
Tuesday, July 2, 2019

Interesting COM Object abused by Flawed Ammy RAT

Today I will share some interesting techniques used by this Flawed Ammy RAT downloader: how it uses COM objects to execute, create a scheduled task, and perform other actions.

So let's Start :)

Parsing Domain List of the Infected Machine:

At first, this RAT parses the machine's domain group list using "net group /domain". It captures the output of this command by creating a pipe, which it attaches as the output of the net command at process creation; it then reads from that pipe and looks for the string "WORKGROUP" or "workgroup".

figure 1: net group command


figure 2: looking for the workgroup string in the pipe output
</gm_replace_placeholder_never_emitted>


Checking its Instance running:

It checks whether the user running the infected machine is an admin account. If so, it deletes its component "wsus.exe" as well as the "foundation" service; if not, it only deletes "wsus.exe" and creates a "Nuget" directory in the common %appdata% folder.

figure 3: delete the current instance of itself if it exists.

Harvesting API:

Like other malware, it resolves the APIs it needs dynamically in order to bypass generic API (import-based) detection. It has a function that receives two parameters: the first is a case flag that selects the module in which the API will be looked up, and the second is the hash of the API name itself.

figure 4: looking for the right module to compute api hash


Using IDA Python, I parsed all the APIs within those DLLs and created an ENUM to recognize the API hashes.


figure 5: hash value of the API
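The following script is an added example of the hash-table approach described above; it is not the IDA Python script from the post. The rotate-left-by-7 step matches the shl 7 / shr 25 / or sequence in the rule's $code1 bytes, but the rest of the hash routine (seed value, how each character is mixed in) is an assumption for illustration and was not recovered from the sample, and the export lists are constructed stand-ins for the exports an analyst would pull out of the real DLLs with IDA or pefile.

```python
"""Build a hash -> "module!export" lookup table so that hash constants seen
in a sample can be renamed to API names (added example, not the post's own
IDA script). The hash routine below is an ASSUMPTION: only the rol-7 step is
supported by the $code1 byte pattern in the post's YARA rule."""
from typing import Dict, Iterable

MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """32-bit rotate left; shl 7 / shr 25 / or in the sample is rol32(x, 7)."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Assumed routine: h = rol(h, 7) ^ byte over the ASCII name, seed 0."""
    h = 0
    for b in name.encode("ascii"):
        h = rol32(h, 7) ^ b
    return h


# Constructed export lists standing in for the real DLL export tables, so the
# script runs offline. A real run would enumerate exports with IDA or pefile.
SAMPLE_EXPORTS: Dict[str, Iterable[str]] = {
    "kernel32.dll": ["CreateProcessA", "CreatePipe", "ReadFile", "LoadLibraryA",
                     "GetProcAddress", "DeleteFileA", "CreateDirectoryA"],
    "advapi32.dll": ["OpenSCManagerA", "CreateServiceA", "RegSetValueExA"],
    "wininet.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
}


def build_hash_table(exports: Dict[str, Iterable[str]]) -> Dict[int, str]:
    """Map every export hash to "module!name", refusing silent collisions."""
    table: Dict[int, str] = {}
    for module, names in exports.items():
        for name in names:
            h = api_hash(name)
            qualified = f"{module}!{name}"
            if h in table and table[h] != qualified:
                raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {qualified}")
            table[h] = qualified
    return table


def resolve(table: Dict[int, str], h: int) -> str:
    """Look up a hash constant from the disassembly; unknown hashes stay visible."""
    return table.get(h, f"unknown_{h:#010x}")


def emit_c_enum(table: Dict[int, str], enum_name: str = "api_hash") -> str:
    """Render the table as a C enum that IDA can import as a header file."""
    lines = [f"enum {enum_name} {{"]
    for h, qualified in sorted(table.items(), key=lambda kv: kv[1]):
        ident = qualified.replace(".dll!", "_")
        lines.append(f"    {ident} = {h:#010x},")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    hashes = build_hash_table(SAMPLE_EXPORTS)
    print(emit_c_enum(hashes))
    print(resolve(hashes, api_hash("CreatePipe")))
```

Once the real routine is recovered from the sample, only api_hash needs to change; the table build, collision check and enum output stay the same.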


Downloading The Encrypted Flawed Ammy RAT:

It then tries to download an updated Flawed Ammy RAT from its C&C. The download is RC4 encrypted and, once decrypted, is placed in the TMPTMPZIP7 folder under the common %appdata% directory.

figure 6: downloading and decrypting actual RAT with rc4 key


figure 7: simple rc4 decryptor python script

figure 7.1: decrypted Flawed Ammy RAT
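Since the decryptor in figure 7 survives only as a caption, here is an added example of a stand-alone RC4 decryptor for a downloaded payload blob; it is not the post's script. The post does not print the RC4 key, so the key used below is a labelled placeholder, and the sample input is a constructed PE header stub encrypted with that placeholder key. The script checks that the decrypted result carries an MZ/PE header, which is the quick sanity check that the right key was used.

```python
"""RC4 decryptor for an encrypted downloaded payload (added example, not the
post's figure 7 script). KEY is a PLACEHOLDER: the real key is not on the page."""
import sys
from typing import List, Tuple

PLACEHOLDER_KEY = b"placeholder-rc4-key"  # assumption, not the sample's key


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute S under the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE\\0\\0 signature at e_lfanew: cheap wrong-key detector."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_payload(blob: bytes, key: bytes) -> Tuple[bytes, bool]:
    """Decrypt and report whether the plaintext looks like a PE file."""
    plaintext = rc4_crypt(key, blob)
    return plaintext, looks_like_pe(plaintext)


def constructed_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header (not a real binary) for offline testing."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


# Constructed sample input: the stub above, RC4-encrypted with the placeholder key.
CONSTRUCTED_ENCRYPTED_BLOB = rc4_crypt(PLACEHOLDER_KEY, constructed_pe_stub())


if __name__ == "__main__":
    # Usage: python rc4_decrypt.py <encrypted.dat> <hex key> <out.bin>
    if len(sys.argv) == 4:
        blob = open(sys.argv[1], "rb").read()
        pt, ok = decrypt_payload(blob, bytes.fromhex(sys.argv[2]))
        open(sys.argv[3], "wb").write(pt)
        print("PE header found" if ok else "no PE header: check the key")
    else:
        pt, ok = decrypt_payload(CONSTRUCTED_ENCRYPTED_BLOB, PLACEHOLDER_KEY)
        print("constructed blob decrypts to PE stub:", ok)
```

The MZ/PE check matters in practice: RC4 never fails on a wrong key, it just yields noise, so a header check is the only immediate feedback that the extracted key was right.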

COM OBJECT Execution:

Then it calls the last function, which is responsible for establishing persistence for the Flawed Ammy RAT. If the infected user is an admin, it creates a service named "foundation" with a start value of "auto"; otherwise, it creates a scheduled task through the COM object exposed by taskschd.dll, instantiated by its CLSID.

figure 8: autorun registry

figure 9: COM OBJECT for taskschd.dll




Conclusion:

We can see that malware keeps finding new ways to establish persistence, as we saw here (using a COM object).

IOC:

unpacked version:
sha1: b82204acb89bb14234ff30418e9b786c9980ab12
md5: 9b505f54614a7a350242ab540cbd914b
sha256: 3255b1165b227c35b70908f4eed490210390281fc96913fdf96f066d019bd1c2

original file:
sha1: 2157f3be72a3ce7d92e07d65ab040a34886d3afd
md5: db129f205ba5c87a4637781a33101caa
sha256: 526582ad66a0f96cfac8dd11841ba499a34310efbca37799d9217abe6beca88c

url: hxxp://54.38.127.28/02.dat (actual flawwed ammy rat)

https://www.virustotal.com/gui/file/526582ad66a0f96cfac8dd11841ba499a34310efbca37799d9217abe6beca88c/detection

yara:

import "pe"

rule unpack_flawed_ammy_downloader_win32_ {
    meta:
        author = "tcontre"
        description = "detecting flawwed ammy rat downloader"
        date = "2019-07-02"
        sha256 = "3255b1165b227c35b70908f4eed490210390281fc96913fdf96f066d019bd1c2"

    strings:
        $mz = { 4d 5a }

        // mov eax,[ebp-4]; shl eax,7; mov ecx,[ebp-4]; shr ecx,0x19; or eax,ecx  (rol 7 step of the API hash)
        $code1 = { 8B 45 FC C1 E0 07 8B 4D FC C1 E9 19 0B C1 }

        $n1 = "net user /domain" fullword
        $n2 = "net group /domain" fullword

        $s1 = "NuGets\\template_%x.TMPTMPZIP7" fullword
        $s2 = "wsus.exe" fullword
        $s3 = "Vmwaretrat.exe" fullword wide

    condition:
        ($mz at 0) and $code1 and 1 of ($n*) and 1 of ($s*)
}



