flawedammyy | 60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Size

701KB
MD5

18e6fbf3a7799ead04694742028458de
SHA1

cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5
SHA256

60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa
SHA512

48ad9211e79b1e3f35b191a06d1f19f4c32291c598b21f117c8d6f90bd1ca18ab134d35c726405ab63a233c180e708ea23db2a436f052d763457aed476fb2a87
SSDEEP

12288:hqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCz3gI:cOPMrGL+FKNAe1RtkzepMqBCkI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552535ef521395296b26b	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = d83a9433a7cf5d24d594c916e1d8318e421d568348f36aca1aacde0e22945b371ec1dfa7a1d6afba9a9040d6623eaba642c38e5d3a69db68f7640c6b5febb18d4c11a052	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

pid process

5036 18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

pid process

5036 18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

pid	process
5036	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

pid	process
5036	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

description	pid	process	target process
PID 4688 wrote to memory of 5036	4688	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
PID 4688 wrote to memory of 5036	4688	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
PID 4688 wrote to memory of 5036	4688	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe	18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe"
1⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
1b05f8873336676a8acfd7b74f07ba6e

SHA1
f20d770bc792411ecfc4cee3e845740fb186b3bb

SHA256
9c43bad2f12472f5a13a9244c2e08721f36cae329a2c8c744041ab3f4e9cc5f1

SHA512
ca0a1571ce8c8bcba756a0be8575b22f42002fe3f2f52bea6b1861ffaf4cde48c3a29c430009332c8601e7923a7939dc87856135df40e8888e4b8002e4c85517

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
feaa6dab5c9275d15e4c642908b5ce87

SHA1
0df6283ed5b30dd6afce9feefb009fc42f16a4b6

SHA256
0eb6494889dcb144dc3a91ae93238e3a14ee2b604edd1d98ea8673daea683bc1

SHA512
90b8e67fc9a5e9aa6984b9844fcdba39221088a5134b81e78640ead5852409e5dfc0a778cb55e093e0477a89d9896e169b1bf9fb84400024bdf5b2f46ed9d528

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit