Overview

overview

10

Static

static

3

1ab71541ca...18.exe

windows7-x64

10

1ab71541ca...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe

  • Size

    644KB

  • MD5

    1ab71541ca9a32e1bf68f0cfea8e1f7b

  • SHA1

    1b5615f4b20349b2939725fba10430540dc3c13d

  • SHA256

    d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476

  • SHA512

    3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651

  • SSDEEP

    12288:YvFZvSduvBf6l2uoQceGlfziC8lQsIaz/Wc9Gojl3vtMK6:y3v1Bf6Yu36lfuCDaqc9Gojl3Fl

Score
10/10
amadey109c93trojan

Malware Config

Extracted

Family

amadey

Version

2.11

Botnet

109c93

C2

http://csgoprofind.net

Attributes
  • install_dir

    de9b658861

  • install_file

    rween.exe

  • strings_key

    720b92c5e32946a09a188fd6d18f00e2

  • url_paths

    /gWmR5f2W/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1ab71541ca9a32e1bf68f0cfea8e1f7b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\ProgramData\de9b658861\rween.exe
      "C:\ProgramData\de9b658861\rween.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\de9b658861\
          4⤵
            PID:4648

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\152142044500731267028356
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\ProgramData\de9b658861\rween.exe
      Filesize

      644KB

      MD5

      1ab71541ca9a32e1bf68f0cfea8e1f7b

      SHA1

      1b5615f4b20349b2939725fba10430540dc3c13d

      SHA256

      d24cd201b59ae8b4b5d3e91e5283c2fb09e8a1659812d8eb04e227061473e476

      SHA512

      3e7bd03b8deecf315a180f873d0486e7415fcb52e03f52f5eb8e33753bc6bedbd559db3f6bb9ca3b09ac3b1efea776eb46dd96e43eab2fd74ef2ba3e3b844651

      Download Submit
    • memory/2012-7-0x00000000029F0000-0x0000000002A1D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2012-0-0x0000000000590000-0x0000000000591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2012-17-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2012-16-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/2012-8-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4876-23-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4876-25-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4876-18-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4876-26-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4876-27-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4876-28-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4876-29-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download
    • memory/4876-34-0x0000000000400000-0x00000000004A8000-memory.dmp
      Filesize

      672KB

      Download