Analyzing Amadey – a simple native malware

Apparently there is a new Russian botnet floating around by the name of Amadey. Despite its very high price tag on Russian forums, it is a very simplistic bot that is, quite honestly, poorly made.

SHA-1: B7235E2981456D29412AD935BDBCA140B6AD0151

Compiler info (from ExeInfo PE): Microsoft Visual C++ ver 5.0/6.0

Sample given by a friend.

The payload was not spread directly but rather was packed with a crypter. The crypter seems to be TitanCrypt, based on its storage method (an appended section containing the payload, which was encrypted and then base64 encoded). The crypter's own code is encrypted with a self-decryptor and heavily obfuscated, and it is executed through Windows API callbacks.
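To triage a sample that uses this storage method, the first question is whether there is data appended past the last PE section and whether that overlay decodes as base64 into something that still looks encrypted. The following is an added example written for this post, not code from the original analysis or from the crypter; it parses the section table, carves the overlay, and reports the entropy of the base64-decoded blob. The PE-shaped sample it analyzes is constructed inline (it is not executable and has no relation to the real sample), and the encryption layer of the real crypter is not modelled, since the post does not describe it.

```python
import base64
import binascii
import math
import struct


def section_table(data: bytes):
    """Parse the PE section headers.

    Returns a list of (name, pointer_to_raw_data, size_of_raw_data).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = first + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def overlay_offset(data: bytes) -> int:
    """The overlay starts where the last section's raw data ends."""
    return max((ptr + size for _, ptr, size in section_table(data)), default=len(data))


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_overlay(data: bytes) -> dict:
    """Carve the overlay and check whether it is base64 wrapping a high-entropy blob."""
    off = overlay_offset(data)
    overlay = data[off:]
    result = {"overlay_offset": off, "overlay_size": len(overlay),
              "is_base64": False, "decoded_entropy": None, "suspicious": False}
    if not overlay:
        return result
    try:
        decoded = base64.b64decode(overlay.strip(), validate=True)
    except (binascii.Error, ValueError):
        return result
    result["is_base64"] = True
    ent = round(shannon_entropy(decoded), 2)
    result["decoded_entropy"] = ent
    # Near-8-bit entropy after decoding means the blob is still encrypted or
    # compressed rather than a plaintext PE, which is what a crypter overlay looks like.
    result["suspicious"] = ent > 7.0
    return result


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed, non-executable PE-shaped blob: one section, headers padded to 0x200."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)      # 1 section, PE32 opt hdr
    opt = bytes(224)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + bytes(0x200) + overlay


# Constructed stand-in for ciphertext: a full permutation of byte values repeated 16 times.
ENCRYPTED_PAYLOAD = bytes((i * 73 + 19) & 0xFF for i in range(4096))
SAMPLE_WITH_OVERLAY = build_sample_pe(base64.b64encode(ENCRYPTED_PAYLOAD))
SAMPLE_CLEAN = build_sample_pe(b"")

if __name__ == "__main__":
    print(analyze_overlay(SAMPLE_WITH_OVERLAY))
    print(analyze_overlay(SAMPLE_CLEAN))
```

On a real file, `analyze_overlay(open(path, "rb").read())` gives the offset to hand to a hex editor or a dump script; the entropy threshold is a heuristic, so treat a high value as a prompt to look for the decryption routine, not as proof on its own.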

[Figure: The code being passed as a callback function]

The code is wrapped in a self-decryption loop, after which execution jumps into a very obfuscated region of code. After some (and by some I mean a lot of) manual analysis, the important code, where the payload is decrypted, is identified.

The decryption call:

[Figure: The code decryption call]
[Figure: After the call]

Stepping over the call, we see the region decrypted rather clearly. Dumping this, we get the actual payload.

SHA1: 3E4CD703DEEF2CFD1726095987766E2F062E9C57

Compiler info: FreeBASIC Compiler v0.14 – 0.17

The malware in question is "Amadey", a new bot that is sold on a Russian forum. Link to thread content in Russian. It goes for $600 for a license, and for that high price the author is extra nice in his customer service: he shipped the symbols inside the binary, allowing reverse engineers to inspect it with great ease : )

[Figure: Main function]
[Figure: UAC bypass just runs self as admin...]
[Figure: Terrible permission check by creating a file in a privileged folder]

Startup persistence is added by executing the command REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d path_to_folder_containing_the_file, which repoints the user's Startup shell folder at the directory the bot lives in, so Explorer launches its contents at logon.
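Because the bot persists by rewriting the Startup value under User Shell Folders rather than by adding a Run-key entry, a detection for it has to look at what the REG ADD command line writes and compare it with the default location. The code below is an added example written for this post, not code from the bot or the original analysis: it parses reg.exe command lines (the kind recorded in process-creation logs), flags any that set the per-user Startup or all-users Common Startup value to a non-default path, and runs over a constructed set of sample command lines. The drop directory and other paths in the samples are invented placeholders.

```python
import re

# Default data for the two Startup values under User Shell Folders
# (Startup lives under HKCU, Common Startup under HKLM).
DEFAULT_STARTUP_TARGETS = {
    "startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "common startup": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
}
USER_SHELL_FOLDERS = r"\software\microsoft\windows\currentversion\explorer\user shell folders"
HIVE_PREFIXES = ("hkcu", "hkey_current_user", "hklm", "hkey_local_machine")


def tokenize(cmdline: str):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline: str):
    """Return the key/value/type/data of a 'reg add' command line, or None if it is not one."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    info = {"key": toks[2], "value": None, "type": None, "data": None, "force": False}
    fields = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in fields and i + 1 < len(toks):
            info[fields[flag]] = toks[i + 1]
            i += 2
        else:
            if flag == "/f":
                info["force"] = True
            i += 1
    return info


def is_startup_folder_hijack(cmdline: str) -> bool:
    """True when the command redirects a Startup shell folder away from its default."""
    info = parse_reg_add(cmdline)
    if info is None:
        return False
    key = info["key"].lower().strip("\\")
    hive = key.split("\\", 1)[0]
    if hive not in HIVE_PREFIXES or not key.endswith(USER_SHELL_FOLDERS):
        return False
    value = (info["value"] or "").lower()
    if value not in DEFAULT_STARTUP_TARGETS:
        return False
    data = (info["data"] or "").rstrip("\\").lower()
    return data != DEFAULT_STARTUP_TARGETS[value].lower()


def scan_command_lines(lines):
    """Return the command lines that match the Startup-folder redirection pattern."""
    return [line for line in lines if is_startup_folder_hijack(line)]


# Constructed sample command lines; paths are placeholders, not values from the sample.
SAMPLE_COMMAND_LINES = [
    # The pattern from the post, with a made-up drop directory as the new Startup folder.
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
    r'/f /v Startup /t REG_SZ /d C:\Users\victim\AppData\Local\Temp\example_dir',
    # Same idea against the all-users value under HKLM.
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
    r'/v "Common Startup" /t REG_SZ /d C:\ProgramData\example_dir /f',
    # Restoring the default value is not a redirection.
    r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
    r'/v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f',
    # A Run-key entry is persistence too, but not the technique this check covers.
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Tools\updater.exe',
    r'C:\Windows\System32\notepad.exe C:\Users\victim\notes.txt',
]

if __name__ == "__main__":
    for hit in scan_command_lines(SAMPLE_COMMAND_LINES):
        print("startup folder redirected:", hit)
```

The same comparison works on a live host by reading the Startup value from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and checking it against the default; the command-line form above is what you would put in front of process-creation telemetry to catch the write as it happens.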

The bot is not too interesting; it is in fact very simplistic. I would write more about the bot but... there is nothing else to write about. The programmer was nice enough to ship the file with symbols for us, making things a lot easier, and in doing so defeated the point of encrypting his strings. All files are available on VirusTotal and VirusBay as usual.