Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    27-11-2024 22:02

General

  • Target

    a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe

  • Size

    7.0MB

  • MD5

    a9d35b3546a908c804d177020daefcb0

  • SHA1

    1ba9d78409d3188653fcb003d618b97a276577fa

  • SHA256

    45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827

  • SHA512

    fb03bd4f20493bfd41e013102162e3ca4b3e084f2be6caf8311c0e772d55ebb8b753f5bcc2397cc0f0b9298ac51da27b96232c858c9bbfcedf00b23db04cd337

  • SSDEEP

    196608:XPGZKb8EmARpfMWw93Axfy46VqPFUXd8hSXJTkWOg0rmt+kK1:+o7pa9wVaqcd8hSZkWOgOmHq

Malware Config

Extracted

Family

amadey

Version

2.42

Botnet

6e6f28

C2

http://185.215.113.20

Attributes
  • install_dir

    82b34ed5a0

  • install_file

    rgbux.exe

  • strings_key

    546f4527af5507340e285ce20285c73e

  • url_paths

    /gb9fskvS/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Babadeda family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a9d35b3546a908c804d177020daefcb0_JaffaCakes118.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3063565911-2056067323-3330884624-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
        "C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    06c70382b6c2e9cdc79875f27f4129c3

    SHA1

    ef17b37ff1a6fd90e11ab17f17bfc24b63f66878

    SHA256

    4f24af8926f2846e8ff486d5922570188f2cea5166e1ddeee739199a03563d66

    SHA512

    daa108d53242cb4ae449fec7bd9d1ceb4b0d3c4e0e3e1bf2cdacf014e650e0c25e2cb394b810fcae013b95483a27149cbb7fbc3f325c96e7c8fb710e860ff2c4

  • C:\Users\Admin\AppData\Local\Temp\152130635659

    Filesize

    80KB

    MD5

    b7c3d6184b4f50e536f6f9f06036dff5

    SHA1

    cef5c0fd35fa6b22b798aced3958c5e9422a2b18

    SHA256

    b9cee1aeb97974b9b68a82938b11c91b36ffbb71822fab9123def22503ec1425

    SHA512

    4299fbfd8668fde6a9990bef924acdc177f4bea19fb7ad8c8196455f3fadb75ff2950cd80a60324c4446b87e59de44bb536686818429ab2301bb5bd6aa6b2aed

  • C:\Users\Admin\AppData\Local\Temp\CabCE0B.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarCE1D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

    Filesize

    326KB

    MD5

    e7a789232ef503dcb4929791673009a3

    SHA1

    8bc28bce4c9d8b4a6e360100441ba54a878de4c1

    SHA256

    89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

    SHA512

    6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

    Filesize

    2KB

    MD5

    44018e1779270b083ad90da3dffe9b15

    SHA1

    e09c06b564abe26bcf91ecb7632d761c3234b30d

    SHA256

    71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c

    SHA512

    ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

    Filesize

    4KB

    MD5

    b3c74bb5250effad46ce11a96c9468c2

    SHA1

    3a339e244a29fe41d13fa4cc951a7e0a2862e299

    SHA256

    5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825

    SHA512

    a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

    Filesize

    4KB

    MD5

    3272be2da53b6d5271111431f7d90d28

    SHA1

    7ec382eee6282454d5b0b03751f3d14c568bbfa5

    SHA256

    4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982

    SHA512

    45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

    Filesize

    2KB

    MD5

    228d4bd899577ed16ad3ac74b592a0e6

    SHA1

    baf99e34e126d6c41b7aa39caabc2376358bab70

    SHA256

    fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5

    SHA512

    285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Images\[email protected]

    Filesize

    2KB

    MD5

    2719683b8dba819f2e6bd9e9b7307f1c

    SHA1

    6cbac17ebf8b56489ad8b8c458dd618b2788512a

    SHA256

    316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a

    SHA512

    96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Uninstall\uninstall.xml

    Filesize

    70KB

    MD5

    119ea2c72d34451d550e7faa161ce11f

    SHA1

    0928756073609ccd61ebef1c124668ee7b74f6df

    SHA256

    beb4b2eed8adf28fb7ae76456543c7dd7e8b2c5404b80e0db05ff6ae1efc64ff

    SHA512

    1437abb325307d41af71246b7ba2904692240743b41ee58dd50456c6fc44c5eaabc261b25b038f51cc7680ca9635c69bedde2737d70c057bd050848f73eee7b6

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\Uninstall\uninstall.xml

    Filesize

    75KB

    MD5

    c4b2f0a2b25449262c4c79a95c05a1bf

    SHA1

    0c49bd808727f5245758e60c39b42f791532ac0b

    SHA256

    dc60fd09267af710e4facb5a64adbaad70c088db6e0793cdb1809843358a5b7a

    SHA512

    035b5a88850e6ae61fa4c64c938729afdaef0e3be8f2536724987c09497f8cd5828ac96fecf278e76faab1d5fd47cb83f47d4be3fb31a33c39fd0bb221ec5bf7

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\libintl-8.dll

    Filesize

    3.8MB

    MD5

    4a9b0f444ac743624a8a975d121c7111

    SHA1

    99c8d48075e63e7b5aa80d39bc6e375c5e6d080b

    SHA256

    6486eb74a008109826731bf73e4cfed5acd4feb2b8c8c2825bb2ecdb9da982a5

    SHA512

    a32595907bd5e03fc473d1628ff5db076cd4b62eed1de43b55a774c0e3508096218c16e7afd12e2ca9e9fc8203aadfe1d38140a0c917784d722f19668dc6d9a4

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\manual.pdf

    Filesize

    431KB

    MD5

    b78eb6c1f6364dea245a592bf1cb6a13

    SHA1

    b509bc936a3882db2c911d6bde86da05e5bf829d

    SHA256

    db1efa5c12505764838c95c1f377d3584dde6ff5c7470a4d0c7bb61254065608

    SHA512

    834a06116f2e9e62c60a6024dcbb5f18f938820bb04bfb221fbdcd49b3f0fb61a471edf3056fb1256357beeaf36e8b4d0a5331c2bcfc4f1d2fd5e7f3a277269c

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_banner.html

    Filesize

    490B

    MD5

    5d1f7da1c3d95020a0708118145364d0

    SHA1

    02f630e7ac8b8d400af219bd8811aa3a22f7186e

    SHA256

    d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

    SHA512

    6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_connect_to_data_no_mru.html

    Filesize

    1KB

    MD5

    20bbd307866f19a5af3ae9ebd5104018

    SHA1

    8e03c9b18b9d27e9292ee154b773553493df1157

    SHA256

    e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

    SHA512

    420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_connect_to_data_with_mru.html

    Filesize

    1KB

    MD5

    e6bc0d078616dd5d5f72d46ab2216e89

    SHA1

    f70534bb999bcb8f1db0cf25a7279757e794499f

    SHA256

    e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

    SHA512

    6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_landing.html

    Filesize

    720B

    MD5

    0a5b47256c14570b80ef77ecfd2129b7

    SHA1

    69210a7429c991909c70b6b6b75fe4bc606048ae

    SHA256

    1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

    SHA512

    5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_topstrip_no_mru.html

    Filesize

    659B

    MD5

    eced86c9d5b8952ac5fb817c3ce2b8ba

    SHA1

    3ca24e69df7a4b81f799527a97282799fcd3f1e2

    SHA256

    3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

    SHA512

    a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\html\startpage_topstrip_with_mru.html

    Filesize

    798B

    MD5

    cc4d8a787ab1950c4e3aac5751c9fcde

    SHA1

    d026a156723a52c34927b5a951a2bb7d23aa2c45

    SHA256

    13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

    SHA512

    e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\stylesheets\start_page.css

    Filesize

    2KB

    MD5

    f2ab3e5fb61293ae8656413dbb6e5dc3

    SHA1

    53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

    SHA256

    06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

    SHA512

    2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

  • C:\Users\Admin\AppData\Roaming\DbVisualizer Manager\res\public\en\stylesheets\start_page_landing.css

    Filesize

    282B

    MD5

    49617add7303a8fbd24e1ad16ba715d8

    SHA1

    31772218ccf51fe5955625346c12e00c0f2e539a

    SHA256

    b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

    SHA512

    9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

    Filesize

    1.3MB

    MD5

    ac23d03c4b8d531016a3c1ebfa2bc91c

    SHA1

    11383627d5515ed2257f594db7fbce3a4b9106f8

    SHA256

    0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

    SHA512

    bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

  • \Users\Admin\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

    Filesize

    4.9MB

    MD5

    7ecebf023300b9b55d8c45a4c418e777

    SHA1

    f82a08f188eeab23adb988cfdecd9bfb7d5d3f58

    SHA256

    5de35a3de224a39ae9e5f68f55711e75a13869e05c11cf02cf026996ab10b53c

    SHA512

    55bf4127741901c3636a82e8f638e6489a0f4facfe02fe062fe32c5748a4374e0d453966389761f5cb9becd74fd664f7cf189071851dc947f035121b75a62005

  • memory/1088-14-0x0000000003340000-0x0000000003728000-memory.dmp

    Filesize

    3.9MB

  • memory/1088-15-0x0000000003340000-0x0000000003728000-memory.dmp

    Filesize

    3.9MB

  • memory/1088-16-0x0000000003340000-0x0000000003728000-memory.dmp

    Filesize

    3.9MB

  • memory/1088-842-0x0000000003340000-0x0000000003728000-memory.dmp

    Filesize

    3.9MB

  • memory/2472-962-0x00000000000F0000-0x00000000005D3000-memory.dmp

    Filesize

    4.9MB

  • memory/2472-840-0x00000000000F0000-0x00000000005D3000-memory.dmp

    Filesize

    4.9MB

  • memory/2792-818-0x0000000000910000-0x0000000000920000-memory.dmp

    Filesize

    64KB

  • memory/2792-18-0x00000000009A0000-0x0000000000D88000-memory.dmp

    Filesize

    3.9MB

  • memory/2792-838-0x00000000009A0000-0x0000000000D88000-memory.dmp

    Filesize

    3.9MB

  • memory/2792-830-0x0000000005690000-0x0000000005B73000-memory.dmp

    Filesize

    4.9MB

  • memory/2792-831-0x0000000005690000-0x0000000005B73000-memory.dmp

    Filesize

    4.9MB

  • memory/2792-832-0x0000000005690000-0x0000000005B73000-memory.dmp

    Filesize

    4.9MB