amadey | 42ba4a13429b26693044eded719292f50e50e9749cc8e1cfb268c6d0b9fd9e1c

General

Target

fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe
Size

712KB
MD5

fe16a136c5f2c6dbfdc19e5aece87361
SHA1

c960ae548ae499d0b9df3279095984c64c3e4111
SHA256

42ba4a13429b26693044eded719292f50e50e9749cc8e1cfb268c6d0b9fd9e1c
SHA512

33de335eeec2e67616a2466adadefe5f7d1ece12f511a0c4fc479a1a194a05393975b25fd3662d7033d9418845cfdd6f111e2f002dfd4f2d3949d57372aef78f
SSDEEP

12288:W6qx+GgJOpEheBWpJ0NjYZZRKFdCFqPryQ32E9i/4B:8QlmWpJGYZZ4FsFEpn

Score

10^/10

amadey defense_evasion discovery trojan

Malware Config

Extracted

Family

amadey

Version

1.99

C2

217.8.117.41/nbDcw2d/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
4984	bdif.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	\??\c:\programdata\44def37582\bdif.exe:Zone.Identifier	fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	\??\c:\programdata\44def37582\bdif.exe:Zone.Identifier	fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1308	schtasks.exe
3640	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5004	fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe
4984	bdif.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4984	5004	fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe	81
PID 5004 wrote to memory of 4984	5004	fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe	81
PID 5004 wrote to memory of 4984	5004	fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe	81
PID 4984 wrote to memory of 116	4984	bdif.exe	92
PID 4984 wrote to memory of 3576	4984	bdif.exe	93
PID 4984 wrote to memory of 116	4984	bdif.exe	92
PID 4984 wrote to memory of 3576	4984	bdif.exe	93
PID 4984 wrote to memory of 116	4984	bdif.exe	92
PID 4984 wrote to memory of 3576	4984	bdif.exe	93
PID 4984 wrote to memory of 4460	4984	bdif.exe	94
PID 4984 wrote to memory of 4460	4984	bdif.exe	94
PID 4984 wrote to memory of 4460	4984	bdif.exe	94
PID 4984 wrote to memory of 5112	4984	bdif.exe	95
PID 4984 wrote to memory of 5112	4984	bdif.exe	95
PID 4984 wrote to memory of 5112	4984	bdif.exe	95
PID 3576 wrote to memory of 3640	3576	cmd.exe	100
PID 3576 wrote to memory of 3640	3576	cmd.exe	100
PID 3576 wrote to memory of 3640	3576	cmd.exe	100
PID 116 wrote to memory of 1308	116	cmd.exe	101
PID 116 wrote to memory of 1308	116	cmd.exe	101
PID 116 wrote to memory of 1308	116	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe16a136c5f2c6dbfdc19e5aece87361_JaffaCakes118.exe"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004
- \??\c:\programdata\44def37582\bdif.exe
  c:\programdata\44def37582\bdif.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN 83bb50ad72ec066ba3b2332b06c6d86c /TR c:\programdata\44def37582\bdif.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3640
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Wc:\programdata\44def37582
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\44def37582
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44def37582\bdif.exe

Filesize
712KB

MD5
fe16a136c5f2c6dbfdc19e5aece87361

SHA1
c960ae548ae499d0b9df3279095984c64c3e4111

SHA256
42ba4a13429b26693044eded719292f50e50e9749cc8e1cfb268c6d0b9fd9e1c

SHA512
33de335eeec2e67616a2466adadefe5f7d1ece12f511a0c4fc479a1a194a05393975b25fd3662d7033d9418845cfdd6f111e2f002dfd4f2d3949d57372aef78f

Download Submit
memory/4984-22-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/4984-26-0x00000000021A0000-0x00000000021C5000-memory.dmp

Filesize
148KB

Download
memory/4984-45-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/5004-4-0x0000000000690000-0x000000000069D000-memory.dmp

Filesize
52KB

Download
memory/5004-0-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/5004-5-0x00000000022E0000-0x0000000002305000-memory.dmp

Filesize
148KB

Download
memory/5004-21-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads