flawedammyy | 83cff801ac8079dac80397faa70de6945d45f233296af3fc920cad7786248eaa

General

Target

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Size

651KB
MD5

8209e8a107f543d85a5121c2d6a275d5
SHA1

c317c6da070436bf5b34f953f0ba89a3c447be81
SHA256

83cff801ac8079dac80397faa70de6945d45f233296af3fc920cad7786248eaa
SHA512

c043e692be3a9533b98335c08eb3701ddbb74022569c91213792ac6592fe6ca0fcaebf1138299bb16f9d1636329e9f5d0c85b069cd8b925d7f440d4249bcfc82
SSDEEP

12288:FaAXOKLSwaIN5U8xvFoRQMEoO2rx8ikfRtjIe9rtv8zl6wiegC:reK+waI8JRQMEJ2rufRtse9rtv8zlri2

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A82946818BB0433A7DC1AFD2189B16AF	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A82946818BB0433A7DC1AFD2189B16AF	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

description	pid	process
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeBackupPrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Token: SeRestorePrivilege	3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

pid process

3088 8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

pid process

3088 8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

pid	process
3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

pid	process
3088	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

description	pid	process	target process
PID 1844 wrote to memory of 3088	1844	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
PID 1844 wrote to memory of 3088	1844	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
PID 1844 wrote to memory of 3088	1844	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe	8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:400

C:\Users\Admin\AppData\Local\Temp\8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8209e8a107f543d85a5121c2d6a275d5_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings.bin

Filesize
76B

MD5
090bba5cbe9cd62189310f633f14d686

SHA1
0ce1d78aace04650b0c592665686a89412c1771c

SHA256
7bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8

SHA512
846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads