flawedammyy | 8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe

General

Target

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Size

704KB
MD5

0dcf6b80de9636e9f2d58825842404ee
SHA1

56197059d0319560d256b067a90b01131cd44733
SHA256

8d6e783c42531ba3a8c823293d399c08f0ef07c007213f40f253aea1ddfc7dfe
SHA512

91bf4a8336420555d31bbd94c079f56575386c2a9659956def2be780c06ba6eb8b04a447c9109d739b081be0fd37248a077ac6381d05af0b54d393053d25a996
SSDEEP

12288:YKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhkg1:YorLkbDEhyW3XS1RtcePKUBATZx81

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253287a57ad004ab36b	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b9604cbad1e7573879d6e3309b9724d01889fdb733501e95d8d24567bb5e21d622a941182f35a85084b244e0935c9a7b170f2c5300af3c83c84ff336d610fe89af82e8c4c99f9da59793c6	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid process

1152 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid process

1152 0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid	process
1152	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

pid	process
1152	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

description	pid	process	target process
PID 2420 wrote to memory of 1152	2420	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
PID 2420 wrote to memory of 1152	2420	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
PID 2420 wrote to memory of 1152	2420	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe	0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4320

C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0dcf6b80de9636e9f2d58825842404ee_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
8352ac3fd99dfbf88696e82b6a8f9b73

SHA1
3478e9fae1134bdcb746af6f68003d903ed9c230

SHA256
0ae23cb1624774d1a87adab495fbb21a889307bf1e77b7da515fc03bca72a7b2

SHA512
d19df87cc0d7da7e690f2b778d410978fc192b595bd64ec8c0b79fdc360154e70dbc9163fe85ac951fdea4a0ab6deb0a1be8522648878bbb63a7451959cc6151

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
d7b220d30166d66262abf9b7572b4e6e

SHA1
1331b52444d8250a0f6d51ca06780d19dbc7fccb

SHA256
29db91def7c8ec84dc5a0af97b23986ceeb991b56a7fc9a9335bd36a6a4023e1

SHA512
e5fc78a6843962b79c7da1569edaf514d92b9a8757c65d4169b96c6b6c8e6c45fad95052bf782b03d622edfdefbe1d20ffbef827b1790786c9937cae8097028b

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
e57a0570fc4baf51499bf05f363705df

SHA1
41653da3b123392ff4d89ff894a4cc160b80e6e9

SHA256
bc9847d6150b46d1fe077f2489c308da53a54c3e003ace56724a721e6e698f75

SHA512
aa3b12aaac6427372043cd6ebeb11d9205ce0e1a20258673b8083f776046a2ddedbacdeca9d993a1959a70d074a46352e69f9ec93ca27ecd403a4e7f81002465

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads