flawedammyy | ba992179336a255b6274e8f7372f741a85305da0b1ee4ce1e5e73d5f3d57e181

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Size

696KB
MD5

128bc5d4a3e25fea59fa6c3f04949257
SHA1

ad8cea9f27161437365dfba43055fdafcd198268
SHA256

ba992179336a255b6274e8f7372f741a85305da0b1ee4ce1e5e73d5f3d57e181
SHA512

4a544431f298f6d6da4dfbf421fdb05ae308f2bc08c8ba421c2f1e42fce1f67ea1217f3c9eaaa0698ec68b9fbcf29f508e99a3d60c0c9e0b51791edbbb09aaa6
SSDEEP

12288:qqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCzIgB:TOPMrGL+FKNAe1RtkzepMqBCJB

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c16545347627e33a998b26b	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 05d1d1e26b3c538207376b5fdbd59fb868e3d25beb27cc1a41466298cc8c6180fa46725781257613f8dd8e16978cf21dbbf6f57b13351c7257fb523e91a7f77467b3129b	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

pid	Process
1808	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

pid	Process
1808	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1560 wrote to memory of 1808	1560	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1808	1560	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1808	1560	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1808	1560	128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe"
1⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\128bc5d4a3e25fea59fa6c3f04949257_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
a412fb23a86981297af5fc172cd82308

SHA1
f95633a2b941d6886d851ab7251244723650229d

SHA256
fe7f2324c6cc504a972f8111aa2b7485da7197d84dc772c84b7ad6aecbf7ac80

SHA512
7fc4aaf8055f50aa06aa09c7a3809221fd7049cf4673f2afc72c8ceef8e71622c1b4e6c627de91001ce1e844c6084374fad388a212d0478412bb035c3d75908f

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
d4939b9bcaa5aa08d4aeac2054f90816

SHA1
29e73e6cc6aa1453649845977e4fe51df6ddcabc

SHA256
f4bd2034449585a7c8a3baa23fb34363c23920f544660b64befec5c82546c176

SHA512
b1e4f50a51c78e97cc38d656472b180996215ddfaef4ab9f085c87a54bac12ba9a49cb6c9dfdd48e42e91fe440ad1b410c7837ea2fa1fbb2ed372d962ec5a7b1

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
33b9c6fa7eae6a1715fa609ced7433f0

SHA1
ace6b06a3f5d8d80a034654e2338fc593de21479

SHA256
c90e68393f8f00ee5fe1c0288152d2b3da12d1c031c940d37d13314b1eb4d2df

SHA512
a8098099ce09f38fd5401f7c8df115bdc92cf7c096003ddc358fd78129323359392d5a3c02aff753c536df45bffbbe47eb235d1a0629fa07cdde00d445d9917c

Download Submit