amadey | d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
Size

644KB
MD5

1ab71541ca9a32e1bf68f0cfea8e1f7b
SHA1

1b5615f4b20349b2939725fba10430540dc3c13d
SHA256

d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476
SHA512

3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651
SSDEEP

12288:YvFZvSduvBf6l2uoQceGlfziC8lQsIaz/Wc9Gojl3vtMK6:y3v1Bf6Yu36lfuCDaqc9Gojl3Fl

Score

10^/10

amadey 109c93 trojan

Malware Config

Extracted

Family

amadey

Version

2.11

Botnet

109c93

http://csgoprofind.net

Attributes

install_dir
de9b658861
install_file
rween.exe
strings_key
720b92c5e32946a09a188fd6d18f00e2
url_paths
/gWmR5f2W/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

rween.exe

pid process

2592 rween.exe
Loads dropped DLL 2 IoCs

Processes:

1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe

pid process

1992 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
1992 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exerween.exe

pid process

1992 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
1992 1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
2592 rween.exe
2592 rween.exe

pid	process
2592	rween.exe

pid	process
1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe

pid	process
1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
2592	rween.exe
2592	rween.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exerween.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 2592	1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe	rween.exe
PID 1992 wrote to memory of 2592	1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe	rween.exe
PID 1992 wrote to memory of 2592	1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe	rween.exe
PID 1992 wrote to memory of 2592	1992	1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe	rween.exe
PID 2592 wrote to memory of 2732	2592	rween.exe	cmd.exe
PID 2592 wrote to memory of 2732	2592	rween.exe	cmd.exe
PID 2592 wrote to memory of 2732	2592	rween.exe	cmd.exe
PID 2592 wrote to memory of 2732	2592	rween.exe	cmd.exe
PID 2732 wrote to memory of 2508	2732	cmd.exe	reg.exe
PID 2732 wrote to memory of 2508	2732	cmd.exe	reg.exe
PID 2732 wrote to memory of 2508	2732	cmd.exe	reg.exe
PID 2732 wrote to memory of 2508	2732	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\ProgramData\de9b658861\rween.exe
"C:\ProgramData\de9b658861\rween.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
3⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
4⤵
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\152148167823037733278593
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\de9b658861\rween.exe
Filesize
644KB

MD5
1ab71541ca9a32e1bf68f0cfea8e1f7b

SHA1
1b5615f4b20349b2939725fba10430540dc3c13d

SHA256
d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476

SHA512
3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651

Download Submit
memory/1992-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1992-5-0x0000000000890000-0x00000000008BD000-memory.dmp

Filesize
180KB

Download
memory/1992-17-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1992-18-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1992-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2592-19-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-25-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-26-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-27-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-28-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2592-32-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download