flawedammyy | 51112c067bd5c87a44698ec80bf9873160eee16b2d7c9775786e41724a06ecd7

Analysis

max time kernel
152s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 19:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dll/UzakYardim.exe
Size

740KB
MD5

10a524d7ac94678ae286b065421647db
SHA1

b538e3f113817c8237419310ef47817d1d961fa9
SHA256

55daa062650d42e0feabc5ae1c3e4a7f68d4f8a3c69be375a0abc7bf3e1efad4
SHA512

928b0e712e604a5ba9580ff6ecadbdf77e2fda6847b11366ce929281ae8e5e3a633073ff07176989ddcb5f8387c6f7c061729af99b61a23a319ddeb7d63ace1b
SSDEEP

12288:pUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjmgvPi:ZpJJWOwlaUPcWWwRZb4Rt+N5WMasHDy

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	UzakYardim.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c16545377b10733a489b26b	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bbb8e3bc0d01c41a4925f2142e3aad5d83f5eacabc12289b6ce4fcfe8be1cee67a83910ea94b6f76e52419186b47a52a2f9405cdd2cc7aaf450b64052ba63771c7df36ac	UzakYardim.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	UzakYardim.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2380	UzakYardim.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2380	2196	UzakYardim.exe	30
PID 2196 wrote to memory of 2380	2196	UzakYardim.exe	30
PID 2196 wrote to memory of 2380	2196	UzakYardim.exe	30
PID 2196 wrote to memory of 2380	2196	UzakYardim.exe	30

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
1⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
  "C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2380

Network

DNS

rl.ammyy.com

UzakYardim.exe

Remote address:

8.8.8.8:53

Request

rl.ammyy.com

IN A

Response

rl.ammyy.com

IN A

188.42.129.148
POST

http://rl.ammyy.com/

UzakYardim.exe

Remote address:

188.42.129.148:80

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: rl.ammyy.com
Content-Length: 183
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 15 Jul 2024 19:20:14 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Content-Length: 138
Content-Type: text/html

188.42.129.148:80

http://rl.ammyy.com/

http

UzakYardim.exe

869 B
446 B
12
4

HTTP Request

POST http://rl.ammyy.com/

HTTP Response

200
136.243.104.235:443

https

UzakYardim.exe

560 B
340 B
11
8

8.8.8.8:53

rl.ammyy.com

dns

UzakYardim.exe

58 B
74 B
1
1

DNS Request

rl.ammyy.com

DNS Response

188.42.129.148

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
dfaff2922250c8e4e1506e4d24ba6620

SHA1
d4c7966829651c29fa96fef350c15c614a34b254

SHA256
b5f4167eda254f578ec71eb759f076192f0b02d25d666ec1c02bb9080ce3c388

SHA512
6debbb4f6e37a19df7c4bc678d3cd012454c898a1c9e7eae1aeb0e67e3ab0f1604a424d37e2d6c9d56d408382d4bce125abf9c0dfe775428718712b84de55b3a

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
2f8f62f8a024bf15e957352e05d4590c

SHA1
2a51a3720f30d21673150dba4f10c505d091fb92

SHA256
5ba99f32dafefb12f8b96065a4e5ff08cef2b1b2782d457f87d610f0b61516c8

SHA512
d4ad8c839dfd907e5f3d6d1ff6c2b4ed3b9e64b669c2d544db73c566a4564e7402af67444ba01ad7a6b0186bf5ae81c5af8001722fec8678ffa76a9b9c3d5660

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
331B

MD5
c5b80443bc31f2f5c1d2e384c3b82961

SHA1
445a99fa06484d216276b9284eedf25483780216

SHA256
cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad

SHA512
eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.