flawedammyy | 8d6878dd7a05b9402efa6824ea82613fa6785187ec878823a387adabc2cd6965

General

Target

b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Size

701KB
MD5

b9b5ca19815cd592e7a4113076839b7c
SHA1

e66f3cc9131ef224800f496d26854d6699f72b70
SHA256

8d6878dd7a05b9402efa6824ea82613fa6785187ec878823a387adabc2cd6965
SHA512

c7a721d782a46b59b866fada56c904713f118d883fdd19863bd3f53113f18c168e7db70ab1cb8e751aead1a17fd8b8463b3c09dedb9b3e372503075a9e39ad99
SSDEEP

12288:aZsgrzAe9zLbMmop7HxLp5x1Rtr79Oj8TmwZxEiga6:mIe9zMmoZHxB1Rtf9Y8TmwZxQa6

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exeb9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exeb9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752532604add8a41bb36b	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 30a00d49556e97c8a0cd9fbcfe8861f913ff8e6f1ef4bf532468b4976104d0f1e8ab95c4d4131239d293a9fadf371884909b9242cc3a2c0aae3ecd3bb409b35eab387dd75b7c57c552bd91	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

pid	Process
3672	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

pid	Process
3672	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4620 wrote to memory of 3672	4620	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe	84
PID 4620 wrote to memory of 3672	4620	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe	84
PID 4620 wrote to memory of 3672	4620	b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5064

C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b9b5ca19815cd592e7a4113076839b7c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
1a7916c00d109cf550fc6211628b8e69

SHA1
18f8befce1069936b964a90f607c0fae42eb2014

SHA256
b664e0680deb51ff7bd24ea6a37fe8ca61a5f28eabebe94f425b74aca7ba3d23

SHA512
1cb36515e69b95dd1d928c56e1e58a96c9db57dd31147fa1a33bf4c62bff40b2f1d6659ba1cd11194c17b51698c567c1a178729b9264692b3ed393272a6b5dca

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
f95eb921bf7444b31e217bdefbccaecb

SHA1
21ebed7343840b278666b2b226236bc19b9074af

SHA256
b9f138ced554e9e1df438b685fad56df7a370ac6b428b4d945d361d2b4b4b34d

SHA512
40682904f5e74bde50d7f488b741a1dc4f76b78de2523a58c7a71d28e0cbf97b7bcc1d17a2734fe6c155e30094f077486b8f987252e43cfd3770bffc0969b3d4

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads