amadey | c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee

General

Target

JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
Size

383KB
MD5

4c1c1353d9ba6ccbb2c14f31b77c7a78
SHA1

6bdfd8cdebd9455c4e8dec17d992764865b52c56
SHA256

c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee
SHA512

fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177
SSDEEP

6144:++E1M63eDwShxpZWqipaOkBI2KbQBL3XjpuzbgwuO0RikwVfT:1Ei63eDwQX7ipaJB1GcL3tunnwR

Score

10^/10

amadey d00855 discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.08

Botnet

d00855

C2

http://179.43.154.147

Attributes

install_dir
9d5cca72fb
install_file
ftewk.exe
strings_key
9defde16baecb416084964a9b667f06e
url_paths
/d2VxjasuwS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Executes dropped EXE 3 IoCs

pid	Process
2392	ftewk.exe
1300	ftewk.exe
2060	ftewk.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
2128	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2340	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2392	2128	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe	30
PID 2128 wrote to memory of 2392	2128	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe	30
PID 2128 wrote to memory of 2392	2128	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe	30
PID 2128 wrote to memory of 2392	2128	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe	30
PID 2392 wrote to memory of 2156	2392	ftewk.exe	31
PID 2392 wrote to memory of 2156	2392	ftewk.exe	31
PID 2392 wrote to memory of 2156	2392	ftewk.exe	31
PID 2392 wrote to memory of 2156	2392	ftewk.exe	31
PID 2392 wrote to memory of 2340	2392	ftewk.exe	33
PID 2392 wrote to memory of 2340	2392	ftewk.exe	33
PID 2392 wrote to memory of 2340	2392	ftewk.exe	33
PID 2392 wrote to memory of 2340	2392	ftewk.exe	33
PID 2156 wrote to memory of 2856	2156	cmd.exe	35
PID 2156 wrote to memory of 2856	2156	cmd.exe	35
PID 2156 wrote to memory of 2856	2156	cmd.exe	35
PID 2156 wrote to memory of 2856	2156	cmd.exe	35
PID 1200 wrote to memory of 1300	1200	taskeng.exe	39
PID 1200 wrote to memory of 1300	1200	taskeng.exe	39
PID 1200 wrote to memory of 1300	1200	taskeng.exe	39
PID 1200 wrote to memory of 1300	1200	taskeng.exe	39
PID 1200 wrote to memory of 2060	1200	taskeng.exe	40
PID 1200 wrote to memory of 2060	1200	taskeng.exe	40
PID 1200 wrote to memory of 2060	1200	taskeng.exe	40
PID 1200 wrote to memory of 2060	1200	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2340

C:\Windows\system32\taskeng.exe
taskeng.exe {25AA08AB-15FB-437B-8EDE-586A3F0E7C92} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\387587176297

Filesize
63KB

MD5
d1248ae09d49ba2f88f2401d0c47a01f

SHA1
44bf3a5a0a3284450b2d2465403677d39615d34a

SHA256
1b81d78e3d140863fcbb459d5f1994f5b9f8f161f9e72ad9f4cd97fa80b3f84a

SHA512
4bd894ef6bc52cc1d95e64bfa0d00aa4616ad2c5f9a8e50b5a3f6253d664c602a07231053b4094f9fbac2a3c85b8fe73bb472861f63dee9aa220fa4d21b0b9f1

Download Submit
\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
383KB

MD5
4c1c1353d9ba6ccbb2c14f31b77c7a78

SHA1
6bdfd8cdebd9455c4e8dec17d992764865b52c56

SHA256
c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee

SHA512
fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177

Download Submit
memory/1300-38-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2060-47-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2128-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-1-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2128-14-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2128-2-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2128-15-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2128-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-20-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2392-28-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2392-24-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2392-36-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2392-19-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2392-39-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2392-43-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2392-18-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads