flawedammyy | 08916dcbb2ac3443429f3426caaedc77a8ebc30417428266434ab108bb808c15

General

Target

JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Size

712KB
MD5

53126310b9e5a75cdc27768b2e79c49a
SHA1

89d758296729da08b468e545299ec0106309f7d1
SHA256

08916dcbb2ac3443429f3426caaedc77a8ebc30417428266434ab108bb808c15
SHA512

c2bbac5900278feab83341896fad70ba8c9c648ba8a0c5f418481f57d4b641c381ccc0eed732a9d60ffb67a95b2c3478624072b19bbc9080e7f7660fad0fc1c4
SSDEEP

12288:HKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhegl:HorLkbDEhyW3XS1RtcePKUBATZxul

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253c717a84eb1d2b36b	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 070b752a1e1b40dd245bfce8f2fab2000e572ad5a9abd2cd03968648af901891f85b71767a81a48eb86dfbd3704f4e010f60b7c716c4e76fffc252b12fdbf75132debe8eac3774ea97d386	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2420	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2420	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2420	2152	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe	31
PID 2152 wrote to memory of 2420	2152	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe	31
PID 2152 wrote to memory of 2420	2152	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe	31
PID 2152 wrote to memory of 2420	2152	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2124

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
8a905c31091c990428b98dfd03a21848

SHA1
f3af7a6775d9fd9903e00c0a606eecbc7df9a51b

SHA256
cba948276281d9b77baef43ea08c7b6d98dbe503ce7c00f5552b791431b95033

SHA512
9ed0a17a2e29700a0c189f2a4fe988c3935c4d11c6a60b3a78d70beff95e6cd7b5add0ed2c30f205c259255086a03bac25ae313140cbfa77691eaec04750b100

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
ad04a3eedeafb32d7c694688e21cb529

SHA1
3df3c0172e6c2ff929f1a329404c031ab3e471f1

SHA256
5250fc49ef2f5e988061b0b9e36c0f2c37edf98afc2f60dcac9cbbdfdab7346d

SHA512
76547f7bf1ad68e59f9d7e8a4694a3aecb6172d0ba8bcea0d5383c11683c609bc574c39273428889a357ce574203941faa4762a0d33817f9671057cf23c634b5

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
ff581a784b674e06b6c7981319eb3cc7

SHA1
97209bac14a5f851464e78606ad0d2422c0bc48b

SHA256
09c62b32f52257d9e6f045391f6a140e06c66715b8d5b68a87ed9736b62499f5

SHA512
ca1276674e42d31b2936fddf0b85279102ec48d60e75e52eacfb930a203a18377c15e615a6eab0ffaaf5fb77f651641b9aa8fed2767352b45396a4064da7b7e9

Download Submit

Analysis

Sharing