flawedammyy | 52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f

General

Target

beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Size

748KB
MD5

beeec969093ab86761889dc3416fde16
SHA1

37347e3ba9ff8b712a988664d6de0a65976de059
SHA256

52e24fff0caae64471528148c7dbf3d2fbbe85a3aa501a4f13b514d64900ae3f
SHA512

645a281ab605dca21a8bf06d75094130311aa6bcf62496755be34dc6747d4a4155464a6c6c9e6550a18a92b615a8c93acb61771dfb4afcd8cad06133f72d2860
SSDEEP

12288:/VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV/gK:PUEUUw9RaTNicBrPFRtJ1iVTsCIK

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 09637b6353a99021447b7cdf8f7e3e5064d6c05a4b84c2d06437709b5aea625db01c449eac4bd6ba611f6dc9dba8d2ca0beef4748941da912f9afb1999e877146f3d87082fab4a2ff09328	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525314e3fda275a9b26b	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1168	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1168	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 1168	4632	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe	85
PID 4632 wrote to memory of 1168	4632	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe	85
PID 4632 wrote to memory of 1168	4632	beeec969093ab86761889dc3416fde16_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2228

C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\beeec969093ab86761889dc3416fde16_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
3033b6f7898c7ba7522a8e635f4389e3

SHA1
561c206a180e852ab15ba584b15cacfd19477b68

SHA256
4ed073978dc823f51c5ae75e962916a5d993d941044995f193242d54393f789c

SHA512
52984bb1ed785e653cdf0d7129ed96c96632f19017dfc4c6af2c26f6da6eb79797fdc7ace39bb970c6972c62d006036bd065fed5dd361be5da4f0c1061e956d3

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
a327869e9731fbe2c8bed88ed704579a

SHA1
62e9c43da7c0e11359cdf5c0bd863eb0c2410282

SHA256
bf74dd5052dcb1f882cb49cbc6ce9b4f5aabe6323f9c20617ab832915dac04e4

SHA512
d9e1de501e3a2ebbd17d64ad75ed7f31118b0ac1e484d1974cde43fcc87b7ad5a0f1349edcce965cec9c634a24994c4eb804f1262c77d0b4875bd9afbda53ff9

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
451B

MD5
2f5e8fc2fab9560d7d2f9f295929b883

SHA1
87644b1431054f73c0fe9aaa77b3ffa3fa6d29a2

SHA256
66c97b75a9b097180197ed4b7b5737b76b16e5e1f426e4999780d640068e6d72

SHA512
0b77560f50823cf523833221d57eb5d149890900199170b30cbad17378a235e9ed8822b0fa6d6095137a37a784ebad15297050b4bcec4e4747a933bb69a38a20

Download Submit

Analysis

Sharing