amadey | fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187

General

Target

JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
Size

378KB
MD5

158f8d3f2c3cdca8900dea5585e2004a
SHA1

1eb6953b90c6d8ec509c949585f000438990bcac
SHA256

fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187
SHA512

320bed7dfd234a8e71fcd7848003193d2920acfa5f726329576f8f70f7c9226f4f9e80357480de6f940731804852402a72d97fb457ad917aebde32b42ee681f5
SSDEEP

6144:V93Roih6E2l8sEmRMixefsmk8VRuzbgwuO0Q7ITsqGrnH3XEHwVfu:V9BoihHo8sEy/cfsmdunnwQ7zH

Score

10^/10

amadey d00855 discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.08

Botnet

d00855

C2

http://179.43.154.147

Attributes

install_dir
9d5cca72fb
install_file
ftewk.exe
strings_key
9defde16baecb416084964a9b667f06e
url_paths
/d2VxjasuwS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Executes dropped EXE 3 IoCs

pid	Process
2084	ftewk.exe
1744	ftewk.exe
2132	ftewk.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
2404	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2864	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2084	2404	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe	30
PID 2404 wrote to memory of 2084	2404	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe	30
PID 2404 wrote to memory of 2084	2404	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe	30
PID 2404 wrote to memory of 2084	2404	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe	30
PID 2084 wrote to memory of 2732	2084	ftewk.exe	31
PID 2084 wrote to memory of 2732	2084	ftewk.exe	31
PID 2084 wrote to memory of 2732	2084	ftewk.exe	31
PID 2084 wrote to memory of 2732	2084	ftewk.exe	31
PID 2084 wrote to memory of 2864	2084	ftewk.exe	33
PID 2084 wrote to memory of 2864	2084	ftewk.exe	33
PID 2084 wrote to memory of 2864	2084	ftewk.exe	33
PID 2084 wrote to memory of 2864	2084	ftewk.exe	33
PID 2732 wrote to memory of 2900	2732	cmd.exe	35
PID 2732 wrote to memory of 2900	2732	cmd.exe	35
PID 2732 wrote to memory of 2900	2732	cmd.exe	35
PID 2732 wrote to memory of 2900	2732	cmd.exe	35
PID 2920 wrote to memory of 1744	2920	taskeng.exe	39
PID 2920 wrote to memory of 1744	2920	taskeng.exe	39
PID 2920 wrote to memory of 1744	2920	taskeng.exe	39
PID 2920 wrote to memory of 1744	2920	taskeng.exe	39
PID 2920 wrote to memory of 2132	2920	taskeng.exe	40
PID 2920 wrote to memory of 2132	2920	taskeng.exe	40
PID 2920 wrote to memory of 2132	2920	taskeng.exe	40
PID 2920 wrote to memory of 2132	2920	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2864

C:\Windows\system32\taskeng.exe
taskeng.exe {EB352901-D22A-49AA-A766-2E6E029C7FB2} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\216357716555

Filesize
64KB

MD5
a27b550596b384a8fe1b63d80835284a

SHA1
bbe9f445d2e23fa383f2cb7e6e96cd0ef2b5d3fe

SHA256
be966df0861feac03a10c65ea9f0267ae7545cd1f7b2057d78047359e9352496

SHA512
47126b0d42f71233d47a3b45145fdafe29033e104d68f457aee49405414a9e99ab262579e68f7c9d60b9bdafe940566eaa713e2897ca804ff65db3986ece747b

Download Submit
\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
378KB

MD5
158f8d3f2c3cdca8900dea5585e2004a

SHA1
1eb6953b90c6d8ec509c949585f000438990bcac

SHA256
fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187

SHA512
320bed7dfd234a8e71fcd7848003193d2920acfa5f726329576f8f70f7c9226f4f9e80357480de6f940731804852402a72d97fb457ad917aebde32b42ee681f5

Download Submit
memory/1744-37-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-33-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-27-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-42-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-17-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-19-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-18-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-23-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2084-38-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2132-46-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2404-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-1-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2404-4-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2404-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-14-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads