General

  • Target

    JaffaCakes118_0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034

  • Size

    383KB

  • Sample

    241224-ctm2layqdv

  • MD5

    fca659ae151e9601e395311c80affaf3

  • SHA1

    4267eba1fd55cba76e72d239d32b44d7415ef0c7

  • SHA256

    0ad22c62ad6c2d47a67e6363c4c581b4484535a1037dca85c0e6c56793130034

  • SHA512

    c74044ee4f85a07a318a20830d39551fdb95dec61794f1cba6d71d2d4d76f5290ee3b191eb8c69a0cac7bd8a1229bc95111d7640abf9d66bdfc95b2bbfa512fa

  • SSDEEP

    6144:kPOoI3LsLwU9DjVOxnbLdWdR+sVEPQs6FU6KdAHuzbgwuO0Q7ITsqpTmZwVfT:kP5I3Lo59OxbLdWQIvUwunnwQ7OT

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.08

  • Botnet

    d00855

  • C2

    http://179.43.154.147

Attributes

  • install_dir

    9d5cca72fb

  • install_file

    ftewk.exe

  • strings_key

    9defde16baecb416084964a9b667f06e

  • url_paths

    /d2VxjasuwS/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks