flawedammyy | dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935

General

Target

dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Size

720KB
MD5

65b172782afd43866f06256a6f4085a8
SHA1

2867ae70390c9ae7da0e61bf46aecd2955a5dd8f
SHA256

dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935
SHA512

b0a8946f3d3d0bb913137ecb5e0353fabd0bbde4a66a7daf6e8a11f07ed41ed31f737d32e6ce688a0d58a56adb490f03b44b79d6e5c8293457a070dd8735b1ed
SSDEEP

12288:KzJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zkgqPE:K9oNTHRz/O7rT6FRteRXR2IsqzqPE

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c17525337bf20d5f033b36b	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14eafb3f76a2996a6b4ac80a9678bb7001ca78f1d55e6e93af1ba8f22584abfad9896e510669193f43d9d0866fa4a441bdefe8b70d40dcf678b65bfade5971d9a4468d581f64694e2bf61b	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2960	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2960	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2960	2752	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe	31
PID 2752 wrote to memory of 2960	2752	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe	31
PID 2752 wrote to memory of 2960	2752	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe	31
PID 2752 wrote to memory of 2960	2752	dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe	31

C:\Users\Admin\AppData\Local\Temp\dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
"C:\Users\Admin\AppData\Local\Temp\dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2764

C:\Users\Admin\AppData\Local\Temp\dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
"C:\Users\Admin\AppData\Local\Temp\dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe
  "C:\Users\Admin\AppData\Local\Temp\dffb2a4f8f65c2792a4f9cd223e834321a3c95e005c234f1ff0de567340d3935.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
e95a6754185f7d039520ed738eac2542

SHA1
96347ce688eecd625878e8992b030766cddb264b

SHA256
a4299ac556f7024648cad92d32d56a57a5d7a429e2ff62c021bf4a75803c5dfe

SHA512
ba142a0eda5e1afea66bdb3f9d0ae98161f91c5b1ad614d444b4aa0f5e875355416bca6546d55f34bc96955203063582f7cf13ff2caaa64fb71183b9a588f846

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
82853adae3889ef9c94fa845a1b4659e

SHA1
e36cc7a49d6b5d0145bc9fd9a637a601fb6b7158

SHA256
7af097caa5c6a9865ff14c7ffeb13c51eaa0b5ceeb3492146a0872a02e445cf8

SHA512
1ffb56957aafa3c22f23aa2a75a5e4428dfed6b045df6627a92481c56ce63f8ca5fc862e4e180abd91645dabae95897f897019e4d717c1bbaa2839b2d33b7311

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
283B

MD5
4da4bbef4087d4badfdb674a2e283b72

SHA1
0946e95f28d350f08a4339ba14ea3e2713a30221

SHA256
3ba4e1f2d16b7d9addf2dc6e44c97d29770846eb122fe42256a26ab6e2640f49

SHA512
cace21bbf08dd1985036a3307151a2c2be3729df4aae5e98eca1aa0acabfb7ac1bb323c47611e389400c7c45e8586bc9bdc854458db747bda681deb27e2184b4

Download Submit

Analysis

Sharing