flawedammyy | 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Size

708KB
MD5

18966a28fba7a616962f90694009a466
SHA1

4f7ac1f55f093bf3c7dc0fb6971a6da701793a56
SHA256

847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
SHA512

3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd
SSDEEP

12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253e7e27240e332b36b	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 90eb36e9f3eef7d9d4badacd1785db9a419010bf6b92f29d3d626fa213bf5113ae6d50db7d6499e7d7b57c46a72b6109946251d0d35adff633a132049aad65f5e7d194f1df0eca3d6dd5f1	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	JaffaCakes118_18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1224	JaffaCakes118_18966a28fba7a616962f90694009a466.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1224	2272	JaffaCakes118_18966a28fba7a616962f90694009a466.exe	83
PID 2272 wrote to memory of 1224	2272	JaffaCakes118_18966a28fba7a616962f90694009a466.exe	83
PID 2272 wrote to memory of 1224	2272	JaffaCakes118_18966a28fba7a616962f90694009a466.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5088

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18966a28fba7a616962f90694009a466.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
8bcc3074a14d94e0bff5bacf30bffe0a

SHA1
b0754c62643c834a78e0a9267d1a496d8f2dcc9a

SHA256
313d4479f9097d9e94cd7957f53861dbc6e85eb5b36fdb7b64f065ef7041b347

SHA512
54498574f9c92db823f2339336b46fdb16deff50356fe81870bd709c5fac2125026b6f9ecee9e0773fcbff4d2d608c719984e7b416d1be594e49ed6792b05046

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
71fd20fc5f8e3e90acaf41d71d5eb4b3

SHA1
40ef85dfd0589f70009c8389e7c52615a6bf56a4

SHA256
eb93692434c78a0a88eeeb7ad04453a535c03bc5cde3b436b9ab5aa60f1886ae

SHA512
d2abb74ba72c4e641543f2620888a3cce895b4b314ed8ee7abb868f2d93b9d301ea43eb2c6b60dc7eb57d79db2fb052cda38aad687f9f859f058c1e6bf56bc55

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
281B

MD5
0ab37e79601368085b4631f7a9c5597f

SHA1
7144ec339f1a518775a4719f3c1b5b2572775c1f

SHA256
142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

SHA512
7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

Download Submit