amadey | c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee

General

Target

JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
Size

383KB
MD5

4c1c1353d9ba6ccbb2c14f31b77c7a78
SHA1

6bdfd8cdebd9455c4e8dec17d992764865b52c56
SHA256

c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee
SHA512

fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177
SSDEEP

6144:++E1M63eDwShxpZWqipaOkBI2KbQBL3XjpuzbgwuO0RikwVfT:1Ei63eDwQX7ipaJB1GcL3tunnwR

Score

10^/10

amadey d00855 discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.08

Botnet

d00855

C2

http://179.43.154.147

Attributes

install_dir
9d5cca72fb
install_file
ftewk.exe
strings_key
9defde16baecb416084964a9b667f06e
url_paths
/d2VxjasuwS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ftewk.exe

Executes dropped EXE 3 IoCs

pid	Process
2184	ftewk.exe
4116	ftewk.exe
3280	ftewk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3480	4980	WerFault.exe	81
2744	4116	WerFault.exe	100
4928	3280	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftewk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5036	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2184	4980	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe	82
PID 4980 wrote to memory of 2184	4980	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe	82
PID 4980 wrote to memory of 2184	4980	JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe	82
PID 2184 wrote to memory of 4312	2184	ftewk.exe	90
PID 2184 wrote to memory of 4312	2184	ftewk.exe	90
PID 2184 wrote to memory of 4312	2184	ftewk.exe	90
PID 2184 wrote to memory of 5036	2184	ftewk.exe	92
PID 2184 wrote to memory of 5036	2184	ftewk.exe	92
PID 2184 wrote to memory of 5036	2184	ftewk.exe	92
PID 4312 wrote to memory of 4148	4312	cmd.exe	94
PID 4312 wrote to memory of 4148	4312	cmd.exe	94
PID 4312 wrote to memory of 4148	4312	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
      4⤵
      System Location Discovery: System Language Discovery
      PID:4148
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1100
  2⤵
  - Program crash
  PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4980 -ip 4980
1⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 500
  2⤵
  - Program crash
  PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4116 -ip 4116
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 500
  2⤵
  - Program crash
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3280 -ip 3280
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\847357946614

Filesize
83KB

MD5
01854b6a0c8106277820fcc7ed06ede8

SHA1
556b1b1cb44020d54049f74a1b6bb333a797d430

SHA256
4bc64c85c8e384d7bfd8b79e838369a818588a6d6c8c58ee01307690327437b5

SHA512
da14fc26df0c20cb80ca99c06df2a33954ec9aae38ad84058337c3dd72ce89481ed08a9bd36d6c4450cab5289ce7aa0e667019525f642a0057101d27ac455aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
383KB

MD5
4c1c1353d9ba6ccbb2c14f31b77c7a78

SHA1
6bdfd8cdebd9455c4e8dec17d992764865b52c56

SHA256
c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee

SHA512
fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177

Download Submit
memory/2184-34-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-33-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-49-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-43-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-41-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-21-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-20-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-25-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-39-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3280-46-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4116-38-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4980-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-1-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/4980-2-0x0000000002220000-0x0000000002258000-memory.dmp

Filesize
224KB

Download
memory/4980-16-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4980-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-17-0x0000000002220000-0x0000000002258000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads