General

  • Target

    JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78

  • Size

    4.1MB

  • Sample

    241224-akfj2swnfk

  • MD5

    65b9a2bb5e5510eda9a351da1f95e508

  • SHA1

    673472622fed797b1afb577d0053c9ee2d83d675

  • SHA256

    dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78

  • SHA512

    028aa956ebaf1e20219f8d25fb55f087bbcc68f93e13833ae2be70995cd16696c3cd36fe9accafc00ef20975e3bb016ecd924e264217629cd814971d761020f8

  • SSDEEP

    98304:xly2wGPLwrHKNVXf1WOWxQmeaVPnNPi0ambpBcs/zdPvHrCi9FZF:PwGPLwLKNlkOWzPd/pBdLr9bF

Malware Config

Extracted

Family

amadey

Version

3.01

Botnet

1ce576

Attributes

  • install_dir

    91a0189a82

  • install_file

    tkools.exe

  • strings_key

    5031c806169b48d93a79100688ba0f46

  • url_paths

    /g8lvleE2z/index.php

rc4.plain

Targets

    • Target

      JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78

    • Size

      4.1MB

    • MD5

      65b9a2bb5e5510eda9a351da1f95e508

    • SHA1

      673472622fed797b1afb577d0053c9ee2d83d675

    • SHA256

      dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78

    • SHA512

      028aa956ebaf1e20219f8d25fb55f087bbcc68f93e13833ae2be70995cd16696c3cd36fe9accafc00ef20975e3bb016ecd924e264217629cd814971d761020f8

    • SSDEEP

      98304:xly2wGPLwrHKNVXf1WOWxQmeaVPnNPi0ambpBcs/zdPvHrCi9FZF:PwGPLwLKNlkOWzPd/pBdLr9bF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks