flawedammyy | 5c45a30fa57a53d73239dc64dbe8e9abcaaa29e95c37e66b91cab7fa002888ec

General

Target

2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Size

718KB
MD5

2fa3823f28a02e5910abc38aa65cb63a
SHA1

cc7dad8158d13d52b008d17118219426439fdfed
SHA256

5c45a30fa57a53d73239dc64dbe8e9abcaaa29e95c37e66b91cab7fa002888ec
SHA512

f5d716cb14e43762ed115f355fc75efce352b60bbefb37d415e47ca064264ce073430422c1c7f8cccbbaaa58083247dd47b7282e0077e6f9d0e67adff3b0cee6
SSDEEP

12288:qIORj+BrZtiSngkkjvpPF2mpirqd72WtghLTkRpPq1RtlVIt7/4Fe7zsvpZQjhf3:tuA7yWu72/MRc1RtDItD17z0ZQKY

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253a75d600def45b36b	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = ca7abaf2c10166933b325846cb3e8685e3a9c4ab0133d48ea94525e45c0943dc09f35a32947fa5175804753ac1b58e917f8ff8b5eec630eac0090864b0505864ffac4f36eed781aa746d79	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2644	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2644	2108	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe	31
PID 2108 wrote to memory of 2644	2108	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe	31
PID 2108 wrote to memory of 2644	2108	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe	31
PID 2108 wrote to memory of 2644	2108	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3004

C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
eecb515dc0f5e0fa2d992ec261922950

SHA1
833b7e077f97fa1ed794cac55f7e8e33f9f243be

SHA256
36a9e2da62df8fecba9dc390f4c381076dd412a2d2b3444d43c5776698e0a859

SHA512
aed480922a8c1db6e5e1ce1665351c1475fa9d41f1a6e80ef6ef23fc26391db267a4047c6eb1e41c520fc37d69ef4706d92d260ce39a8aec33b4355c9da7b4f5

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
5e5ba5ecdfe7811fa8c9002a1ef9c2a4

SHA1
8f9121c4bf4745e0e268f68c243e560ce3bbadc1

SHA256
cc36e4d42c0cda4d4591187f6792c1ad178a9f7f03a0e9222407aeaa7cf473e7

SHA512
c16bb0d1afddf2eef7b39299acf446125db2c1ba6876f92d337ef47f497b35ccfcd8b53a15f0aa66010524cd351a266a87a9bf24a88417090a4eb6b8de2db624

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
a55567fceb74f9ca4f151f4ab84b68c7

SHA1
63b4a57b258e640b165732dbcd0ca00fc69b4c8b

SHA256
f649823939d0bf2b01f5c785e55d3e278c1ee7cc11b547c6644ac9f90996e9d7

SHA512
3cbeb788c068008bdf2c7c19b696d464e66f66a969164cf98793e3150cf5ff82822de41deabb79921cbfcc93897ee824872c64a7bd9e131b1304105cad0f010f

Download Submit

Analysis

Sharing