flawedammyy | 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

General

Target

JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Size

708KB
MD5

18966a28fba7a616962f90694009a466
SHA1

4f7ac1f55f093bf3c7dc0fb6971a6da701793a56
SHA256

847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
SHA512

3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd
SSDEEP

12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253a7ae1e5fe332b36b	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = caec7d5767ce5d24d594c916e1bfe4b41e37418fcd528d2f29b2506f20e2c7e76b16f3046a165b1d08c14f5f811d2a4958e6c09e2147ca36a145edf6c3f0db24b25a626f335ac352b06ccb	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2692	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2692	2020	JaffaCakes118_18966a28fba7a616962f90694009a466.exe	32
PID 2020 wrote to memory of 2692	2020	JaffaCakes118_18966a28fba7a616962f90694009a466.exe	32
PID 2020 wrote to memory of 2692	2020	JaffaCakes118_18966a28fba7a616962f90694009a466.exe	32
PID 2020 wrote to memory of 2692	2020	JaffaCakes118_18966a28fba7a616962f90694009a466.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2728

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
57475b15138707759c1f3bdef17c5ce6

SHA1
1d2497e1308e9952063a4cf9fdee8e4de7b1831d

SHA256
fa478877f184b02d698bd38aa906673818c175c08998df617f2a7eaaf7c4fcb9

SHA512
33820fa0e9bdf00f3b4714670edda7d71cdb3a176bcec8d76664ad26277daf852c65aea7656523e569e6dbfe8507c1800ca9e2972c0c72e53db0359bb6250b4b

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
dd6c8f4d04b547b097792f485386a8d3

SHA1
7d3411911f1f50f0ba598e2f082459f9baa34ed9

SHA256
0e0c29615a947d001a5dd1c1c1843a65b781776719df1a3577391dc915fc25ac

SHA512
99a66eefc6750824d54e5f7356d6a2bc2d18e1db50455620abb5196ff6a68c394d45854319d8ee13e836ff237fcb91df0142c4a112a0cc8f20df603a143ae98b

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
281B

MD5
0ab37e79601368085b4631f7a9c5597f

SHA1
7144ec339f1a518775a4719f3c1b5b2572775c1f

SHA256
142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

SHA512
7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

Download Submit

Analysis

Sharing