Amadey Lab | CyberDefenders Writeup
Solvenite
Scenario
An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report for actions taken by the malware.
Q1. In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?
Use windows.pstree to list parent and child processes in a hierarchical structure.
~/Desktop/Start here/Tools/volatility3$ ./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.pstree
The lssass.exe (PID 2748) process here is likely malicious because it impersonates a legitimate security process (lsass.exe). It also has a very unusual start time, and is associated with the suspicious parent process rundll32.exe. Attackers commonly use such techniques to hide malicious activities, such as credential dumping.
Answer: lssass.exe
Q2.Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?
Use the ‘cmdline’ plugin to get a list of all the command line execution.
./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.cmdline
Answer: C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\lssass.exe
Q3.Persistent external communications suggest the malware's attempts to reach out C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?
Use windows.netscan to get the established/closed connections that the process interacts with.
./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.netscan
Answer: 41.75.84.12
Q4-Following the malware link with the C2C, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?
Dump the malicious Process using windows.memmap with the pid and —dump parameters
./vol.py -f ../../Artifacts/Windows\ 7\ x64-Snapshot4.vmem windows.memmap.Memmap --pid 2748 --dump
You should get a file called pid.2748.dmp. Use strings and grep to extract the HTTP GET Requests
Answer: 2
Q5.Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?
Use windows.cmdline to get the location of the downloaded malicious dlls.
Answer: C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll
Q6. Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?
Use windows.pstree to check the child processes.
Q7-Understanding the full range of Amadey's persistence mechanisms can help in an effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?
Use filescan | grep lssass.exe to get files associated with lssass.exe
Thank you for reading the writeup! :)
Subscribe to my newsletter
Read articles from Solvenite directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by