amadey | efc0d9b8a1248079246a0c700927c2405ef76b5e6a899c8e97f603d54651db40

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe
Size

712KB
MD5

9ff7edfe77efb892b78b9afe94d7589a
SHA1

cb61f8e1dfb7a4720c87c85b8bdb33a9deab5b9c
SHA256

efc0d9b8a1248079246a0c700927c2405ef76b5e6a899c8e97f603d54651db40
SHA512

0b978fafc19e2ecebd16323a8a1ef69e25afa8246568e72e83f70538a01391c032a75ea0c2eeafb2152947cfe9b1faab89799505604cfbb7977d89257b5729d7
SSDEEP

12288:W6qx+GgJOpEheBWpJ0NjYZZRKFdCFqPryQ32E9i/4B:8QlmWpJGYZZ4FsFEpn

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

1.99

217.8.117.41/nbDcw2d/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
2692	bdif.exe

Loads dropped DLL 2 IoCs

pid	Process
1648	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe
1648	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2012	schtasks.exe
1900	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	\??\c:\programdata\44def37582\bdif.exe:Zone.Identifier	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1648	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe
2692	bdif.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2692	1648	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe	28
PID 1648 wrote to memory of 2692	1648	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe	28
PID 1648 wrote to memory of 2692	1648	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe	28
PID 1648 wrote to memory of 2692	1648	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe	28
PID 2692 wrote to memory of 1248	2692	bdif.exe	32
PID 2692 wrote to memory of 1248	2692	bdif.exe	32
PID 2692 wrote to memory of 1248	2692	bdif.exe	32
PID 2692 wrote to memory of 1248	2692	bdif.exe	32
PID 2692 wrote to memory of 1244	2692	bdif.exe	31
PID 2692 wrote to memory of 1244	2692	bdif.exe	31
PID 2692 wrote to memory of 1244	2692	bdif.exe	31
PID 2692 wrote to memory of 1244	2692	bdif.exe	31
PID 2692 wrote to memory of 1272	2692	bdif.exe	33
PID 2692 wrote to memory of 1272	2692	bdif.exe	33
PID 2692 wrote to memory of 1272	2692	bdif.exe	33
PID 2692 wrote to memory of 1272	2692	bdif.exe	33
PID 2692 wrote to memory of 1420	2692	bdif.exe	35
PID 2692 wrote to memory of 1420	2692	bdif.exe	35
PID 2692 wrote to memory of 1420	2692	bdif.exe	35
PID 2692 wrote to memory of 1420	2692	bdif.exe	35
PID 1244 wrote to memory of 2012	1244	cmd.exe	39
PID 1244 wrote to memory of 2012	1244	cmd.exe	39
PID 1244 wrote to memory of 2012	1244	cmd.exe	39
PID 1244 wrote to memory of 2012	1244	cmd.exe	39
PID 1248 wrote to memory of 1900	1248	cmd.exe	40
PID 1248 wrote to memory of 1900	1248	cmd.exe	40
PID 1248 wrote to memory of 1900	1248	cmd.exe	40
PID 1248 wrote to memory of 1900	1248	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- \??\c:\programdata\44def37582\bdif.exe
  c:\programdata\44def37582\bdif.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
      4⤵
      Creates scheduled task(s)
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
      4⤵
      Creates scheduled task(s)
      PID:1900
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\44def37582
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\44def37582
    3⤵
    PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\44def37582\bdif.exe

Filesize
712KB

MD5
9ff7edfe77efb892b78b9afe94d7589a

SHA1
cb61f8e1dfb7a4720c87c85b8bdb33a9deab5b9c

SHA256
efc0d9b8a1248079246a0c700927c2405ef76b5e6a899c8e97f603d54651db40

SHA512
0b978fafc19e2ecebd16323a8a1ef69e25afa8246568e72e83f70538a01391c032a75ea0c2eeafb2152947cfe9b1faab89799505604cfbb7977d89257b5729d7

Download Submit
memory/1648-11-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/1648-4-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/1648-0-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2692-29-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/2692-25-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads