flawedammyy | 6dc66741b8e6b8e338c1abd40209191805b169a808df5ee565623ae926b38521

General

Target

70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Size

726KB
MD5

70814c3d05ff00b7cce5328c19b8c1d6
SHA1

13b503ee98876554f191a710ccf6c0d37d75daca
SHA256

6dc66741b8e6b8e338c1abd40209191805b169a808df5ee565623ae926b38521
SHA512

7ce5250a46b882d78fba0218d46c794e64dc3673520a54858d244537a116128be7146b3db4bf749c13c2664fc8e2edf8c600faa127e01582c3a52c1045f9a8ab
SSDEEP

12288:3YdNctvsfu2LVBfKf057C9lRt3i5olGJssozsghz:odNikfu2hBfK8ilRty5olGJsseN

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c16545317ae57e40ef1b26b	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 4faf5501ba5cea6b7a9f613fce0c16ad999d60e6109cf1e57ab5ea20c0cc072962a7963cbb4a2625fd32a533d22e5bc45fd315d08e6561fc303197513a5f6f460163ccf1	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

pid process

1800 70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

pid process

1800 70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

pid	process
1800	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

pid	process
1800	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

description	pid	process	target process
PID 1920 wrote to memory of 1800	1920	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
PID 1920 wrote to memory of 1800	1920	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
PID 1920 wrote to memory of 1800	1920	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
PID 1920 wrote to memory of 1800	1920	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe	70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe"
1⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70814c3d05ff00b7cce5328c19b8c1d6_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEAM9\hr

Filesize
22B

MD5
3dc40c8e54796aa7a13249fdd0f1b850

SHA1
d6396685ccdc608bb8eab855d86ad932e128438e

SHA256
ca8a7e31690bf91e3a83619b7bbfabd90cad10b74199b9cd3fc5afdc53a7a481

SHA512
323cb84013ad113c3eef8b4d2b97a1d774e38eb730d0a9540e036ff19e6d32536e7bd4f24354835982ab4ffd4ba667993bf439974242198f6fc31817adcb98b5

Download Submit
C:\ProgramData\TEAM9\hr3

Filesize
68B

MD5
7cf6b13dc20a33049b491b9cdd6d689b

SHA1
310f7ce75c0aa75fe9f9f13e8b22478429197ab1

SHA256
cbd3c7f7e923145c9e99bdd35886c269a6492b67284f19940f51a0dd3a35cacc

SHA512
3f9e4a287dc94e77f382b2b780b05a82f2b27b2919d23d3c7e1c4b51e47eb0be0ae3348fdef752732c5845676ac83fc4383e5fd4c2136453d89c4bef2b500c4e

Download Submit
C:\ProgramData\TEAM9\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads