Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/02/2025, 22:56 UTC

General

  • Target

    AMMYY_Admin.exe

  • Size

    651KB

  • MD5

    b730e7b8f3eebd51dc21d7997313b890

  • SHA1

    57ef7a2d07f3703f84c1d7ad33e34e550d23a6fa

  • SHA256

    e4a87095c27219afe9c7a3cb01c13de899e201d2340748a5fc446207c8f99b2a

  • SHA512

    05e87e0ac0e6c097cec3e3801c66752f1a69bd3f8b732062b16596fd4e46388e66eb2e4455ede69769dad62cb7a063849cc2199c140c6ba6a498173eaafe051d

  • SSDEEP

    12288:caA9OKLSwaIN5U8xvFoRQMEoO2rx8ikfRtjIe9rtv8zl6mi/gQ:AkK+waI8JRQMEJ2rufRtse9rtv8zlBi3

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan built from leaked source code of the Ammyy Admin remote administration tool. Because the family shares its code base with the legitimate product, weigh this match against the network evidence in this report: during the run the sample contacted only Ammyy's own hosts (rl.ammyy.com and www.ammyy.com), and the binary it requested from www.ammyy.com returned 404.

  • Flawedammyy family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe
    "C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2708
  • C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe
    "C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe
      "C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2812
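The process tree above shows two top-level copies of AMMYY_Admin.exe, one of them started with `-service -lunch`, and a third copy spawned by that service instance. The following is an added example (not part of the sandbox report and not Ammyy's code) that rebuilds such a tree from Sysmon-style process-creation records and flags the relaunch chain so it can be matched in an EDR or SIEM. The three records are constructed from the PIDs and command lines in the report; the field names, the placeholder launcher PID 1000 for the two top-level instances (the report shows nesting but not the parent field) and the flagging rules are this example's own assumptions.

```python
"""Rebuild a process tree from process-creation records and flag the Ammyy
Admin "-service" relaunch chain.

Added example; records are constructed from the sandbox report's Processes
section. The ppid of the two top-level instances (1000) is a placeholder for
the sandbox launcher, which the report does not name.
"""
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"

# Constructed from the report: 2708 and 2684 are top-level, 2812 is nested under 2684.
EVENTS = [
    {"pid": 2708, "ppid": 1000, "image": IMAGE, "cmdline": '"%s"' % IMAGE},
    {"pid": 2684, "ppid": 1000, "image": IMAGE, "cmdline": '"%s" -service -lunch' % IMAGE},
    {"pid": 2812, "ppid": 2684, "image": IMAGE, "cmdline": '"%s"' % IMAGE},
]


def split_args(cmdline):
    """Split a Windows command line into (image, [args]); handles a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].split()
    head, _, rest = cmdline.partition(" ")
    return head, rest.split()


def build_tree(events):
    """Return (sorted root pids, {ppid: [child pids]}); a pid whose parent is
    not in the record set is treated as a root."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    roots = []
    for e in events:
        if e["ppid"] in by_pid:
            children[e["ppid"]].append(e["pid"])
        else:
            roots.append(e["pid"])
    return sorted(roots), {k: sorted(v) for k, v in children.items()}


def render_tree(events):
    """Indented text rendering of the tree, one process per line."""
    roots, children = build_tree(events)
    by_pid = {e["pid"]: e for e in events}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + "PID %d: %s" % (pid, by_pid[pid]["cmdline"]))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def flag_service_chain(events):
    """Return [(pid, reason)] for processes that form the relaunch chain:
    an instance started with -service, and any same-image child of such an instance."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        _, args = split_args(e["cmdline"])
        if "-service" in [a.lower() for a in args]:
            findings.append((e["pid"], "relaunched with -service (args: %s)" % " ".join(args)))
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            _, pargs = split_args(parent["cmdline"])
            if "-service" in [a.lower() for a in pargs]:
                findings.append((e["pid"], "spawned by the -service instance (parent pid %d)" % parent["pid"]))
    return findings


if __name__ == "__main__":
    print(render_tree(EVENTS))
    for pid, reason in flag_service_chain(EVENTS):
        print("FLAG pid %d: %s" % (pid, reason))
```

The parent check is what distinguishes the service relaunch from a user simply double-clicking the tool twice: the third copy is flagged only because its parent is the same image running with `-service`.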

Network

  • DNS rl.ammyy.com (remote host: US)
    AMMYY_Admin.exe
    Remote address:
    8.8.8.8:53
    Request
    rl.ammyy.com
    IN A
    Response
    rl.ammyy.com
    IN A
    188.42.129.148
  • POST http://rl.ammyy.com/ (remote host: NL)
    AMMYY_Admin.exe
    Remote address:
    188.42.129.148:80
    Request
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: rl.ammyy.com
    Content-Length: 143
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Wed, 12 Feb 2025 22:56:18 GMT
    Server: Apache
    X-Powered-By: PHP/5.4.16
    Content-Length: 92
    Content-Type: text/html
  • DNS www.ammyy.com (remote host: US)
    AMMYY_Admin.exe
    Remote address:
    8.8.8.8:53
    Request
    www.ammyy.com
    IN A
    Response
    www.ammyy.com
    IN A
    136.243.18.118
  • GET http://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (remote host: DE)
    AMMYY_Admin.exe
    Remote address:
    136.243.18.118:80
    Request
    GET /admin_v3.9_20200220-182209/AA_v3.exe HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Range: bytes=0-
    Accept-Encoding: gzip, deflate
    Host: www.ammyy.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 12 Feb 2025 22:56:22 GMT
    Server: Apache/2.4.6 (CentOS)
    Location: https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe
    Content-Length: 344
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
  • GET https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (remote host: DE)
    AMMYY_Admin.exe
    Remote address:
    136.243.18.118:443
    Request
    GET /admin_v3.9_20200220-182209/AA_v3.exe HTTP/1.1
    Connection: Keep-Alive
    Range: bytes=0-
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache
    Host: www.ammyy.com
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 12 Feb 2025 22:56:23 GMT
    Server: Apache/2.4.6 (CentOS)
    Content-Length: 313
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
  • DNS r10.o.lencr.org (remote host: US)
    AMMYY_Admin.exe
    Remote address:
    8.8.8.8:53
    Request
    r10.o.lencr.org
    IN A
    Response
    r10.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    104.86.110.232
    a1887.dscq.akamai.net
    IN A
    104.86.110.200
  • GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPPWIcoBZfKmcXEgffa%2BM%2Fi9w%3D%3D (remote host: GB)
    AMMYY_Admin.exe
    Remote address:
    104.86.110.232:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPPWIcoBZfKmcXEgffa%2BM%2Fi9w%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: r10.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 504
    ETag: "62D750DDF02E3CEB260D121DEC3341C2690184EB85A86FEDAF4481883D8F0472"
    Last-Modified: Tue, 11 Feb 2025 02:22:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=2159
    Expires: Wed, 12 Feb 2025 23:32:22 GMT
    Date: Wed, 12 Feb 2025 22:56:23 GMT
    Connection: keep-alive
  • POST http://rl.ammyy.com/ (remote host: NL)
    AMMYY_Admin.exe
    Remote address:
    188.42.129.148:80
    Request
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: rl.ammyy.com
    Content-Length: 165
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Wed, 12 Feb 2025 22:56:34 GMT
    Server: Apache
    X-Powered-By: PHP/5.4.16
    Content-Length: 92
    Content-Type: text/html
  • GET http://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (remote host: DE)
    AMMYY_Admin.exe
    Remote address:
    136.243.18.118:80
    Request
    GET /admin_v3.9_20200220-182209/AA_v3.exe HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Range: bytes=0-
    Accept-Encoding: gzip, deflate
    Host: www.ammyy.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 12 Feb 2025 22:56:40 GMT
    Server: Apache/2.4.6 (CentOS)
    Location: https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe
    Content-Length: 344
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
  • GET https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (remote host: DE)
    AMMYY_Admin.exe
    Remote address:
    136.243.18.118:443
    Request
    GET /admin_v3.9_20200220-182209/AA_v3.exe HTTP/1.1
    Connection: Keep-Alive
    Range: bytes=0-
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache
    Host: www.ammyy.com
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 12 Feb 2025 22:56:40 GMT
    Server: Apache/2.4.6 (CentOS)
    Content-Length: 313
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Connections (byte and packet counts are sent / received):

  • 188.42.129.148:80
    http://rl.ammyy.com/ (http), AMMYY_Admin.exe
    651 B / 722 B, 8 / 6 packets
    HTTP Request: POST http://rl.ammyy.com/
    HTTP Response: 200
  • 136.243.18.118:80
    http://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (http), AMMYY_Admin.exe
    526 B / 813 B, 7 / 5 packets
    HTTP Request: GET http://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe
    HTTP Response: 301
  • 136.243.18.118:443
    https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (tls, http), AMMYY_Admin.exe
    1.2kB / 3.8kB, 10 / 9 packets
    HTTP Request: GET https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe
    HTTP Response: 404
  • 104.86.110.232:80
    http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPPWIcoBZfKmcXEgffa%2BM%2Fi9w%3D%3D (http), AMMYY_Admin.exe
    531 B / 2.0kB, 6 / 5 packets
    HTTP Request: GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPPWIcoBZfKmcXEgffa%2BM%2Fi9w%3D%3D
    HTTP Response: 200
  • 188.42.129.148:80
    http://rl.ammyy.com/ (http), AMMYY_Admin.exe
    955 B / 682 B, 14 / 5 packets
    HTTP Request: POST http://rl.ammyy.com/
    HTTP Response: 200
  • 136.243.18.118:80
    http://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (http), AMMYY_Admin.exe
    770 B / 865 B, 8 / 6 packets
    HTTP Request: GET http://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe
    HTTP Response: 301
  • 136.243.18.118:443
    https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe (tls, http), AMMYY_Admin.exe
    1.1kB / 3.7kB, 8 / 8 packets
    HTTP Request: GET https://www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe
    HTTP Response: 404
  • 8.8.8.8:53
    rl.ammyy.com (dns), AMMYY_Admin.exe
    58 B / 74 B, 1 / 1 packets
    DNS Request: rl.ammyy.com
    DNS Response: 188.42.129.148
  • 8.8.8.8:53
    www.ammyy.com (dns), AMMYY_Admin.exe
    59 B / 75 B, 1 / 1 packets
    DNS Request: www.ammyy.com
    DNS Response: 136.243.18.118
  • 8.8.8.8:53
    r10.o.lencr.org (dns), AMMYY_Admin.exe
    61 B / 160 B, 1 / 1 packets
    DNS Request: r10.o.lencr.org
    DNS Response: 104.86.110.232, 104.86.110.200
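The Network section mixes three kinds of traffic that a triage analyst should keep apart: the form-encoded POSTs to rl.ammyy.com (Ammyy's router), the resumable GETs for AA_v3.exe on www.ammyy.com (both of which ended in 404, so no binary reached the host), and an OCSP fetch sent with the `Microsoft-CryptoAPI/6.1` User-Agent, which is the operating system validating the TLS certificate rather than the sample's own code. The following is an added example (not part of the sandbox report and not Ammyy's software) that classifies request records on those criteria, collects only the sample-owned indicators, and emits Suricata rules for them. The request records are constructed from the report's entries; the class names, header heuristics and rule template are this example's own choices.

```python
"""Classify the HTTP requests from the report and extract sample-owned IOCs.

Added example. Request records are constructed from the sandbox report's
Network section (headers abbreviated to the ones the heuristics use).
"""
from collections import Counter
from urllib.parse import urlsplit

PROCESS = "AMMYY_Admin.exe"
UPDATE_URL = "www.ammyy.com/admin_v3.9_20200220-182209/AA_v3.exe"
OCSP_URL = ("http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8J"
            "ZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPPWIcoBZfKmcXEgffa%2BM%2Fi9w%3D%3D")


def req(method, url, ip, status, headers):
    """Build one request record (constructed from the report)."""
    u = urlsplit(url)
    return {"process": PROCESS, "method": method, "scheme": u.scheme, "host": u.hostname,
            "path": u.path, "ip": ip, "status": status, "headers": headers}


CHECKIN = {"Content-Type": "application/x-www-form-urlencoded", "Cache-Control": "no-cache"}
UPDATE_HTTP = {"Content-Type": "application/x-www-form-urlencoded", "Range": "bytes=0-",
               "Accept-Encoding": "gzip, deflate", "Cache-Control": "no-cache"}
UPDATE_HTTPS = {"Connection": "Keep-Alive", "Range": "bytes=0-",
                "Accept-Encoding": "gzip, deflate", "Cache-Control": "no-cache"}
OCSP = {"Connection": "Keep-Alive", "Accept": "*/*", "User-Agent": "Microsoft-CryptoAPI/6.1"}

REQUESTS = [  # same order as the report
    req("POST", "http://rl.ammyy.com/", "188.42.129.148", 200, {**CHECKIN, "Content-Length": "143"}),
    req("GET", "http://" + UPDATE_URL, "136.243.18.118", 301, UPDATE_HTTP),
    req("GET", "https://" + UPDATE_URL, "136.243.18.118", 404, UPDATE_HTTPS),
    req("GET", OCSP_URL, "104.86.110.232", 200, OCSP),
    req("POST", "http://rl.ammyy.com/", "188.42.129.148", 200, {**CHECKIN, "Content-Length": "165"}),
    req("GET", "http://" + UPDATE_URL, "136.243.18.118", 301, UPDATE_HTTP),
    req("GET", "https://" + UPDATE_URL, "136.243.18.118", 404, UPDATE_HTTPS),
]


def classify(r):
    """Label one request. The OS check comes first: CryptoAPI traffic is
    attributed to the sample's process but is not the sample's own behaviour."""
    h = {k.lower(): v for k, v in r["headers"].items()}
    if h.get("user-agent", "").startswith("Microsoft-CryptoAPI"):
        return "os-certificate-check"        # OCSP/CRL fetch triggered by the TLS connection
    if (r["method"] == "POST" and r["host"] == "rl.ammyy.com"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        return "ammyy-router-checkin"        # note: the sample sends no User-Agent at all
    if (r["method"] == "GET" and r["host"].endswith(".ammyy.com")
            and r["path"].lower().endswith(".exe") and h.get("range", "").startswith("bytes=")):
        return "ammyy-update-download"       # resumable fetch of a binary
    return "unclassified"


def triage(requests):
    """Per-class counts, sample-owned indicators, whether a binary was actually
    retrieved (HTTP 200 on a download), and the check-in body sizes."""
    classes = Counter()
    iocs = set()
    payload_retrieved = False
    checkin_sizes = []
    for r in requests:
        label = classify(r)
        classes[label] += 1
        if not label.startswith("ammyy-"):
            continue                         # OS noise is not an indicator of the sample
        iocs.add(("domain", r["host"]))
        iocs.add(("ip", r["ip"]))
        if label == "ammyy-update-download" and r["status"] == 200:
            payload_retrieved = True
        if label == "ammyy-router-checkin":
            checkin_sizes.append(int(r["headers"].get("Content-Length", 0)))
    return {"classes": dict(classes), "iocs": sorted(iocs),
            "payload_retrieved": payload_retrieved, "checkin_sizes": checkin_sizes}


def suricata_rules(summary, base_sid=9000001):
    """One http.host rule per sample-owned domain (Suricata 5+ sticky-buffer syntax)."""
    domains = [v for kind, v in summary["iocs"] if kind == "domain"]
    return ['alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Ammyy Admin traffic to %s"; '
            'flow:established,to_server; http.host; content:"%s"; sid:%d; rev:1;)'
            % (d, d, base_sid + i) for i, d in enumerate(domains)]


if __name__ == "__main__":
    summary = triage(REQUESTS)
    print(summary)
    print("\n".join(suricata_rules(summary)))
```

The `payload_retrieved` flag is the answer to the question this run leaves open: the update path was requested four times and never served, so the 651 KB file on disk is the only binary to analyse. Pulling the lencr.org responder into a blocklist would be a mistake; excluding it by User-Agent here is what keeps it out.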

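The GET to r10.o.lencr.org carries an OCSP request in its path: per RFC 6960 Appendix A, the DER-encoded OCSPRequest is base64-encoded and URL-escaped, which is why the path contains `%2B`, `%2F` and `%3D`. Decoding it tells you which certificate Windows was checking. The following is an added example (not part of the sandbox report, not Ammyy's code, and not a general-purpose ASN.1 library): a minimal DER walker that recovers the hash algorithm, issuer name hash, issuer key hash and serial number from the path copied out of the report. It handles only the definite-length encodings an OCSP request uses.

```python
"""Decode the OCSP request embedded in the GET path recorded in the report.

Added example. OCSP_PATH is the request path from the report's Network
section; the DER walker is written for this demonstration only.
"""
import base64
from urllib.parse import unquote

OCSP_PATH = ("/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2"
             "KRcYVIUxN75n5gZYwLzFBXICEgPPWIcoBZfKmcXEgffa%2BM%2Fi9w%3D%3D")

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

SEQUENCE, OCTET_STRING, INTEGER, OID = 0x30, 0x04, 0x02, 0x06


def der_tlv(buf, pos=0):
    """Return (tag, value bytes, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(path):
    """Parse an RFC 6960 GET path into a list of CertID dicts, one per Request.

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] OPTIONAL }
    TBSRequest  ::= SEQUENCE { version [0] DEFAULT v1, requestorName [1] OPTIONAL,
                               requestList SEQUENCE OF Request, requestExtensions [2] OPTIONAL }
    Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] OPTIONAL }
    CertID      ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
                               issuerKeyHash OCTET STRING, serialNumber INTEGER }
    """
    raw = base64.b64decode(unquote(path.lstrip("/")))
    tag, ocsp_request, end = der_tlv(raw)
    if tag != SEQUENCE or end != len(raw):
        raise ValueError("not a single DER SEQUENCE")
    tbs = next(v for t, v in der_children(ocsp_request) if t == SEQUENCE)
    request_list = next(v for t, v in der_children(tbs) if t == SEQUENCE)  # skips [0]/[1] tags
    results = []
    for _, request in der_children(request_list):
        cert_id = next(v for t, v in der_children(request) if t == SEQUENCE)
        parts = list(der_children(cert_id))
        if [t for t, _ in parts] != [SEQUENCE, OCTET_STRING, OCTET_STRING, INTEGER]:
            raise ValueError("unexpected CertID layout")
        alg_oid = decode_oid(next(v for t, v in der_children(parts[0][1]) if t == OID))
        results.append({
            "hash_algorithm": HASH_OIDS.get(alg_oid, alg_oid),
            "issuer_name_hash": parts[1][1].hex(),
            "issuer_key_hash": parts[2][1].hex(),
            "serial_number": parts[3][1].hex(),
        })
    return results


if __name__ == "__main__":
    for cert_id in parse_ocsp_get(OCSP_PATH):
        for k, v in cert_id.items():
            print("%-17s %s" % (k, v))
```

The hashes in the request are SHA-1 over the issuer's name and key, which is what CryptoAPI on this Windows 7 image sends; matching the serial number against the certificate presented by www.ammyy.com on port 443 is how you confirm the OCSP traffic belongs to that TLS session and not to anything the sample did on its own.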
MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\AMMYY\settings.bin

    Filesize

    76B

    MD5

    090bba5cbe9cd62189310f633f14d686

    SHA1

    0ce1d78aace04650b0c592665686a89412c1771c

    SHA256

    7bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8

    SHA512

    846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7
