flawedammyy | ce53586b70d395f8b3a56a6afc23bed0296e2aa53914fd2e4f229c4dac9ac9c9

General

Target

b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Size

748KB
MD5

b2d7dd7195b34c26e5faf1fcf10b653e
SHA1

c17ad78a2ae96ad1c04d4d853f2614ecb9966729
SHA256

ce53586b70d395f8b3a56a6afc23bed0296e2aa53914fd2e4f229c4dac9ac9c9
SHA512

f55f9bad73f919d55562037004bdad9b550fe90fcafb71faffd65a1dc58ab49116801b4fe1f5e648e8ea9a983cfde1ffe31ee46258460cbeb46ed9b9a1ef7ad9
SSDEEP

12288:/VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVigG:PUEUUw9RaTNicBrPFRtJ1iVTsCfG

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c69585c40145253f333179599e0b26b	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 5e650283ee2a445d17a8e497736d84390dca6b082443a1ed30a1038238b3376585258a6c336c2562b92625ca8d9e6b20f9a859fc7ee7d26eca3008c2c3a3ff942ff8f061	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1276	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1276	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1276	3220	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe	90
PID 3220 wrote to memory of 1276	3220	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe	90
PID 3220 wrote to memory of 1276	3220	b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe"
1⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b2d7dd7195b34c26e5faf1fcf10b653e_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:880

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
76bf70007082674981653f923690fcbf

SHA1
3cf4d7f2efeaec54fdcbe1bac2ff946866457659

SHA256
420e6d9973f846a93297a879558f4653a05d72b30cb6034af7976da5e95bc1be

SHA512
4b93df505fe3ea01a37f4895118e26f106a628032b54faea8b5798292ea9e61da48ee1f6c5d1addaab8ed5f07d6c3940a198e35df86670f6830c2b058999297c

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
45dbe29fc8090ae938d78554b49b68ed

SHA1
5d9d06d71f4e56652cbc8a682fe95cd4068841bf

SHA256
642e7768344f75d283ffefa846bc4c17158ac51c0a6713921de2c0c2ff7f4efc

SHA512
5b168a378274bc3084791f5e64b8faa9c4fcbd007cca9276061d3690d3e8c412e308c485055e8c99dadf623aa95d7876bf77df51f6c3671a7d1c37bffe552155

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit