flawedammyy | 08916dcbb2ac3443429f3426caaedc77a8ebc30417428266434ab108bb808c15

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Size

712KB
MD5

53126310b9e5a75cdc27768b2e79c49a
SHA1

89d758296729da08b468e545299ec0106309f7d1
SHA256

08916dcbb2ac3443429f3426caaedc77a8ebc30417428266434ab108bb808c15
SHA512

c2bbac5900278feab83341896fad70ba8c9c648ba8a0c5f418481f57d4b641c381ccc0eed732a9d60ffb67a95b2c3478624072b19bbc9080e7f7660fad0fc1c4
SSDEEP

12288:HKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAhegl:HorLkbDEhyW3XS1RtcePKUBATZxul

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253e797e64eb1d2b36b	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 9089221def80b43e5925f2142e3a7e2194d99d3b766ce178b8444eae892ef5aa0fe212efc6dc21d4c7b7d52369c5fe5ae846707ae4a80e6b545a5973612ea34e5b0f51a5997e3147528f61	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4996	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4996	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4996	1948	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe	86
PID 1948 wrote to memory of 4996	1948	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe	86
PID 1948 wrote to memory of 4996	1948	JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2376

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53126310b9e5a75cdc27768b2e79c49a.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
3e5b75b1e41981c6e3a64e9b831bc18b

SHA1
504f2ba8438767b0f8b0875854c0a616a15e5e4c

SHA256
0dbe1d223ad52d06385ff02409cab2f1d211bab8be71981fe8cacae2272b9d27

SHA512
4172a0453b76c626b0b68839820a4cf126a25367249147a084f877d62febbcbb69356b1dcb1c2ab1486fc50543c81470370e29f5797bbbe668bc03a75030d4cb

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
d810af43a5c649fb82bdbe8456ccaa67

SHA1
83cb282dbbda4f1dccf0dfd6dd5b31a9665e3074

SHA256
1f62f3f7016e20297940bb6d66efe5069ce05ea3035722fc8a0de0cf956d772e

SHA512
630f08edaa79e7f0c932c43b8e7e3531f4c3025fe09153e7d088c1ec77e4fda7a1197dfca9c44cce60b89b391881534714dc0392cb57de6f82db93647510a263

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
ff581a784b674e06b6c7981319eb3cc7

SHA1
97209bac14a5f851464e78606ad0d2422c0bc48b

SHA256
09c62b32f52257d9e6f045391f6a140e06c66715b8d5b68a87ed9736b62499f5

SHA512
ca1276674e42d31b2936fddf0b85279102ec48d60e75e52eacfb930a203a18377c15e615a6eab0ffaaf5fb77f651641b9aa8fed2767352b45396a4064da7b7e9

Download Submit