General

  • Target

    JaffaCakes118_10a7d83a5560c2ad097c43ad2654e1f31f065be4e4b3bb59628b36c08f829a48

  • Size

    163KB

  • Sample

    241223-3k9r4svmhz

  • MD5

    86b3d79b6b43440a0aa881f477100abf

  • SHA1

    23f7268bdb475a33d6bfec4debd14e0a8dca3b50

  • SHA256

    10a7d83a5560c2ad097c43ad2654e1f31f065be4e4b3bb59628b36c08f829a48

  • SHA512

    319e98c2a6ff91ddd81359e1134199f4ebd1734dc3454eb32d3d6bb21b6ed67981e20d47850b9593de612d3c84cd85c13dbd02556807b0ab1c01e1bf9bce761e

  • SSDEEP

    3072:I24Q+EJ64RjJ87MbUVRW83xUjr1ZS+JufkszE0AFyNwm+YK3Knpva2oVVFlR:I24QB7j8Qg083xCr++JEkmE09wmm8aNB

Malware Config

Extracted

Family

amadey

Version

3.50

Botnet

0237fa

C2

http://193.56.146.194

Attributes
  • install_dir

    50c1695437

  • install_file

    rovwer.exe

  • strings_key

    b6d412dd2efdf33d84e939e52040748f

  • url_paths

    /h49vlBP/index.php

rc4.plain
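The config block above gives everything needed to turn this sample into actionable indicators: the C2 host plus url_paths yields the full check-in endpoint, install_dir and install_file give the dropped copy, and strings_key with rc4.plain indicates that the 32-character key is applied directly as an RC4 key. The following added example (not part of the sandbox report, and not Amadey's own code) composes those IOCs and shows the RC4 routine a string decryptor would use. The install-path parent (%TEMP%) is an assumption to be confirmed against the sandbox's file-system events, and the sample ciphertext is constructed here by encrypting a known string with strings_key, not a blob pulled from the binary.

```python
"""
Added example: derive IOCs from the extracted Amadey config and apply the
strings_key as a plain RC4 key. Not code from the report or from Amadey.
"""

# Values copied from the "Malware Config" section of the report.
C2_HOSTS = ["http://193.56.146.194"]
URL_PATHS = ["/h49vlBP/index.php"]
INSTALL_DIR = "50c1695437"
INSTALL_FILE = "rovwer.exe"
# rc4.plain: the key is used as-is (the ASCII hex string), not hex-decoded.
STRINGS_KEY = b"b6d412dd2efdf33d84e939e52040748f"


def c2_urls(hosts=None, paths=None):
    """Full check-in endpoints: every C2 host joined with every url_path."""
    hosts = C2_HOSTS if hosts is None else hosts
    paths = URL_PATHS if paths is None else paths
    return [h.rstrip("/") + p for h in hosts for p in paths]


def install_paths(temp_dir=r"%TEMP%"):
    """Expected on-disk location of the persisted copy.

    Assumption: the parent directory is the user's Temp folder; verify the
    parent against the sandbox's file-system events before using this IOC.
    """
    return [rf"{temp_dir}\{INSTALL_DIR}\{INSTALL_FILE}"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_hex_string(hex_blob: str, key: bytes = STRINGS_KEY) -> str:
    """Decrypt a hex-encoded, RC4-protected string with the config's strings_key."""
    return rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")


# Constructed sample input: a plausible plaintext encrypted with STRINGS_KEY so
# the decrypt path can be exercised offline. This is NOT a blob from the sample.
SAMPLE_PLAINTEXT = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_HEX = rc4(STRINGS_KEY, SAMPLE_PLAINTEXT.encode()).hex()


if __name__ == "__main__":
    print("C2 endpoints:", c2_urls())
    print("Dropped copy:", install_paths())
    print("Decrypted sample string:", decrypt_hex_string(SAMPLE_HEX))
```

When hunting with these values, match on the full endpoint (host and path together) rather than the bare IP, and treat the install directory name as a per-build constant that will change across campaigns.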

Targets

    • Target

      914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe

    • Size

      212KB

    • MD5

      f57c2b72ee75c357a12ce03a08be95b8

    • SHA1

      c0e8867ac37614f7e0e40fab9a66b9c6ef1c3249

    • SHA256

      914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2

    • SHA512

      59123bbe391f391b3c248f5be7889fad1cc806bbcbbe9ed1653c3ca687f7d27f21ba7e75215e225ddc04e29195d5e5a712e7a6219968eb1ff0e74c32d69da5da

    • SSDEEP

      3072:qeJLLpTnq5URrqNqYd31LgpI01TEr4J6anBbkPzHM38ad:zLLpThR4qYh1UG01TEr4nWw38s

    • Amadey

      Amadey is a simple trojan bot, primarily used to collect reconnaissance information about the infected host.

    • Amadey family

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks