amadey | efc0d9b8a1248079246a0c700927c2405ef76b5e6a899c8e97f603d54651db40

Analysis

max time kernel
141s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe
Size

712KB
MD5

9ff7edfe77efb892b78b9afe94d7589a
SHA1

cb61f8e1dfb7a4720c87c85b8bdb33a9deab5b9c
SHA256

efc0d9b8a1248079246a0c700927c2405ef76b5e6a899c8e97f603d54651db40
SHA512

0b978fafc19e2ecebd16323a8a1ef69e25afa8246568e72e83f70538a01391c032a75ea0c2eeafb2152947cfe9b1faab89799505604cfbb7977d89257b5729d7
SSDEEP

12288:W6qx+GgJOpEheBWpJ0NjYZZRKFdCFqPryQ32E9i/4B:8QlmWpJGYZZ4FsFEpn

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

1.99

217.8.117.41/nbDcw2d/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
4372	bdif.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1632	schtasks.exe
2440	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	\??\c:\programdata\44def37582\bdif.exe:Zone.Identifier	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4912	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe
4372	bdif.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4372	4912	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe	81
PID 4912 wrote to memory of 4372	4912	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe	81
PID 4912 wrote to memory of 4372	4912	9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe	81
PID 4372 wrote to memory of 424	4372	bdif.exe	91
PID 4372 wrote to memory of 424	4372	bdif.exe	91
PID 4372 wrote to memory of 424	4372	bdif.exe	91
PID 4372 wrote to memory of 4776	4372	bdif.exe	92
PID 4372 wrote to memory of 4776	4372	bdif.exe	92
PID 4372 wrote to memory of 4776	4372	bdif.exe	92
PID 424 wrote to memory of 1632	424	cmd.exe	95
PID 424 wrote to memory of 1632	424	cmd.exe	95
PID 424 wrote to memory of 1632	424	cmd.exe	95
PID 4372 wrote to memory of 4260	4372	bdif.exe	96
PID 4372 wrote to memory of 4260	4372	bdif.exe	96
PID 4372 wrote to memory of 4260	4372	bdif.exe	96
PID 4372 wrote to memory of 2400	4372	bdif.exe	97
PID 4372 wrote to memory of 2400	4372	bdif.exe	97
PID 4372 wrote to memory of 2400	4372	bdif.exe	97
PID 4260 wrote to memory of 2440	4260	cmd.exe	100
PID 4260 wrote to memory of 2440	4260	cmd.exe	100
PID 4260 wrote to memory of 2440	4260	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ff7edfe77efb892b78b9afe94d7589a_JaffaCakes118.exe"
1⤵
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912
- \??\c:\programdata\44def37582\bdif.exe
  c:\programdata\44def37582\bdif.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
      4⤵
      Creates scheduled task(s)
      PID:1632
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\44def37582
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
      4⤵
      Creates scheduled task(s)
      PID:2440
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\44def37582
    3⤵
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44def37582\bdif.exe

Filesize
712KB

MD5
9ff7edfe77efb892b78b9afe94d7589a

SHA1
cb61f8e1dfb7a4720c87c85b8bdb33a9deab5b9c

SHA256
efc0d9b8a1248079246a0c700927c2405ef76b5e6a899c8e97f603d54651db40

SHA512
0b978fafc19e2ecebd16323a8a1ef69e25afa8246568e72e83f70538a01391c032a75ea0c2eeafb2152947cfe9b1faab89799505604cfbb7977d89257b5729d7

Download Submit
memory/4372-26-0x00000000021B0000-0x00000000021D5000-memory.dmp

Filesize
148KB

Download
memory/4372-22-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/4372-45-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/4912-0-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/4912-4-0x0000000002220000-0x000000000222D000-memory.dmp

Filesize
52KB

Download
memory/4912-5-0x0000000002260000-0x0000000002285000-memory.dmp

Filesize
148KB

Download
memory/4912-20-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads