flawedammyy | 5c45a30fa57a53d73239dc64dbe8e9abcaaa29e95c37e66b91cab7fa002888ec

General

Target

2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Size

718KB
MD5

2fa3823f28a02e5910abc38aa65cb63a
SHA1

cc7dad8158d13d52b008d17118219426439fdfed
SHA256

5c45a30fa57a53d73239dc64dbe8e9abcaaa29e95c37e66b91cab7fa002888ec
SHA512

f5d716cb14e43762ed115f355fc75efce352b60bbefb37d415e47ca064264ce073430422c1c7f8cccbbaaa58083247dd47b7282e0077e6f9d0e67adff3b0cee6
SSDEEP

12288:qIORj+BrZtiSngkkjvpPF2mpirqd72WtghLTkRpPq1RtlVIt7/4Fe7zsvpZQjhf3:tuA7yWu72/MRc1RtDItD17z0ZQKY

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b0f7148b157b231daf091165e4d81c14497b460a1223c9d28ec8fde27f14cd7a130c0c3b7cd3bc1a3373e01af85b9899a21c4b5012f9d37f5f3248634d9919f804f23538b3fb1987372919	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525395a8b170ef45b36b	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5012	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5012	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 5012	3036	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe	86
PID 3036 wrote to memory of 5012	3036	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe	86
PID 3036 wrote to memory of 5012	3036	2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:8

C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2fa3823f28a02e5910abc38aa65cb63a_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
0cb31a8297ee54755a58b50afbc70b4b

SHA1
01e5f63238545b1671b955d4d083c799b23043dd

SHA256
185ff55faddc02d5a94908cd264051cb6dbee1ed813e4b1d99a9472ff0be5ef3

SHA512
f42d8ad777bfb225141c9766ff07153ea5056930dca4d5e9f29dfa0eed881f288dcdd86f7438e17158da9aea2f347e2e09a04823e1cae6290c8ea8d9af3317ea

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
cd9dd10b7a00f57d4dc9ffcaba0d607a

SHA1
4b419cf88c9295610e817ded19d3b6856ae608c3

SHA256
dbe8115529593a97b9d9de0acb828b3d841a8fc9bba963e5d484bfbde436f468

SHA512
98940dd8bea592a01b08b44ff43ceb294004e55cd4ee9558f35c8ad4538d8c5151800e814908627a067612756a00ea6a4f37a6405001f44aa4ee66afc941807a

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
a55567fceb74f9ca4f151f4ab84b68c7

SHA1
63b4a57b258e640b165732dbcd0ca00fc69b4c8b

SHA256
f649823939d0bf2b01f5c785e55d3e278c1ee7cc11b547c6644ac9f90996e9d7

SHA512
3cbeb788c068008bdf2c7c19b696d464e66f66a969164cf98793e3150cf5ff82822de41deabb79921cbfcc93897ee824872c64a7bd9e131b1304105cad0f010f

Download Submit

Analysis

Sharing