1. Home
  2. Software
  3. FlawedAmmyy

FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]

ID: S0381
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 28 May 2019
Last Modified: 18 July 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FlawedAmmyy has used HTTP for C2.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FlawedAmmyy has established persistence via the HKCU\SOFTWARE\microsoft\windows\currentversion\run registry key.[2]
Enterprise T1115 Clipboard Data

FlawedAmmyy can collect clipboard data.[2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FlawedAmmyy has used PowerShell to execute commands.[2]
.003 Command and Scripting Interpreter: Windows Command Shell

FlawedAmmyy has used cmd to execute commands on a compromised host.[2]
Enterprise T1005 Data from Local System

FlawedAmmyy has collected information and files from a compromised machine.[2]
Enterprise T1001 Data Obfuscation

FlawedAmmyy may obfuscate portions of the initial C2 handshake.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[1]
Enterprise T1041 Exfiltration Over C2 Channel

FlawedAmmyy has sent data collected from a compromised host to its C2 servers.[2]
Enterprise T1070 .004 Indicator Removal: File Deletion

FlawedAmmyy can execute batch scripts to delete files.[2]
Enterprise T1105 Ingress Tool Transfer

FlawedAmmyy can transfer files from C2.[2]
Enterprise T1056 Input Capture

FlawedAmmyy can collect mouse events.[2]
.001 Keylogging

FlawedAmmyy can collect keyboard events.[2]
Enterprise T1120 Peripheral Device Discovery

FlawedAmmyy will attempt to detect if a usable smart card is current inserted into a card reader.[1]
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

FlawedAmmyy enumerates the privilege level of the victim during the initial infection.[1][2]
Enterprise T1113 Screen Capture

FlawedAmmyy can capture screenshots.[2]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[1]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

FlawedAmmyy has been installed via msiexec.exe.[2]

.011 System Binary Proxy Execution: Rundll32

FlawedAmmyy has used rundll32 for execution.[2]
Enterprise T1082 System Information Discovery

FlawedAmmyy can collect the victim's operating system and computer name during the initial infection.[1]
Enterprise T1033 System Owner/User Discovery

FlawedAmmyy enumerates the current user during the initial infection.[1][2]
Enterprise T1047 Windows Management Instrumentation

FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.[1]

Groups That Use This Software

ID Name References
G0037 FIN6

[3]
G0092 TA505

[1][4][5]

References

  1. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  2. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  3. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  1. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  2. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.