flawedammyy | 60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Size

701KB
MD5

18e6fbf3a7799ead04694742028458de
SHA1

cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5
SHA256

60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa
SHA512

48ad9211e79b1e3f35b191a06d1f19f4c32291c598b21f117c8d6f90bd1ca18ab134d35c726405ab63a233c180e708ea23db2a436f052d763457aed476fb2a87
SSDEEP

12288:hqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCz3gI:cOPMrGL+FKNAe1RtkzepMqBCkI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c165453174b1ecd5196b26b	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 4f2805734cbe9a49160b48a0451e22c5dd598926b7774a6174579ad02b7cbbaf34636489d6ff3ea2360e4b6dbc39cc4a0892b176a6e9dee9f183cb365e4b6f32d9df1d9a	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1652	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1652	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1652	1956	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe	29
PID 1956 wrote to memory of 1652	1956	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe	29
PID 1956 wrote to memory of 1652	1956	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe	29
PID 1956 wrote to memory of 1652	1956	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe"
1⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
9cdf2e00cb107cffd4f51245e1340e81

SHA1
516347a83875d56399ecf8d1a4bfdb690569fc79

SHA256
5044b309fe31d813d856a5e8856e21f4c65142b11f65d9283a040c3f02bdc0c7

SHA512
055f367b17e4395ee1c520959962771663d2b889963aacf9db69460711e2b1c8c246694073ea00078b5242f6718894a581c2809147e1df2315b9c6955afcb761

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
3bdeabac8d1a77a7e317c705b818830d

SHA1
16adcd1f03bbd639b2c6cc0b0f5f1b1f31849538

SHA256
56e3d052754957074962edde05600207b876cff7be92e4fb17fedae73c52840a

SHA512
2bddcffe14fe2d950b9c5f5ec8f9ff3d871d959c85752f4f6ffbd128e79724fe30076cd56ab73bec5b975cc7734c174c2d76268b0b9b7171448b99e030bc04df

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit