flawedammyy | 8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe

General

Target

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Size

704KB
MD5

0dcf6b80de9636e9f2d58825842404ee
SHA1

56197059d0319560d256b067a90b01131cd44733
SHA256

8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe
SHA512

91bf4a8336420555d31bbd94c079f56575386c2a9659956def2be780c06ba6eb8b04a447c9109d739b081be0fd37248a077ac6381d05af0b54d393053d25a996
SSDEEP

12288:YKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhkg1:YorLkbDEhyW3XS1RtcePKUBATZx81

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 9850c87bcdf4fb72143997c883e890fbe473b0911ae5f92336cefeba74e58be2589d9bb1c7f7ee63d80bec0a35c844869b8b8a655f034eed142b436c464e236937c5ee3579a9ee88ba19b1	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253f73473ad004ab36b	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid process

2748 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid process

2748 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid	process
2748	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid	process
2748	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	pid	process	target process
PID 2280 wrote to memory of 2748	2280	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
PID 2280 wrote to memory of 2748	2280	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
PID 2280 wrote to memory of 2748	2280	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
PID 2280 wrote to memory of 2748	2280	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2088

C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
51e021c0eae872178417e222ce50e927

SHA1
ae19925367964a0fc4f6dcd822dadb755a5d7b3f

SHA256
84c71cefc3d7b5b412d2a8df2303373ae1dbd7b7b1275110c52773fe66a6a4ce

SHA512
9d4a058616b56c541152d5f5411cfeed94c62355750cd3c24de057770fe42b8a11f42dcfdaed1d260efb4f9f132ef038435330ebcd5fda51f4417803a0dde74a

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
fb764bfed802fd42d538e7c076ce5fb5

SHA1
65bae3f2930cb91fc637135f88e89e4730cf4819

SHA256
93c19df4cae330bc7e401fe25436d0cf55db0300a32379cec4ea5f59c2bad69d

SHA512
6d6fcfbb013b9fa4c2bb06031b5a5bb76c4ba3f45e3736c8be1f1e344ecf5b512769ea3f3d36a28ac5212f040bbcccbf29efcc940ab3ed39134a4528fdeb9566

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
e57a0570fc4baf51499bf05f363705df

SHA1
41653da3b123392ff4d89ff894a4cc160b80e6e9

SHA256
bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75

SHA512
aa3b12aaac6427372043cd6ebeb11d9205ce0e1a20258673b8083f776046a2ddedbacdeca9d993a1959a70d074a46352e69f9ec93ca27ecd403a4e7f81002465

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads