amadey | fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187

General

Target

JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
Size

378KB
MD5

158f8d3f2c3cdca8900dea5585e2004a
SHA1

1eb6953b90c6d8ec509c949585f000438990bcac
SHA256

fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187
SHA512

320bed7dfd234a8e71fcd7848003193d2920acfa5f726329576f8f70f7c9226f4f9e80357480de6f940731804852402a72d97fb457ad917aebde32b42ee681f5
SSDEEP

6144:V93Roih6E2l8sEmRMixefsmk8VRuzbgwuO0Q7ITsqGrnH3XEHwVfu:V9BoihHo8sEy/cfsmdunnwQ7zH

Score

10^/10

amadey d00855 discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.08

Botnet

d00855

C2

http://179.43.154.147

Attributes

install_dir
9d5cca72fb
install_file
ftewk.exe
strings_key
9defde16baecb416084964a9b667f06e
url_paths
/d2VxjasuwS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ftewk.exe

Executes dropped EXE 3 IoCs

pid	Process
1620	ftewk.exe
3916	ftewk.exe
2724	ftewk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
444	1868	WerFault.exe	83
1696	3916	WerFault.exe	102
4652	2724	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3196	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1620	1868	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe	84
PID 1868 wrote to memory of 1620	1868	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe	84
PID 1868 wrote to memory of 1620	1868	JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe	84
PID 1620 wrote to memory of 2080	1620	ftewk.exe	88
PID 1620 wrote to memory of 2080	1620	ftewk.exe	88
PID 1620 wrote to memory of 2080	1620	ftewk.exe	88
PID 1620 wrote to memory of 3196	1620	ftewk.exe	90
PID 1620 wrote to memory of 3196	1620	ftewk.exe	90
PID 1620 wrote to memory of 3196	1620	ftewk.exe	90
PID 2080 wrote to memory of 1448	2080	cmd.exe	92
PID 2080 wrote to memory of 1448	2080	cmd.exe	92
PID 2080 wrote to memory of 1448	2080	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1104
  2⤵
  - Program crash
  PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1868 -ip 1868
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 508
  2⤵
  - Program crash
  PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3916 -ip 3916
1⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 508
  2⤵
  - Program crash
  PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2724 -ip 2724
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\685323311985

Filesize
81KB

MD5
96e3a0ac0c19f5992e12767c3debdccd

SHA1
4f9fe35098579fd0310f89e84b9c94758ecb3c6c

SHA256
b6bab681351472fa441c99e343d5ade15ca0d06b1e494b875432d542342388b0

SHA512
89f8778d6b6ffd0d2275879f11a03edf2d6905d65b61b60b9528785b2a1d91f2af77dbd91ae146ed1df87c34b106b45397aaa31f703dae3e13cd86b2beb97d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
378KB

MD5
158f8d3f2c3cdca8900dea5585e2004a

SHA1
1eb6953b90c6d8ec509c949585f000438990bcac

SHA256
fe4985cc75d00384cf4030b80f7f41eab3f3788ef9144b53f4ea52150f5f8187

SHA512
320bed7dfd234a8e71fcd7848003193d2920acfa5f726329576f8f70f7c9226f4f9e80357480de6f940731804852402a72d97fb457ad917aebde32b42ee681f5

Download Submit
memory/1620-40-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-34-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-50-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-44-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-42-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-20-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-22-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-21-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-26-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1620-35-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1868-2-0x00000000021F0000-0x0000000002228000-memory.dmp

Filesize
224KB

Download
memory/1868-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1868-1-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1868-16-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1868-17-0x00000000021F0000-0x0000000002228000-memory.dmp

Filesize
224KB

Download
memory/1868-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-48-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3916-39-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads