97699a5b44fd85b40d05016
SHA1

93432f2a5b5352cc94d3c4f196f60245f7efda6d
SHA256

f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3
SHA512

453fe53dd79d7bc478cad9c74e9f86c30f522faa0b28b27ad0782afda2193e465a5d0d326f9aad235c106065d44a4c9d1a43bc24414fce5ebb1e104c0df1c317
SSDEEP

12288:qzJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zngB:q9oNTHRz/O7rT6FRteRXR2IsqqB

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552533471d7e74e53b26b	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 23525c86b6bc7f5411dad6484656c819bf6432c12dde3e5eb0edf9ed8d6f44ca43e75b5daa6d4edb778f0ec9f69b583c3d474635e9b8bfd483fd9954774e262d08d8224c	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
920	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
920	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 920	3900	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe	91
PID 3900 wrote to memory of 920	3900	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe	91
PID 3900 wrote to memory of 920	3900	f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe	91

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
  "C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
c9c74efe3c7fe90d1868e617a20b7176

SHA1
730de0dd805ce28b57cb5fdb409a9845294cf6f0

SHA256
4c49b0b5f69ea7ccb12b8703b43d6ee2fa3af4da53a472c84bbb76bd677c3692

SHA512
738bf5c51e823c251a9cb5cf09de74c9b20dac194fc40e8f430dc6e066fc9e9c74e79efc09289c9a77b07485a2b94667ff543fb1cc9d12b512fd19dd9285d902

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
6d097b256f5fd1ff28671ecee11de775

SHA1
620e416e8519422a368663ad4d933ea78817b2d8

SHA256
1d0162cb1c2491a1df90a898d141c97aa457eda6c41ddbf98cfcd8fb120f1574

SHA512
dcbe4664e21ff13eaa9c18558d84fbe5bb135c86efabef7532bcee3053e3fb79b74d9b44e88b9e3220303281d179f25a372513ae0fd5090bd1ae682f2493c390

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
307B

MD5
4b1262396ed78b0aee884df3c46b46f0

SHA1
1eca767c92e65da3f72fed57bf44be41906b62b0

SHA256
3b916abde3f50bdc3dc54191f6955f84889d922b2d27f52acc9c0a407817fa67

SHA512
62d368c439209db7fdba6336d88809ca7a3368e5e5f8da54ed1e2c4c93662ae5bde2935daebd8707b767c1fabaf29a5ba08b450a96225a8afaf19f5bc155f8eb

Download Submit

Analysis

Sharing