flawedammyy | 52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f

General

Target

beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Size

748KB
MD5

beeec969093ab86761889dc3416fde16
SHA1

37347e3ba9ff8b712a988664d6de0a65976de059
SHA256

52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f
SHA512

645a281ab605dca21a8bf06d75094130311aa6bcf62496755be34dc6747d4a4155464a6c6c9e6550a18a92b615a8c93acb61771dfb4afcd8cad06133f72d2860
SSDEEP

12288:/VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV/gK:PUEUUw9RaTNicBrPFRtJ1iVTsCIK

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253a78c7ca275a9b26b	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = ca1e4869472d7cdf12df07d60237f496ecf9cd874ffe2d19750bb671d546923ea5d65fddddfb538bb7ac605d22a9a775aa962f3eb25213866a89dcb4a916ed5fcfa522ddb02333bea94757	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3060	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3060	2960	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe	30
PID 2960 wrote to memory of 3060	2960	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe	30
PID 2960 wrote to memory of 3060	2960	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe	30
PID 2960 wrote to memory of 3060	2960	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1936

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
fc1c572f3058c4f567d0ca59722a77c6

SHA1
81fca4dbac6f74677dd46ff6285844593d1d1baa

SHA256
95a63de870f1bed8899a362bd5c69d7e15cb36156b1e6f12286b4ae34aad6458

SHA512
24731357f96a72ff90142453c7f53bc3cf9b372c0ee1849a66a30ae79497a60b050f45115856cd2c433a89409dc624ec971c122365cf20da6e1db955e69b19c2

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
1ec688c874e0d51d4da627b6eb293135

SHA1
ba4ab7fc2f0949c24e2b828ae1ed6737baa09960

SHA256
a9bd755e9787f54d093d3f85414ff45318328306023566feafc176bc920d0151

SHA512
54dfa810c494bee3a592efec82fdfe989af424653db0c2fc6bbe4e3fddce9a18d5bface521bd4ae1e679e962cdc5dfdfdff000399d0f41a31db38fb77e1978ce

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
451B

MD5
2f5e8fc2fab9560d7d2f9f295929b883

SHA1
87644b1431054f73c0fe9aaa77b3ffa3fa6d29a2

SHA256
66c97b75a9b097180197ed4b7b5737b76b16e5e1f426e4999780d640068e6d72

SHA512
0b77560f50823cf523833221d57eb5d149890900199170b30cbad17378a235e9ed8822b0fa6d6095137a37a784ebad15297050b4bcec4e4747a933bb69a38a20

Download Submit

Analysis

Sharing