amadey | 1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

Analysis

max time kernel
145s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amadey.exe
Size

231KB
MD5

3dd072d71907f6d5a5b046908c081f11
SHA1

6432c3dacb6e4dec30ad44cc92f79d4a0156affd
SHA256

1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
SHA512

2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453
SSDEEP

6144:0s9bFCavQJdMSzPgI0KIikB/NiFEZu7dRmV:pbFCRMcRIiTFgu7dR

Score

10^/10

amadey dee301 trojan

Malware Config

Extracted

Family

amadey

Version

3.84

Botnet

dee301

http://109.206.241.33

Attributes

install_dir
73456c80a6
install_file
jbruyer.exe
strings_key
ba1b310f6d9af5c6a5f24008b410aec0
url_paths
/9bDc8sQ/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

jbruyer.exejbruyer.exejbruyer.exejbruyer.exe

pid process

2040 jbruyer.exe
1484 jbruyer.exe
1544 jbruyer.exe
936 jbruyer.exe
Loads dropped DLL 1 IoCs

Processes:

amadey.exe

pid process

2000 amadey.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2944 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

amadey.exe

pid process

2000 amadey.exe

pid	process
2040	jbruyer.exe
1484	jbruyer.exe
1544	jbruyer.exe
936	jbruyer.exe

pid	process
2000	amadey.exe

pid	process
2944	schtasks.exe

pid	process
2000	amadey.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

amadey.exejbruyer.execmd.exetaskeng.exe

description	pid	process	target process
PID 2000 wrote to memory of 2040	2000	amadey.exe	jbruyer.exe
PID 2000 wrote to memory of 2040	2000	amadey.exe	jbruyer.exe
PID 2000 wrote to memory of 2040	2000	amadey.exe	jbruyer.exe
PID 2000 wrote to memory of 2040	2000	amadey.exe	jbruyer.exe
PID 2040 wrote to memory of 2944	2040	jbruyer.exe	schtasks.exe
PID 2040 wrote to memory of 2944	2040	jbruyer.exe	schtasks.exe
PID 2040 wrote to memory of 2944	2040	jbruyer.exe	schtasks.exe
PID 2040 wrote to memory of 2944	2040	jbruyer.exe	schtasks.exe
PID 2040 wrote to memory of 2616	2040	jbruyer.exe	cmd.exe
PID 2040 wrote to memory of 2616	2040	jbruyer.exe	cmd.exe
PID 2040 wrote to memory of 2616	2040	jbruyer.exe	cmd.exe
PID 2040 wrote to memory of 2616	2040	jbruyer.exe	cmd.exe
PID 2616 wrote to memory of 2320	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2320	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2320	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2320	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2728	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2728	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2728	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2728	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2492	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2492	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2492	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2492	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2908	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2908	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2908	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2908	2616	cmd.exe	cmd.exe
PID 2616 wrote to memory of 2920	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2920	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2920	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2920	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2644	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2644	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2644	2616	cmd.exe	cacls.exe
PID 2616 wrote to memory of 2644	2616	cmd.exe	cacls.exe
PID 1012 wrote to memory of 1484	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 1484	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 1484	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 1484	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 1544	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 1544	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 1544	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 1544	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 936	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 936	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 936	1012	taskeng.exe	jbruyer.exe
PID 1012 wrote to memory of 936	1012	taskeng.exe	jbruyer.exe

C:\Users\Admin\AppData\Local\Temp\amadey.exe
"C:\Users\Admin\AppData\Local\Temp\amadey.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
"C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN jbruyer.exe /TR "C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe" /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "jbruyer.exe" /P "Admin:N"&&CACLS "jbruyer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\73456c80a6" /P "Admin:N"&&CACLS "..\73456c80a6" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2320

C:\Windows\SysWOW64\cacls.exe
CACLS "jbruyer.exe" /P "Admin:N"
4⤵
PID:2728

C:\Windows\SysWOW64\cacls.exe
CACLS "jbruyer.exe" /P "Admin:R" /E
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2908

C:\Windows\SysWOW64\cacls.exe
CACLS "..\73456c80a6" /P "Admin:N"
4⤵
PID:2920

C:\Windows\SysWOW64\cacls.exe
CACLS "..\73456c80a6" /P "Admin:R" /E
4⤵
PID:2644

C:\Windows\system32\taskeng.exe
taskeng.exe {0A503CF1-D70E-4A37-8E7F-F2CF76FED78D} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
2⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
2⤵
- Executes dropped EXE
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\969036373035
Filesize
68KB

MD5
30c77a551f0f9f896ec3ccf6edee07d8

SHA1
3919fdd724f07cc1893a339f8acb65ce723df6b1

SHA256
1af41c5c82ce7497e373eec52374fec2a638e45ae31113f6f91ebf9933bc8a8e

SHA512
8a5b35fe49f2e3b6408a2e49b2f7eeb19ed90062004818d2816c7d9975688c56a2117ecb1ba69479c0675425c610a529a322f87ab7e840c6dca456f91b11a739

Download Submit
\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
memory/2000-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download