
Amadey Write-up


Last updated 6 months ago

Praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family and his companions. To proceed:

Instructions:

  • Ensure that there are no blockers, such as Adblock extensions, that might prevent the lab from opening in a new tab or affect the lab's functionality.

  • All the lab-related files and tools are on the desktop in the 'Start here' directory.

Scenario:

An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the provided memory dump and create a detailed report of the actions taken by the malware.

Link: https://cyberdefenders.org/blueteam-ctf-challenges/amadey/

Medium: https://medium.com/@GLITCHGC/amadey-lab-903d9fbc16bc

Questions:

1. In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?

Command: python3 vol.py -f "/home/ubuntu/Desktop/Start here/Artifacts/Windows 7 x64-Snapshot4.vmem" windows.pstree

I noticed a process name that resembles lsass, but, as the screenshot shows, the suspicious process has an extra letter in its name.

Answer: lssass.exe


2. Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?

Command: python3 vol.py -f "/home/ubuntu/Desktop/Start here/Artifacts/Windows 7 x64-Snapshot4.vmem" windows.cmdline | grep lssass.exe

Answer: C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\lssass.exe
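The two checks behind questions 1 and 2 (a process name one letter away from a real system binary, and a "system" name running from a user-writable directory) can be automated over windows.cmdline output. This is an added example, not part of the original write-up or of Volatility; the sample lines below are constructed in the plugin's tab-separated layout, and the reference list of system binaries is a short assumed subset.

```python
import re

# Assumed reference list: legitimate Windows binaries and the directory they run from.
KNOWN_SYSTEM = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
}

# Constructed sample in the layout of `windows.cmdline` (PID, Process, Args); not real lab output.
SAMPLE_CMDLINE = """PID\tProcess\tArgs
496\tlsass.exe\tC:\\Windows\\system32\\lsass.exe
2748\tlssass.exe\t"C:\\Users\\0XSH3R~1\\AppData\\Local\\Temp\\925e7e99c5\\lssass.exe"
3012\trundll32.exe\t"C:\\Windows\\System32\\rundll32.exe" C:\\Users\\0xSh3rl0ck\\AppData\\Roaming\\116711e5a2ab05\\clip64.dll
"""

def levenshtein(a, b):
    """Edit distance, so that 'lssass.exe' is one edit away from 'lsass.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_path(args):
    """First token of the command line, with surrounding quotes removed."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', args)
    return (m.group(1) or m.group(2)) if m else ""

def flag_processes(cmdline_output):
    """Return (pid, name, reason) for every process that looks like masquerading."""
    findings = []
    for line in cmdline_output.splitlines()[1:]:          # skip the header row
        pid, name, args = line.split("\t", 2)
        lname, path = name.lower(), image_path(args).lower()
        if lname in KNOWN_SYSTEM:                          # real name, wrong directory?
            if not path.startswith(KNOWN_SYSTEM[lname]):
                findings.append((int(pid), name, "system name running from " + path))
            continue
        for known in KNOWN_SYSTEM:                         # unknown name one edit from a real one?
            if levenshtein(lname, known) == 1:
                findings.append((int(pid), name, "lookalike of " + known))
                break
        else:
            if "\\appdata\\" in path or "\\temp\\" in path:
                findings.append((int(pid), name, "user-writable path " + path))
    return findings

print(flag_processes(SAMPLE_CMDLINE))
```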


3. Persistent external communications suggest the malware’s attempts to reach out C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?

Command: python3 vol.py -f "/home/ubuntu/Desktop/Start here/Artifacts/Windows 7 x64-Snapshot4.vmem" windows.netscan | grep lssass.exe

Answer: 41.75.84.12


4. Following the malware link with the C2C, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?

Command1: python3 vol.py -f "/home/ubuntu/Desktop/Start here/Artifacts/Windows 7 x64-Snapshot4.vmem" windows.memmap.Memmap --pid 2748 --dump

After dumping the process memory, use this command to find the HTTP requests in it:

Command2: strings pid.2748.dmp | grep 'GET /'

Answer: 2
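Counting the distinct files from the strings output by eye is error-prone once the same request appears several times or in different letter case. Added example (not from the original write-up): it parses a constructed excerpt of `strings` output and counts distinct downloaded file names; the second DLL name is a placeholder, not a value from the lab.

```python
import posixpath
import re
from collections import Counter

# Constructed excerpt of what `strings pid.2748.dmp` might contain (not real lab output):
# repeated requests, a non-GET request, an unrelated string and a case variant.
SAMPLE_STRINGS = """\
GET /Plugins/clip64.dll HTTP/1.1
Host: 41.75.84.12
User-Agent: Mozilla/5.0
GET /Plugins/clip64.dll HTTP/1.1
POST /index.php HTTP/1.1
GET /Plugins/second_placeholder.dll HTTP/1.1
kernel32.dll
GET /Plugins/CLIP64.DLL HTTP/1.1
"""

# Tolerates fragments that lost their trailing " HTTP/1.1" in memory.
GET_RE = re.compile(r"^GET\s+(/\S*)", re.IGNORECASE)

def requested_files(strings_output):
    """Map each requested file name to how many GET requests asked for it.
    Keyed on the lower-cased basename, because the question is about files landing
    on a Windows host, where file names are case-insensitive."""
    counts = Counter()
    for line in strings_output.splitlines():
        m = GET_RE.match(line.strip())
        if m:
            counts[posixpath.basename(m.group(1)).lower()] += 1
    return counts

def distinct_download_count(strings_output):
    """Number of distinct files the process tried to fetch."""
    return len(requested_files(strings_output))

print(requested_files(SAMPLE_STRINGS), distinct_download_count(SAMPLE_STRINGS))
```

Run `strings -el` on the dump as well: plain `strings` only finds ASCII, and Windows processes keep many strings as UTF-16LE.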


5. Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?

Command: python3 vol.py -f "/home/ubuntu/Desktop/Start here/Artifacts/Windows 7 x64-Snapshot4.vmem" windows.cmdline | grep dll

Answer: C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll


6. Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?

The answer is already visible in the previous screenshot; otherwise, rerun the first command:

Command: python3 vol.py -f "/home/ubuntu/Desktop/Start here/Artifacts/Windows 7 x64-Snapshot4.vmem" windows.pstree

Answer: rundll32.exe


7. Understanding the full range of Amadey’s persistence mechanisms can help in an effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?

Command: python3 vol.py -f "/home/ubuntu/Desktop/Start here/Artifacts/Windows 7 x64-Snapshot4.vmem" windows.filescan | grep lssass.exe

Answer: C:\Windows\System32\Tasks\lssass.exe


You Can Find me Here!

Blog: https://g1it0h.gitbook.io/glitch

Linkedin: https://www.linkedin.com/in/glitchgc/

Facebook: https://www.facebook.com/GLITC.GC/

Tryhackme: https://tryhackme.com/p/GLITCH1GC