flawedammyy | 2408c9b2932c10af7485c58bafde8c85e202f476bf226e973219554461918efd

General

Target

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Size

652KB
MD5

bac69b8058800984cf42648b4580329d
SHA1

be5017b00f9e70935b335c8cc98e197829bcce41
SHA256

2408c9b2932c10af7485c58bafde8c85e202f476bf226e973219554461918efd
SHA512

85c3f7c30da74adcd41ba82b1802556043fce2b6d1067424e4848a9c65fcd4e4459b7f8500e1a9ba4df739f9db09a95ac0775426da0ddfa7675ec0ea0f969423
SSDEEP

12288:WaA9OKLSwaIN5U8xvFoRQMEoO2rx8ikfRtjIe9rtv8zl6IilgB:qkK+waI8JRQMEJ2rufRtse9rtv8zlziA

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exebac69b8058800984cf42648b4580329d_JaffaCakes118.exebac69b8058800984cf42648b4580329d_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

description	pid	Process
Token: SeBackupPrivilege	2132	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Token: SeRestorePrivilege	2132	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Token: SeBackupPrivilege	2132	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
Token: SeRestorePrivilege	2132	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

pid	Process
2132	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

pid	Process
2132	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bac69b8058800984cf42648b4580329d_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2156 wrote to memory of 2132	2156	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe	84
PID 2156 wrote to memory of 2132	2156	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe	84
PID 2156 wrote to memory of 2132	2156	bac69b8058800984cf42648b4580329d_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bac69b8058800984cf42648b4580329d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2044

C:\Users\Admin\AppData\Local\Temp\bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bac69b8058800984cf42648b4580329d_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\bac69b8058800984cf42648b4580329d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bac69b8058800984cf42648b4580329d_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings.bin

Filesize
88B

MD5
3d22e13ee06537f20e567fb3cbb2ce56

SHA1
1a19bcb870ec2e02d9a517a160e23455581cb453

SHA256
e535a352685ebeaace54d4775b3173b03caad38dccb86ad6df66dd45d61858c8

SHA512
1274b95ac305b56c89adb0f869b28b71953e41e4f3ce5002bc3df21d167140b3f2cd3e35abdaec21726b9ebe78a161c3dd73efa1931874aa7b9847100b12c0ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads