flawedammyy | ce53586b70d395f8b3a56a6afc23bed0296e2aa53914fd2e4f229c4dac9ac9c9

General

Target

b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Size

748KB
MD5

b2d7dd7195b34c26e5faf1fcf10b653e
SHA1

c17ad78a2ae96ad1c04d4d853f2614ecb9966729
SHA256

ce53586b70d395f8b3a56a6afc23bed0296e2aa53914fd2e4f229c4dac9ac9c9
SHA512

f55f9bad73f919d55562037004bdad9b550fe90fcafb71faffd65a1dc58ab49116801b4fe1f5e648e8ea9a983cfde1ffe31ee46258460cbeb46ed9b9a1ef7ad9
SSDEEP

12288:/VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVigG:PUEUUw9RaTNicBrPFRtJ1iVTsCfG

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\International\Geo\Nation	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c165453570abe9299e0b26b	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = a31f6720ecb8a5697895a0beba15500d922326ba58eeb10dacb309d426f3685a3849866a975c752a690927e01cd0d52e88275c4cdd617d49cb3371c80a9e1f9a125394c1	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

pid process

636 b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

pid process

636 b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

pid	process
636	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

pid	process
636	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

description	pid	process	target process
PID 2200 wrote to memory of 636	2200	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
PID 2200 wrote to memory of 636	2200	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
PID 2200 wrote to memory of 636	2200	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
PID 2200 wrote to memory of 636	2200	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe"
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
645a44d42a3d17db8d1929d66dc8656b

SHA1
815e8e5177dcae3b32b5d33bb7907851edf4a527

SHA256
facbd20e714dc193cee97fbd26b56af00bc181ebf0f0c4ef5907dd5080702d1c

SHA512
93f8b2e41644abd988113f6b7377ee06dd771c3db64938ce7bf24e1111574e0ee5f3d8ec64062877a99a50741f066a735355071e56534a8b594834ad14c16ebd

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
e33f9ef6f5c979df7e844a17c2a9a16c

SHA1
43a3221b02dcfc9ef3fd226e7d77e8ca5be31b24

SHA256
f412de4b2f36fbb12bde182b90e164e93f5f33c10729c015772eba1cd0b874aa

SHA512
7a29d9ba6d6dcd36a6896a7df9387e51e6267a65112c491b3af4e570ef67a8fd1d104ac36da6f1965bde1ac41ffe38979492f12e4364e82cd54e6521c721e8bc

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads